“Phishing” specifically describes the process by which a malicious person tries to find out sensitive information about you or your accounts using the a phishing email to try to get you to voluntarily provide information. They do this by creating fake websites and branding to get you to enter details online. They will try to get you to visit a malicious website via a link on that email.
DOCUSIGN AS A MASK
A new Phishing email scam has come to our attention. Scammers have now started using Docusign as a mask to install their software on unsuspecting individuals.
Sample of a fake email
To a busy person it is easy to miss the tell-tale signs of an email scam as it is very close to an original Docusign email. Those that are on Office 365 will already have this picked up for them but other systems may not pick up that this is a scam.
Always hover over a link before clicking on it. Make sure that the email is from who it says it is by checking out the URL. Check where the link is taking you to without clicking, hover over it to have a look first. A legit Docusign email will always take you to the correct url / Docusign webpage to retrieve and view documents.
FRAUDULENT EMAIL & WEBSITES
First and foremost, if you don’t recognize the sender of a DocuSign envelope and you are uncertain of the authenticity of an email, look for the unique security code at the bottom of the notification email. All DocuSign envelopes include a unique security code. If you do not see this code DO NOT click on links or open attachments within the email.
WHAT SHOULD I DO IF I RECEIVE A SUSPICIOUS EMAIL?
First and foremost, if you don’t recognize the sender of a DocuSign envelope and you are uncertain of the authenticity of an email, look for the unique security code at the bottom of the notification email. All DocuSign envelopes include a unique security code.
If you think that you have received a fraudulent email, please contact DocuSign Security immediately at spam@docusign.com.
If there is a security code…
Access your documents directly from www.docusign.com, click Access Documents then enter the unique security code.
If there is NO security code…
DO NOT click on links or open attachments within the email. This is not a valid DocuSign email and it should be sent to our security team immediately at spam@docusign.com
Sample of a real Docusign email
Spot fraudulent emails and web sites by checking for the following signs:
1. Fake links:
As described above, avoid fake links by accessing your documents directly from www.docusign.com using the unique security code found at the bottom of the DocuSign notification email.
Always check where a link goes before you click on it. You can hover your mouse over the link to look at the URL in your browser or email status bar (they should be hosted on docusign.com or docusign.net). A fraudulent link is dangerous and can:
Direct you to a fake website that tries to collect your personal data.
Install spyware on your system. Spyware is an application that can enable a hacker to monitor your actions and steal any login IDs, passwords, or credit card numbers you type online.
Cause you to download a virus that could disable your computer.
2. A fake sender’s email address:
Fake emails may include a forged email address in the “From” field. This field is easily altered. If you don’t recognize the sender of a DocuSign envelope, contact the sender to verify the authenticity of the email.
3. Attachments:
DocuSign email requests to sign a document never contain attachments of any kind. DO NOT OPEN or click on attachments within an email requesting your signature. DocuSign emails only contain PDF attachments of completed documents after all parties have signed the document. Even then, pay close attention to the attachment to ensure it is a valid PDF file. DocuSign NEVER attaches zip files or executables.
4. Generic greetings:
Many fake emails begin with a generic greeting like “Dear DocuSign Customer.” If you do not see your name in the salutation, be suspicious and do not click on any links or attachments.
5. A false sense of urgency:
Many fake emails try to deceive you with the threat that your account is in jeopardy if you don’t provide immediate updates. They may also state that unauthorized transactions have occurred on your account or that DocuSign needs to update your account information immediately.
6. Emails that appear to be websites:
Some fake emails are made to look like a website in order to get you to enter personal information. DocuSign never asks you for personal information, including login, ID, or password in email.
7. Deceptive URLs:
Check the Web address. Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site:
Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address or transposing consecutive letters of the brand (for example, rea1estate.docusign.com instead of realestate.docusign.com or www.docusing.com instead of www.docusign.com).
“http://” at the start of the address on DocuSign sign-in pages. A legitimate DocuSign sign-in page address starts with “https://” – the letter “s” must be included. So check the website address for any DocuSign sign-in page.
Browser warnings. Your browser has ways of detecting certain types of malicious sites. Always heed these browser warnings, especially when they notify that the site or certificate cannot be trusted.
8. Misspellings and bad grammar:
While no one is perfect, fake emails often contain misspellings, incorrect grammar, missing words, and gaps in logic. Mistakes like this help fraudsters avoid spam filters.
9. Unsafe sites:
The term “https” should always precede any website address where you enter personal information. The “s” stands for secure. If you don’t see “https,” you’re not in a secure web session, and you should not enter personal data.
10. Pop-up boxes:
DocuSign will never use a pop-up box in an email as pop-ups are not secure.
If you think that you have received a fraudulent email, please contact DocuSign Security immediately at spam@docusign.com
[shareaholic app=”share_buttons” id=”12025595″]
For more information, please call our
IT team on 1300 755 615.
In today’s digital world, small businesses face a growing onslaught of cyber threats, with the potential for significant financial and reputational harm looming large. Within this landscape, the Australian Cyber Security Centre’s Essential Eight strategies emerge as a beacon of guidance, with Multi-Factor Authentication (MFA) standing as its critical third component. This article dives deep into MFA, an essential layer of defence that extends beyond mere passwords, demanding additional verification that thwarts unauthorised access. By adopting MFA, you’re not just adding a security measure; you’re embracing a foundational principle of the Essential Eight to fortify your business against increasingly sophisticated cyber-attacks. Let’s explore how this powerful tool can be your ally, securing your digital assets against the backdrop of an ever-evolving threat landscape.
Importance of Multi-Factor Authentication:
Enhanced Security: MFA significantly reduces the risk of unauthorised access by requiring multiple forms of identification.
Phishing Resistance: Implementing MFA methods resistant to phishing attacks adds an extra layer of protection, reducing vulnerabilities.
Credential Theft Prevention: MFA makes it challenging for cybercriminals to use stolen credentials effectively, thwarting their attempts.
Unlocking Enhanced Security: Navigating Multi-Factor Authentication (MFA) Choices for Your Business
In today’s digital age, safeguarding your business’s online assets is more critical than ever. Multi-Factor Authentication (MFA) stands out as a powerful shield, demanding two or more verification factors to confirm a user’s identity. These factors include something you know (like a password), something you have (like a security key), and something you are (like a fingerprint). This multi-layered approach significantly bolsters your defence against unauthorised access attempts.
But with various MFA methods available, how do you choose the right one for your business? The decision should be tailored to your specific security requirements and operational context. Each authentication method brings its unique strengths to the table, ensuring that your choice effectively balances security with user convenience.
Let’s dive into the world of MFA to understand the options at your disposal and how they can fortify your business against cyber threats.
Security Keys:
What They Are: Security Keys: Physical devices that provide secure authentication through public key cryptography. Why Use Them: Ideal for high-security requirements such as remote access solutions. Example: Employees use a physical USB device (security key) to authenticate their identity, providing a robust defence against unauthorised access. Security Considerations: Ensure physical security of the keys; loss or theft can lead to unauthorised access if not quickly mitigated through revocation of the keys’ access privileges.
Smart Cards:
What They Are: Cards that use a private key stored on the card for authentication. Why Use Them: Best suited for sectors with stringent security requirements like government and finance. Example: Employees use a smart card and PIN for two-step verification to access secure systems. Security Considerations: Physical security of the cards is crucial, as lost or stolen cards can be exploited if PINs are compromised or guessed.
certificate icon
Software Certificates:
What They Are: Authentication using a device’s Trusted Platform Module, combining a passphrasewith a private key. Why Use Them: Common for secure login to networks or sensitive applications. Example: Utilising Windows Hello for Business, employees authenticate with a software certificate stored in a TPM for secure access. Security Considerations: Certificates must be properly managed and updated to prevent exploitation; revocation lists must be maintained to ensure compromised certificates cannot be used.
Physical OTP Tokens:
What They Are: Devices that generate a time-limited, one-time password. Why Use Them: Useful for secure, one-time access to critical systems. Example: Employees use a physical device that generates time-limited OTPs for an added layer of security. Security Considerations: Like with security keys, the physical security of OTP tokens is essential. Additionally, systems should be in place to quickly revoke access if a token is reported lost or stolen.
Mobile Apps:
What They Are: Applications on smartphones generating time-sensitive authentication codes. Why Use Them: A cost-effective solution for businesses with mobile device users. Example:Employees install an authenticator app on their smartphones, using codes for authentication. Security Considerations: Ensure mobile devices are secure and up to date to prevent malware from capturing OTPs. Educate users on the importance of securing their mobile devices with strong passwords, biometrics, and keeping the software up to date.
SMS, Emails, or Voice Calls:
What They Are: Methods that send a one-time code via SMS, email, or voice call. Why Use Them: Convenient for a user-friendly MFA option, though with potential vulnerabilities. Example: Users verify their identity during login by receiving a one-time code through their chosen method. Security Considerations: Vulnerable to interception (e.g., SIM swapping for SMS). Use as part of a layered security approach or for non-critical access. Consider stronger methods for sensitive information.
Biometrics:
What They Are: Authentication methods using unique biological traits, like fingerprints or iris scans. Why Use Them: Ideal for devices with built-in biometric scanners for enhanced security. Example: Employees use biometric recognition (fingerprint or facial) on smartphones to access company applications securely. Security Considerations: Ensure the storage of biometric data is secure and complies with privacy regulations. Be aware of limitations and potential for false positives/negatives and have alternative authentication methods available.
Best Practices for Secure Implementation:
To ensure seamless integration, consider the following best practices:
User Education: Conduct workshops to educate employees about the importance of MFA and how to use different methods securely.
Gradual Implementation: Introduce MFA gradually, starting with less sensitive systems to allow users to acclimate to the new authentication methods.
Scenario-Based Training: Provide training sessions based on different scenarios employees might encounter, emphasizing the appropriate use of each MFA method.
Continuous Monitoring: Implement continuous monitoring to detect any anomalies in the usage of MFA methods, enhancing overall security.
By tailoring the choice of MFA methods to specific scenarios, educating employees on their secure use, and implementing continuous monitoring, small businesses can effectively strengthen their cybersecurity defences. Multi-Factor Authentication is a cornerstone of cyber resilience, enabling small businesses to elevate their cybersecurity posture.
As we navigate the complexities of cybersecurity, implementing Multi-Factor Authentication (MFA) is not just a recommendation; it’s a necessity for safeguarding your business’s future. Don’t wait for a security breach to realise the value of your digital safety. Take the first step today by evaluating your current security measures and considering which MFA methods align with your business needs. Need help getting started? Reach out to our team who can guide you through the process, ensuring that your business is fortified with the best defences against cyber threats. Remember, in the digital age, being proactive about your cybersecurity is the key to staying one step ahead of attackers. Secure your business’s digital doors with MFA today.
In the dynamic landscape of technology, small businesses often rely on Managed Service Providers (MSPs) for comprehensive IT solutions. However, one prevalent misconception persists—the belief that engaging an MSP guarantees complete protection against evolving cyber threats. Unveiling this myth, recent studies reveal that 85% of cyberattacks stem from human error, making employee education paramount in fortifying organisational information security.
Creating a Comprehensive Cybersecurity Awareness Program:
To empower small businesses against cyber threats, MSPs must establish robust cybersecurity training programs. These initiatives should equip clients and their employees with the knowledge and skills to understand their responsibilities, safeguard sensitive information, and identify signs of potential cyberattacks.
Phishing and Social Engineering:
One of the most insidious threats, phishing, and social engineering exploit human vulnerability. MSPs must educate clients about recognising phishing attempts, which often involve clicking on deceptive links or providing sensitive information. Key indicators include content errors, a sense of urgency, and suspicious email addresses. Immediate actions include informing IT and resetting passwords to mitigate potential damage.
Access, Passwords, and Connection:
Client cybersecurity training should delve into network aspects like access privileges, password security, and network connections. MSPs can guide employees in creating secure passwords, emphasising uniqueness, length, complexity, and regular updates. Additionally, users should exercise caution with external network connections, using trusted sources or VPNs to ensure secure data transmission.
Device Security:
As the era of bring-your-own-device (BYOD) gains momentum, MSPs play a crucial role in educating employees about device security. Every connected device represents a potential vulnerability, making it imperative to understand the risks associated with personal mobile devices. Awareness campaigns should focus on safe browsing habits, judicious app installations, and cautious clicking to protect company data.
Physical Security:
Beyond digital threats, physical security is often overlooked. MSPs can guide clients and employees in implementing practices that enhance physical security. Simple measures such as locking devices when unattended, securing documents in locked cabinets, and proper disposal of sensitive information contribute significantly to safeguarding data.
In the realm of managed services, the responsibility of MSPs goes beyond deploying protective measures; it extends to educating and empowering clients and their employees. Partnering with KeyTech will serve as a valuable resource, offering support, educational materials, and expert insights to help your team enhance their capabilities. By embracing a comprehensive approach to cybersecurity education, KeyTech can fortify your small businesses against the ever-evolving landscape of cyber threats.
Got Questions about Cybersecurity Education? Let’s talk!
There is no doubt you have seen or heard about the scam emails, texts, and phone calls that are a daily nuisance for everyone. It may be in an email, phone call, or text format. The scam message could lure you in many ways; It may tell you that you have won a prize or a notification about an internet order or package delivery.
What is Phishing?
Phishing is a type of social engineering where the attacker sends fake messages to trick a person into disclosing sensitive details to the attacker or deploys malicious software onto a device to get private information. Phishing scams usually require the recipient to perform an action such as clicking a link, downloading a file or entering a password.
Tactics Phishing Attackers Use
Look out for emails and texts with:
Generic greetings such as “Hello Customer” rather than an actual name.
Emails requesting personal information
Emails demanding an urgent response
Emails that say you won a prize for something that you didn’t enter
Messages with poor spelling and grammar
Messages asking for money
Mismatched links in the email body
Spoofed links. Never click on a link unless you are certain it is authentic. You can hover over it first to reveal its true destination. If the email claims to be from your bank, they will never ask you to log in from an email. Also, secure links should begin with HTTPS://
Always be suspicious of texts, emails & calls from unknown sources
Scam Phone Calls: Tactics to look out for:
Unknown phone numbers
Calls seeking your personal information
Recorded messages that ask for payment or personal data
Callers who say there is an issue with your computer
Callers who require your action urgently.
Offers or deals that sound too good to be true
If the caller claims to be your bank and asks for your information
If the caller threatens you
How can you protect your business from phishing attacks?
Phishing awareness training – Most successful attacks occur due to employees unknowingly clicking on dangerous links in their emails.
If you suspect a phishing email, you can check online for scams related to the email topic or company. For example, if the email claims to be from PayPal, check PayPal’s website or sites such as www.scam-detector.com
Installing Endpoint Protection software such as Sophos, will add an extra layer of security and warn you if you click on a suspicious link. Ask us for a free trial!
Our security partner Sophos has released some startling news regarding an increase in phishing.
Pop quiz: What’s phishing? Here’s what other people think it is:
Not too many people guessed this one right! Sophos reports that the correct answer was the most popular response, but the term is still widely misunderstood.
What is phishing?
Phishing It’s when internet scammers send you an email pretending to be eBay, Amazon, or some other service you might not use. It usually asks you to check or verify something and takes you to a website that looks just like the real one and asks you to log in.
In a survey by Sohpos, phishing attacks in all sectors have increased since the start of the pandemic. Scarily, governmental organizations reported the largest increases, followed by business and professional services and then healthcare.
If you fall for a phishing attack, taking the bait as it were, you can expect a follow-up ransomware attack. Spyware can be installed on your system, and your information could be ransomed for millions. That’s the worst-case scenario that a large organization might face. Ordinary folk can expect to have some accounts hijacked, money stolen, and a whole lot of inconvenience along the way.
If you’re protected by KeyCloud Threat Protection, which is powered by Sophos’ ever-evolving AI, you can stop reading here. If not, there are some things you should know.
PhaaS
Phishing is an ever-evolving threat, and like all forms of cybercrime, the techniques used are increasingly elaborate. You can tell people fall for them all the time just by taking a look at the effort that goes into setting up these attacks. And like all profitable enterprises, it’s getting easier.
I’m sure you use SaaS, or Software as a Service, products such as Teams, or your CMS, but Microsoft has recently caught out something new: a Phishing as a Service. This makes it very easy for anyone to set up a phishing campaign including all the related hosting and email services that would otherwise be time-consuming and expensive.
Phishing email messages, websites, and phone calls can be carried out for the purposes of stealing credentials, in order to steal money, defame sites, and any number of other reasons. Attackers can do this by sending malicious software to your computer in the hopes of getting you to run it, or by tricking you into sending personal or sensitive information (such as passwords and other credentials).
Cybercriminals also use social engineering to trick you into running such programs or send such information. They may email, call, text or try to get you to download files from a website. Phishing emails can take many forms, but generally they will present some false pretence as to why they are entitled to the information, or have the authority to get you to do what they need you to.
Here is an example of what one may look like:
Some key things to look for are:
Grammar and spelling: Large companies will almost never allow correspondence to go out without spell-checking it. If you see a spelling mistake you should be suspicious.
Links: Beware of links in emails, if something seems wroung to you, hover your mouse over the link for a second. The address shown below the cursor will show the actual destination of the link, if it is not from the same domain as the sender claims to be from, be suspicious
Coercion: Reputable sites rarely coerce their customers, if an email sender attempts to use a threat of coercion to do something, they may want you to do it for nefarious purposes.
Spoofing: Scammers often use graphics in email that, whilst looking legitimate, can take you to sites which utilise pop-ups or have slightly different domains to the legitimate ones.
If you see one of these emails, do not respond to them, instead, look up the site they claim to be representing, and find a real email address on the site to alert them of the threat.
In recent weeks, an alarming surge of scams, particularly the Meta Business Support scam, has targeted Facebook business and community page owners. As scammers impersonate Meta, users are at risk of falling victim to deceptive messages leading to potential phishing threats. This article aims to equip you with the necessary information to recognise and avoid such scams, ensuring a secure online experience.
The Meta Business Support Messenger Scam
Scammers employ deceptive messages, claiming affiliation with Meta, to target Facebook business and community page owners. These fraudulent messages falsely assert that pages are disabled due to a report by I.N.C. International Concepts, a legitimate women’s clothing brand unrelated to the scam. The scammers create a false sense of urgency, urging users to click on a link under the guise of addressing the alleged issue.
Identifying the Scam
Several variations of the Meta Business Support scam exist, all with the same goal.
Example of a Phishing Message sent to a business page:
Some Scam URL Examples:
Please note these are only some of the links that have been reported. Clicking on any of these links is a guaranteed encounter with a scam, so it’s crucial to steer clear.
Mfb[.]mobi
mfb[.]social
facebook[.]5246272198633275-pages[.]help/[.]com
ampl.ink/MetaBusinessSupportwwcom
Facebook Page Deletion Phishing Scams
In a related threat, scammers have been sending messages claiming that Facebook pages are scheduled for permanent deletion due to trademark infringement. The message invites users to file a complaint to prevent the deletion. However, this is a phishing scam aimed at stealing login credentials and personal information.
Protect yourself and your business by staying informed and vigilant against evolving scams in the digital landscape. Remember, a cautious approach is the first line of defence against cyber threats.
How to Stay Safe from Scams
Given the increasing sophistication of scams, it’s essential to adopt proactive measures to protect yourself:
Verify Web Addresses: Legitimate Facebook pages always start with ‘facebook.com/.’ Ensure you’re on official pages before taking any action.
Direct Communication: When seeking assistance, use official channels. Avoid clicking on links provided by others; instead, search for the Facebook Help Center and visit the site directly.
Protect Personal Information: Exercise caution with your personal information. Refrain from sharing sensitive details online.
Avoid Unknown Links: Never click on links from unknown sources. Verify the legitimacy of links before taking any action.
Reporting Scams
To report a scam group, page, or profile on Facebook, select the three dots on the right-hand side of the page and click ‘report.’ Additionally, you can move the scam phishing messages to the spam folder when received. Report scam websites to the National Cyber Security Centre on its website.
Reporting Scams: If you suspect a scam on Facebook, report it to ensure a safe and secure experience.
About Scams: Understand how scammers target users, creating fake accounts or compromising existing ones to deceive or defraud.
Protecting Your Account: Facebook advises users to slow down, spot check information, and never send sensitive details to potential scammers.
Protecting Your Account: Practical Tips
Don’t Click Suspicious Links: Verify emails, texts, or social media messages claiming to be from Facebook. Check your Facebook settings for recent communications.
Avoid Unknown File Downloads: Exercise caution with files or software from unknown sources, especially if they request login credentials.
Say No to Sensitive Information: Never share passwords, social security numbers, or financial information with unknown entities.
Strengthening Online Security
Enable Two-Factor Authentication (2FA): Add an extra layer of security to your accounts across the Internet.
Avoid Password Reuse: Use unique passwords for different websites to prevent widespread compromise.
Use Trusted Antivirus Software: Keep your antivirus software up to date and regularly scan devices for malware.
Turn on Login Alerts: Be notified if someone attempts to access your account. Review previous sessions to ensure recognised devices have access.
Visit Security Checkup: Utilise the Security Checkup tool to enhance the security of your account.
Common Scams and How to Avoid Them
Facebook’s Help Center provides insights into prevalent scams:
Investment Scams: Be wary of promises of unrealistic monetary benefits. Verify offers before making any financial commitments.
Romance Scams: Exercise caution with romantic messages from unknown individuals seeking financial assistance.
Job Scams: Avoid misleading job postings that request personal information or upfront payments.
Lottery Scams: Beware of false claims of lottery winnings that require advance fees.
Loan Scams: Be cautious of messages offering instant loans for small advance fees.
Donation Scams: Verify online accounts claiming to represent charities before making donations.
Inheritance Scams: Exercise caution with messages claiming you’re entitled to an inheritance and requesting personal information.
Commerce Scams: Be sceptical of online sellers offering goods at unbelievably low prices, especially if they pressure you to move conversations to other platforms.
Paid Subscription Services: Avoid one-time payments for lifetime access to subscription services, especially if the product is never delivered.
Facebook’s Guidance on Scams
Facebook emphasises vigilance and offers detailed guidelines to stay safe online. If you encounter suspicious activity or are unable to access your account, follow the steps on the Facebook Help Centerto regain control.
Staying informed and adopting a cautious approach is your first line of defence against evolving cyber threats. By implementing these recommendations, you can protect yourself and your business from falling victim to scams in the digital landscape.
In today’s digital age, protecting your website from cyberattacks is crucial for all businesses, big or small. Cyberattacks can lead to data loss, website downtime, and harm your company’s reputation. To help you safeguard your website, we’ve put...
