Dissecting the most common email scams that hit Aussie inboxes
New research from MailGuard says that Australians businesses are popular targets for scams and brandjacking and in the last few weeks alone, two massive fraud influxes from ASIC email scams.
The scams contained malware and originated from both a domain in China, as well as a domain in Cyprus.
MailGuard says that there’s something of a pattern to brand hijacking, also known as brandjacking: The larger the customer base, the larger the potential victim pool.
“Criminals go where the targets are,” comments MailGuard CEO Craig McDonald.
“That’s why well-known brands with loyal customer bases are frequently in cybercriminals’ sights.”
MailGuard has intercepted many different email-based scams this year and has compiled a list of some of the most common.
Common seasonal scams targeting Australia
- In the leadup to Christmas, Australia Post is a perfect target. Online delivery orders soar, and people are busy getting their shopping finished in time for the big day. The rush means people awaiting an online order are especially susceptible to a ‘Your parcel is due for delivery – click here to track it’ malicious email. FedEx and DHL are also regularly impersonated.
- Around tax time, fraud ATO and ASIC emails ramp up. False Business Activity Statements, ‘Renew your business name’ attempts and fake tax return documents are prolific. All aim to trick people into click a link containing malware, or handing over sensitive personal information.
- Winter sees a peak in fake energy invoices. AGL, Origin Energy, EnergyAustralia are impersonated regularly, and often on a huge scale.
- Fake driving fines, inviting recipients to a (malicious) click a link to view the ‘evidence’ of their offence.
- Sham invoices from telecommunications companies including Optus and Telstra.
- Malware-carrying bills designed to look like they were sent by MYOB, Xero or Intuit QuickBooks.
- Phishing attempts purporting to be from Australian banks. Westpac, ANZ, NAB, Commonwealth Bank and Macquarie Bank.
- Attempts to hack myGov accounts, under the guise of a ‘Verify your identity’ phishing email. With more than 11 million Australian accounts reportedly registered with myGov, which holds sensitive information from agencies including the Australian Taxation Office, Medicare and Centrelink, this poses a huge potential breach risk.
- PayPal, Dropbox, Google Drive, Apple and Office 365.
Anatomy of an attack
- An up-and-coming cybercriminal can find everything they need to complete a large-scale email scam on the internet’s underground: the dark web.
- Known as phishing kits, these can be purchased as a package, with the price dependant on the sophistication of the fraud attempt.
- Once the kit has been purchased it can be deployed relatively easily. The first step is purchasing a domain to host the attempt – because these can be registered anywhere in the world it’s difficult to identify the real country of origin.
- In the case of a mass phishing attempt, the kit usually comes in the form of a compressed archive file which contains all the elements necessary to configure the scam. Among this cache is a list of recipients, together with their contact details. Often this information has been stolen in a previous phishing attempt.
- The attack is deployed, with the emails distributed to recipients in bulk. The aim is to steal information, which might be used to access bank accounts, or on-sold on the black market.
- Brand-impersonation scams have a short shelf life – usually less than 24 – with companies quick to arrange the blacklisting of domains set up to defraud their customers.