Anatomy of a Phishing Scam

Does anyone else remember the 1990s Hollywood depiction of hacking? Dimly lit room, nerdy looking character, possibly wearing a Hypercolor t-shirt and fluoro shades, whizzing through a CGI mainframe wonderland. Yes, I know.


As cool as that is, the reality in 2018 isn’t like that at all. You are much more likely to run into trouble from a plausible email from your utilities provider or from someone you know.   

Small businesses are one of the biggest targets for hackers with some 43% of all cyber-attacks hitting small businesses.  

Why are these kinds of attacks on the rise? Because they can be extremely profitable for perpetrators! The good news is that are also relatively easy to combat. 

Let us give you a rundown of the current approaches from scammers and tips on how to stay cybersafe.

What is Phishing? 

Put simply, Phishing is a method of stealing confidential information by sending fraudulent messages to a victim.  

Unlike Spear phishing or Whaling these emails are not personalized to their victim. They are more likely to come in the form of emails from places like the ATO, Telstra or your favourite bank. 

Traditionally the perpetrators attempted to target basic human emotions such as fear and curiosity to elicit a sense of urgency out of their target and increase the likelihood that the target goes along with the request. But as internet behavior changes, so do cyber-attacks. The most commonly targeted motivators in 2018 are social, reward and recognition. Losing access to your Facebook account is a terrifying prospect now, isn’t it? 

The end game of phishing is to coerce users into performing specific actions such as opening an attachment, visiting a website, revealing account credentials, providing sensitive information or even transferring money. 

Spear Phishing  

To increase their probability of success, attackers may gather information about a specific target and customize their message to the user, often taking into consideration timing of the message as well as the appearance and content. This ‘spear phishing’ technique is by far the most successful on the internet today. 

The term Whaling has been coined for a specific kind of attack where high profile targets, such as Directors or Senior Executives, are directly targeted. 

Phishing emails are crafted to appear to originate from a known and trusted source. Quite often these emails can be very sophisticated, appearing at a cursory glance to be the genuine deal.  

Phishing emails from Ben (1)

Imagine if your ‘CEO’ emailed a few people and sent them a meeting invite and the link in the email prompted the users to sign-in to attend the meeting. Hmm, that dodgy link doesn’t appear to work. Meanwhile, it’s mission accomplished for the ‘bad guy’. 

How to Spot a Phishing Scam 

While socially-engineered messages can be very convincing, there are things to look for to assist in differentiating them from legitimate messages. Users should first consider the following questions:

  • Do you recognise the sender? 
  • Are you expecting a message from the sender? 
  • Is the tone consistent with what you would expect from them? 
  • Is the message suspiciously written? 

While most attackers go out of their way to make their messages appear legitimate and from a relevant and trustworthy source, some may simply lack the capability or motivation to do so. Look for simple spelling issues such as incorrect spelling or grammar, abnormal tone or the absence of a specific addressee indicating a shotgun untargeted message.  

  • Is the sender asking you to open an attachment or access a website? 
  • Is the attachment or website relevant to the content of the message? 
  • Is the website asking you to login to either your email or social media accounts? 

When messages contain links to websites, consider browsing to the website rather than clicking on the link in the message or directly copying or typing the link into a web browser. A scammer can use several techniques to either bewilder or trick users into accessing a malicious website that they think is legitimate. Never enter credentials into websites if directed there by a link in a message.

  • Is the sender asking you to perform a specific activity for them? 

You should treat any requests to change the configuration of systems or perform specific actions, such as manually running macros in an embedded document, as highly suspicious.

There is another form of this scam, known as “CEO fraud”, that involves someone masquerading as an organisation’s CEO, or accounts team and requesting the transfer of funds.  If at all unsure, then the best course of action is to pick up the phone and call to confirm identity and intent.  

  • Is the sender asking for information they wouldn’t necessarily have a need to know? 

Most people like to be helpful. The easiest way for an attacker to access sensitive information is to exploit your natural desire to be a nice guy or girl and simply ask. 

Often, they may masquerade as someone people may expect to have a legitimate requirement to access the information being asked for. A colleague asking for copies of documentation that is claimed to have been accidentally deleted for example.  

Needless to say, you should never disclose your credentials to other people. You should be suspicious of any requests originating from sources that you do not interact with on a regular basis and even if you know the person you should still consider whether that individual has a legitimate requirement to know the information that they are requesting.  

How should socially-engineered messages be handled? 

If you suspect that you’ve received a socially-engineered phishing message, do not delete or forward it. Contact your organisation’s information technology help desk (or #nerdherd, if you have one, and seek advice on how to proceed.)

Example of a phishing scam masquerading as an email from the Australian government.

Three ways to keep your business cybersafe

Education and Awareness 

The first line of defence against a social-engineering attack is that clever human right behind the keyboard (that’s you!).

Here are some fast and easy tips to help keep your organisation covered:

  • Don’t click on links or download attachments unless you and/or your staff are certain the email is legitimate. When in doubt, manually type the web address into a browser, rather than clicking on a link. 
  • Trust your instincts—if you or your staff think you know the source of an email but something seems odd—phone to check if they did send it. 
  • Report suspicious emails to your IT security staff. 

Password Hygiene 

Quite often, the objective of a phishing attack is to have their target enter their credentials into spoofed pages of popular sites to gain access to employees’ usernames and passwords.

One of the best ways to minimise your exposure is to ensure that you are practicing excellent password practices. Good, complex passwords, changed at an appropriate frequency, but most importantly… 

stop sharing passwords

Really. Stop sharing passwords.

Sharing passwords greatly increases the risk of sensitive information being released into the wild and damaging your business’ hard won reputation.

We aren’t just talking about employees sharing passwords a-la “Passw0rd!” on the post-it-note on the monitor either (and please don’t let that be your password).

Sharing passwords between systems can be incredibly dangerous. Do you or your staff use the same passwords on your mission critical systems that you use on Facebook or your personal Gmail? If you do, then please just zip over and change your password now. It will only take a minute, I’ll wait.

Technical Solutions 

Although the best defence against this kind of sophisticated threat is an alert workforce there are also tools available for extra protection. 

Grassroots IT uses and recommends ManageProtect MPMail as a tool in your tool box to help mitigate the risk of falling foul to phishing attacks, as well as reducing the torrent of spam. 

MP’s patented method of identifying and controlling spam delivers more than 99% accuracy in eliminating spam mail from your inbox. The technique also results in highly accurate threat protection with low positive rates, meaning that legitimate emails are not misidentified as spam. (No Hypercolor t-shirts or fluoro visored shades required). 

Once filtered, suspect messages are stored in a safe, accessible and configurable external quarantine. 


With MPmail Fraud Protection, users are protected from fraudulent phishing emails and the multi-layered filtering protects employees from unwittingly releasing sensitive information. 

Automatic filtering identities and blocks unwanted, inappropriate and malicious content in body copy and attachments before it enters or leaves your organisation. 

To truly combat phishing tactics, companies of all sizes must become more vigilant through employee training and a culture of awareness as well as the use of security software, to better spot and avoid debilitating and costly attacks. 


Why Do Australian Businesses Require Cyber Security? Here are Some Eye Opening Stats

[box style=”simple”]

This is a guest post by Gavin McDowell, Chief Security Officer at Gridware Cybersecurity. Gavin is a highly experienced information security expert with over 17 years experience in the IT industry.


In just the last five years, business leaders have changed the tone of their cyber security conversations. It is no longer a discussion about layers of defence or the beefiness of the firewall, instead Directors now understand it’s no longer a matter of ‘if’ but instead a matter of ‘when’ the system will be breached. And the smart companies have already started to shift their resources from preventative techniques to detective ones.

The fact that historical approaches to cybersecurity are no longer good enough is an indication that cyber attackers have become more intelligent and patient, and that the nature of the attacks are more sophisticated. In today’s digital world, this is something business leaders have come to accept.

The perimeter of your network can no longer be defined and effectively controlled, instead attackers have learned to be patient and exploit lower risk vulnerabilities that are usually ignored by internal IT teams, allowing exploits to go unnoticed.

This demonstrates all the more reason Australian businesses need to take cyber security more seriously. The first step will be to focus on predicting where the next risks will be for their business and working pre-emptively to come up with solutions.

There is no better way to demonstrate the urgency of developing formal cyber security plans for your business than looking at some of the big players and the cost of their data breaches:

Case Study 1 – Target

The brand we know and love, Target was subjected to a malware based attack through a compromised point of sale system that allowed hackers to steal credit card information of customers for three years without detection. Target’s share prices dropped 13.7% the month of announcing the data breach, and said the cost of the breach aftermath was close to $163 million.

Case Study 2 – Sony Pictures

This time hackers used more complex exploits. They utilised highly sophisticated phishing, calling employees pretending to be from internal IT teams, and ended up creating fake digital authentication certificates to bypass security systems. The breach allowed the hackers to expose the entire Sony employee email servers to the public. Sony admitted the cost of the IT repairs after the breach totalled $35 million, with the total cost of the breach coming close to $1 billion.

Case Study 3 – US Office of Personnel Management

Government departments are especially vulnerable which is why the Coalition has recently introduced an Australian Government Cyber Security Strategy. In the United States, however, the Office of Personnel Management had 22 million government employee records stolen by a contractor who was tasked with performing background checks. The information stolen included employee driver’s licences and passport information.

Case Study 4 – Yahoo

One of the largest breaches of customer information ever recorded, Yahoo reported in late 2016 that a breach occurred three years earlier in 2013 of over 1 billion user accounts that were compromised by hackers. The cyber criminals took and published the user records which included full names, emails, data of births, secret questions and answers and passwords. Verizon Communications reduced its original take-over bid of Yahoo by $925 million as a result of this breach, with the real implicated cost of the breach not disclosed, the catastrophic effect of the breach has certainly been felt in the reputational damage Yahoo has faced in the media.

So How can My Company be Compromised?

This is question most want answered. How can I be breached? With the premise of the question being ‘what can I do to prevent this particular breach?’ The reality is, for close to 60% of cases, attackers will be able to compromise an unprepared organisation within minutes.

Between 70-90% of malware samples were uniquely created to an organisation. This means attackers will likely evaluate your specific business, looking closely at the applications you are running to develop a unique exploit.

The prevalence of phishing is also a very high risk. Two thirds of incidents where a business was compromised included a pattern of phishing. In a recent study by the Ponemon Institute, 23% of business employees open phishing messages and 11% click on attachments within the first hour of receiving them.

What Will a Cyber Breach Cost?

Perhaps you’re not in the middle of a take-over bid, but the cost of cyber breaches will still be great. IBM interviewed 1500 organisations and found that the data breach cost per record (that is, think how many paying customers you have ever had in your company records) would amount to between $200-400 per customer. And the costs are growing. You need to consider not only the IT repair and hardware costs, but the reputational damage that will inevitably occur when you are forced to publically disclose your company was breached by the Privacy Commissioner (and the cost of fines if you don’t).

Where should I Focus If I Want To Protect My Business?

Start by assessing the cyber risks that apply to your business. Look at your cyber maturity and your business objectives:


    • What digital solutions are changing in line with where the business is heading?


    • Consider how you will mitigate those risks, what is your ‘plan b’ and ‘failsafe’ for each critical system?


    • What type of cyber awareness training might be appropriate for your employees and how regularly should they refresh their knowledge?


    • Ensure you have senior management support for good cyber practices and that is reflected through the company culture.


    • Ensure you have three lines of defence for critical systems:
        1. the right configurations,
        1. effective and regular monitoring of those controls and configurations, and;
        1. having an independent expert regularly audit and assess those controls to determine any weaknesses.

Cyber threats will continue to rapidly evolve in the years to come. In 2017, it is now more critical than ever to ensure you remain a step ahead of cyber criminals and your competitors to give your company the edge to grow and succeed securely.




Cost of Data Breach Study: United States, Ponemon Institute LLC, May 2016.


[box style=”simple”]

Gavin McDowell is the Chief Security Officer at Gridware Cybersecurity. Gavin is a highly experienced information security expert with over 17 years experience in the IT industry. Prior to Gridware, Gavin held several senior security roles at Accenture Consulting, Symantec Australia and Westpac Banking Corporation. Gavin has a Bachelor of Computer Science (First Class Honours) from the University of Sydney and a Masters of Business Administration from Macquarie Graduate School of Management. You can find Gridware on Facebook and Twitter.


Tips for creating a memorable and secure password

Tips for creating a secure and memorable password

Remembering your password can be difficult at the best of times. To add to that, most websites these days require password security so they can store your personal information and keep it secure. So you have all these passwords for countless different website and it can begin to be difficult to remember them all.

To help you create memorable (and secure) passwords we’ve put a lists of tips you can use:



    1. Base your password around a personal goal and add the date by which you want to reach that goal, e.g.: Europe2019
    2. Make up a visual password by following a pattern on your keyboard, e.g.: cvghyu89
    3. Combine three random words, e.g.: TreeLibrarySound
    4. Include words from a different language. e.g.: VeniVidiVici (I came, I saw, I conquered in latin).
    5. Revere a word or phrase, e.g.: esarhp
    6. Try referencing an unsual word, phrase or quote from your favourite book or movie, e.g.: “May the Force be with you”.
    7. Use the first letter from each word in a quote or saying, e.g.: MtFbwy
    8. Use a phrase that includes punctuation, e.g.: WhySoSerious?



To add another layer of security for all above instances, why not replace some letters with numbers or symbols, e.g.: 8=B, @=a,$=s, 1=!, 3=E. Or use capitals for the words that normally require capitalisation.

Most passwords requirements are between 6-8 characters, if you’ve chosen a quote that’s a little short, try adding a random number or symbol to increase your password length.

However, avoid using the simple number patterns such as “1234” or your birth date. Find something that holds meaning to you. For example, the first Star Wars movie was released 25th May 1977, so my password would look like this: MtFbwy25577

So, the next time you lock yourself out, why not try one of these examples to make sure you never forget it again. And if you haven’t changed your passwords in a while, maybe it’s time for a refresh to keep it all secure and safe. 😉

Keeping your business safe with Datto Business Continuity solutions

Ransomware is becoming a leading threat to small business in Australia. It’s a type of malware that encrypts data on infected systems and locks its victim’s files and allows criminals to demand payment to release them. Small businesses are particularly vulnerable to these attacks.

In this webinar, James Bergl from Datto shares the steps you can take to keep your business safe from these expert hackers.





More data is being created and stored, by companies of all sizes. Data will continue to grow at rates from 11% to 40% annually (Enterprise Strategy Group). Amount of data could grow by 50 times by 2020. (IDC)

SMBs are part of the “big data” wave.  It really just means smarter use of their data, in turn making it more valuable.

For SMBs, their data is their lifeline.






Have you experienced disaster in your business?

Earthquakes are a real threat here.  And even in a minor earthquake you may not be let back into a server room until the building is inspected. However, there are more and more threats to a business’ data.  Not just big natural disasters but the day-to-day data loss disasters caused by malware, server failure, power outages and human error.



Evaluate your risk

Aging equipment and more security risks will drive more data failure and potential data loss for businesses of all sizes, particularly small business.

95% of companies experienced an unplanned data center outage in the past two years. (Ponemon Institute)



Protecting your data is protecting your business

You wouldn’t consider running your business without insuring your employees or the physical components.  For example, you have have insurance for the physical desktops in case they get stolen, but what about the more valuable data that it contains?

Most business liability insurance policies do not cover data loss.



What is true Business Continuity?

Just backing up the data is not enough. Business Continuity is about keeping the business up and running in the event of an outage.

  • Hybrid cloud-based backup
  • Image-based backup

Backup entire servers, not just select sets of files.

  • Delivers superior

RTO = Recovery Time Objective
How much downtime can you withstand?

How long can your business be down without it affecting your bottom line?

  • Seconds
  • Minutes
  • Hours
  • Days
  • Never


RPO = Recovery Point Objective
How much data are you willing to lose?

  • Eliminates downtime (Virtualization)






To sum it up…


[list type=”icon” style=”none” icon=”double-angle-right” icon_color=”#90a105″]

  • Ransomware is rife & will cost your business money and time
  • Backup is not enough to deliver business continuity
  • Grassroots & Datto are committed to delivering a complete solution to protect you against downtime


[box style=”solid”]


FREE RTO/RPO Consultancy Session with Grassroots IT

30% discount on all 3 year contracts before December 14th 2016






How secure is your Cyber Security?

Do you have a good grasp on Cyber Security and how it affects your business? Or do you leave it to someone else to worry about, such as a manager or your IT guy?

On The Small Business Technology Show, we spoke to Dr Sally Ernst who is an expert in the area of cyber security and has written the book ‘Gotcha! Your Little Black Book to a Safer E-xperience‘. Her book is aimed at business owners who are short on time but want to be cyber safe. Our recent interview with Dr Sally on the podcast explains why you need to have a good understanding of cyber security and how it can affect your business, and here is a quick summary of the information we discussed.

[section background_repeat=”repeat” background_position=”center top” background_attachment=”static” background_scroll=”none”]

Dr Sally’s thoughts on cyber security:

The need now is to get people engaged in cyber security, and this includes business owners. A lot of businesses rely on blissful ignorance that their internal IT guy (or girl) is going to make sure everything is safe and secure. The reality is that it is not just one person’s responsibility to be working towards being less cyber insecure. There is a need for a mindset shift towards everyone being personally accountable.

It is important to have an understanding what your cyber security is and where it is. Many businesses are not even consuming the basic security that already exists. There is no excuse at a corporate level not to be operating under the best practices and frameworks.



Cyber security implementation:



Here are Dr Sally’s five tips to get you cyber safe and secure:

[one_sixth valign=”top” animation=”none”]


[five_sixth_last valign=”top” animation=”none”]

[list type=”decimal” style=”none”]

  • Start small and start somewhere
  • Understand where your information functionality is
  • Know where all your information is stored
  • Prioritise how to start protecting it
  • Beware of Shadow IT



(For more information on Shadow IT, click here)

Examples of security breach and practices to avoid them:

It’s important to understand what type of security breaches could occur and to think ahead to avoid any occurring. Here are some examples Dr Sally has shared with us.

[one_sixth valign=”top” animation=”none”]


[five_sixth_last valign=”top” animation=”none”]

[list type=”icon” style=”none” icon=”double-angle-right” icon_color=”#90a105″]

  • It’s not just as simple as knowing your email is with Microsoft Outlook and banking is with your banking provider. They’re not isolated. In fact, they are all very much interconnected.
  • Think on a larger scale – who has access to your network?
  • Email providers use an authentication as a backup for your password, like sending a text to your mobile. If you’re mobile is breached, then you only have one level of security.





If you would like more information on cyber security click this link to hear the rest of our chat with Dr Sally.




Infectious Email

A potentially infectious email containing a zip file and a word document

Hello. Ben again from Grassroots IT. Look, I really do not want to become the guy on YouTube who posts about every single new virus and infection that comes out, but I have just got hold of a new variant on those phishing emails that are coming through and wanted to show you very briefly.

What we can see here is an email that has come to my proper address. They’ve got my address from somewhere, not that that’s hard mind, and it’s come from Michael John Stone at something or other I have no idea who this person is for starters. That’s the first thing we need to be aware of. Coming down into the body of the email. “Denied BPay transaction”. They’re using the sort of bait here that’s likely to get everybody interested. Denied transactions. I’d better fix that otherwise I’m going to hit with fines and fees et cetera.

They’re really baiting people well. They’re talking about Australian dollars here, which makes it seem a little more legitimate given that I work in Australian Dollars. Obviously there’s my email address there.

Here’s a couple of interesting things. Can you see the attachment? Aborted Bill Payment transaction. Can you see on the end there, it says .zip? A zip file is a compressed file, a compressed archive that may contain multiple other files. It is a classic way for spammers to send through potentially infectious payloads.

What I’m going to do, I’ve already checked this out in advance so don’t panic, is I’m going to double click on that to open it. Now I would recommend that you do not. If you do receive one just like this, leave it alone. Delete it. Okie doke? So what we can see here is that it’s uncompressed that and there is a single file in there. It is a Word document. Word 97 – 2003, so a slightly older format. Again, this is looking a little bit suspicious. I’m not sure why anyone would legitimately zip up a single word document. But I’m going to double click on that again.

Now, again, do not do this yourselves, please. I’ve already been through this. I know what I’m doing. These are trained professionals, people. Now this is interesting. We get a Word document. The main way that they can potentially infect your computer or cause problems, is using macros. Macros are like little scripts or computer programs that can run within a Word document. But by default, Word will not run those macros. It’s got security settings in place that don’t let that happen. So what they’re trying to prompt you to do here is to essentially disable that security, okay?

See this, Macros must be enabled to display the contents of the document. They’re actually trying to get you to disable that built-in security that Word has so that their malicious payload can run.

Now going through the document here, they do give you instructions on how to do that for every version of Microsoft Word. Again, don’t do this. What I’m going to do though is do this. So I’m clicking on enable editing. Okay. So it’s changed views now into the editing view of Word. You can see our document there but here’s another security warning. Security warning: Macros have been disabled, so Word is still trying to protect me. Now, I’m not going to click on Enable Content. That will cause problems on my computer and I don’t want that. What I am going to do, though, is show you something which is a bit geeky but I thought you might like to see it.

What we’re looking at here is the Visual Basic for applications editor. This is the actual window that you can use to work with these malicious macros and scripts and so on. And there’s one here. See that one there. Project Bill Pay Cancelled? That is essentially the malicious little script which will try to do nasty stuff to our computer. When I click on that, they’ve got it password protected so that you can’t go in there and see exactly what the scripts are trying to do, etc. etc.

That’s the end of this particular video but I did just want to step you through that. If you get those emails coming through, it’s from somebody who you do not know. Big giveaway. It’s got that zip file attachment. It ends in .zip. Be super careful about those. Probably best just to delete them to be honest. In this case, because I knew what I was doing ahead of time, I went through, opened up a Word document with macros there that would try to do something nasty to my computer and infect it. I don’t know what it was going to try to do to my computer but you know what? I’d rather not find out.

For another example of a suspicious and potentially infectious email, have a look at this other post for one pretending to be from the Apple store.


Get the latest Updates