Our smartphones can be easy prey
THE Australian Communications and Media Authority estimates 92% of Australians use the internet and two-thirds use three or more devices to access it.
The device of choice is increasingly our smartphone and it is these devices that are emerging as the focus for cybercriminals.
Cybersecurity firm Skycure has uncovered a new smartphone spyware threat called Exaspy. This virus, executed via phishing emails, targets android devices and masquerades as "Google Services".
The virus is able to access the smartphone's chats and messaging, including SMS, Facebook Messenger, Skype, Gmail, WhatsApp, as well as what's stored on the device, including pictures, contact lists and calendars.
What could this virus enable? Aside from intellectual property and trade secrets, false invoicing scams are also a likely beneficiary when criminals use these types of viruses.
False invoicing scams are common across the world and are enabled because cybercriminals know enough about who holds what position in an organisation, the services they deliver, the contracts they pay and the amounts they are owed.
In these instances a person working for a business receives a communication requesting payment for an invoice to another entity. The communication will request payment to an account controlled by the cybercriminal.
Both the invoice and the communication are often expected. The poor staff member who thinks they are doing their job, actions the invoice and the criminal comes away with their ill-gotten gain.
It's a perfect ruse in a world where time is money and technology is about unquestionable convenience.
Apart from the obvious in avoiding clicking on links or attachments in phishing emails, in these cases prevention often comes from communication. The staff member asks questions first, either from the real company that has apparently sent the invoice, or from a colleague.
Detection after the event often comes when the company which has paid the invoice receives another one for the same payment. The original invoice was paid to the criminal but the company the criminal has impersonated obviously doesn't know this and still thinks money is owed.
It's a tricky situation. The invoicing company has had its identity stolen and used in a scam invoice sent to the company that has paid the invoice.
If there was an enabling virus, it could have been at the invoicing company's end or the payer's end. Either way, one party is still owed money and the other party has already paid money.
These scams can so easily begin because of vulnerabilities in not having anti-virus and not talking to each other.
Professor David Lacey is a Senior Research Fellow at the USC and managing director of IDCARE.