When Ruby spoke with Stephanie Williams, Principal Information Security Consultant, about what cybersecurity means for you and me, it seemed super simple. And it is, but it's surprising how much a regular check-in on these tips can help keep you safe and secure online.
Stephanie’s work directly feeds into ensuring the bank’s information and technology is safe. Her team assesses threats to the environment and finds ways to neutralise those threats.
“I’ve noticed the people I work with talk about security a lot. They love it. They are there to protect and that influences them when it comes to how they do their work and what drives them,” says Stephanie.
If she had to sum her colleagues up in a word it would be: “altruistic”.
“They are also really interesting. One guy I work with makes his own Samurai swords,” she says.
The importance of altruism cannot be overstated when we know one in five of us have experienced identity theft. Why? Because it means the people who can support us, and who do care, have ‘our backs’.
“We want to reverse identity theft and help people stay safe,” says Stephanie, “but we can’t do it without all of us taking our own protection online seriously.”
“If someone emailed, rang or SMSed you offering a $10 prize to provide your details,” says Stephanie.
“What would you do?” she asks.
“You’d do nothing, but you’d be surprised how many people do,” she finishes.
What other tips for both personal and business security does she recommend?
“Report any scam or hoax, review your privacy settings, use strong passwords and take care with links,” are her simple tips.
1) Review your privacy settings on all your accounts
Take a few moments to review your privacy settings on your apps to make sure they match your intent – do you really want to share your holiday or family photos with everyone on the internet? Read our guide on how to check your privacy settings across some popular online services such as LinkedIn and Facebook.
2) Use strong passwords
Protect your online accounts by using a passphrase, a password manager, or three random words. For personal use, you could use a cross-platform, cloud-based solution that works across smartphones, tablets and desktops:
1Password – works well in the Apple ecosystem (e.g. iPhones/macOS). It costs money and you can get it from the App Store.
LastPass – is a fully cloud-based password wallet.
Such password managers require a ‘master password’ to unlock the wallet, and this password needs to be very strong. No system can claim to be 100 percent safe, and that includes password vaults.
Want to know if your personal information has been compromised?
Visit Have I Been Pwned and enter your email address to find out. Don’t leave it at that: you must change your passwords for any accounts that have been breached, including anywhere you've used the same password.
You should also enable two-factor authentication (2FA) to add an additional layer to your security, and use it wherever offered.
Two-factor authentication (often shortened to 2FA) provides a way of 'double-checking' that you’re really the person you’re claiming to be when you log into your online accounts, such as banking, email or social media.
When you log into an online account with a username and password, you’re using what’s called 'single factor' authentication. You only need one thing (your password) to verify that you are who you say you are.
With 2FA, you need to provide two things – your password and something else such as an SMS code sent to your mobile or a biometric identifier such as your fingerprint or voice – before you can access your account.
We've listed a few popular services below that offer 2FA. And remember, never share these codes or your passwords with anyone.
3) Take care with links in emails and SMS messages
Always be vigilant for phishing scams: fraudsters' attempts to trick you into providing sensitive information by email, SMS, over the phone or online.
Stop and think before you click on unusual links or attachments as it only takes one wrong click to potentially compromise your online security and device.
Please report suspicious emails to a body such as https://www.scamwatch.gov.au/report-a-scam
Phishing attacks or scams are the number one cyber risk and the main source of malware infections. Your vigilance is key to spotting and responding to these threats early.
Scammers use many tactics to try and trick us into providing our sensitive information and often impersonate a reputable business such as your bank, telco or government department.
More recently there has been an increase in SMS phishing scams (also known as 'smishing'), and voice-based scams (known as 'vishing'), in which fraudsters use social engineering techniques to trick us over the phone, continue to be a threat.
Social engineers prey on human emotions to manipulate you, using information technology to gather information, attempt fraud or gain access to systems.
Social engineers can approach at various levels, from the lounge room to the boardroom, and may contact you in person, by phone, email or instant message. They might use techniques that appeal to urgency, fear and curiosity, or simply rely on a person’s willingness to be helpful.
Social engineers primarily gather information from technology, the Internet and social media sites such as Facebook, LinkedIn and Twitter. They also get information from publications such as annual reports or interviews, as well as from discarded material and documents.
How to recognise a potential attack
Someone asks for sensitive information, e.g. contacts, birthdays or bank account details.
Inconsistencies in the request, e.g. someone says they are from the ATO but asks for your Tax File Number.
The sender's email address does not match who they say they are.
Calls requesting personal information or access to your computer, both at home and in the office.
How to protect yourself
Don't open an email, click on a link, open an attachment or use a phone number from an email if you're not sure it has come from a verified source. Verify the source by contacting the person by phone if the email content seems 'unlike' them.
Don't give offers from strangers the benefit of the doubt. If something seems too good to be true, it probably is.
A new type of phishing attack gaining traction in the cyber world is called a ‘Business Email Compromise Scam’ or ‘CEO Fraud’ which targets employees of corporate organisations specifically.
These convincing emails seem work related and will appear to come from someone you know, such as a colleague or customer. Be vigilant when helping customers over email and always validate that the request is legitimate before actioning it, especially for payment transfer requests or changes to account payment details.
What should you look out for?
Instructions to click on a link, pop-up or attachment.
Requests for sensitive personal and/or financial information.
Requests for immediate or urgent action by attempting to rush, scare or entice you.
Unusual or unexpected requests such as a change of payment details or money transfer from a customer.
When you hover over a link, the URL displayed is different from the one you’re expecting.
The branding, spelling or the request itself just doesn't feel quite right.
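Several of the red flags above (a sender address that doesn't match the claimed organisation, a link whose visible text names a different host than its real destination, urgent language, and requests for sensitive details) can be checked automatically. The script below is an added example, not part of the original article or Westpac's own tooling; the organisation allow-list and the sample messages are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of domains an organisation legitimately sends from
# (constructed for this example; a real check would use your own verified list).
EXPECTED_DOMAINS = {"westpac": {"westpac.com.au"}}
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "act now")
SENSITIVE_WORDS = ("password", "tax file number", "bank account details", "verify your details")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Return the lower-cased host of a URL, or of bare text such as 'westpac.com.au/login'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def check_email(from_name, from_addr, body_html):
    """Return the list of red flags found in one message (empty list = nothing suspicious)."""
    flags = []
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    # 1. The display name claims an organisation but the address domain is not theirs.
    for org, domains in EXPECTED_DOMAINS.items():
        if org in from_name.lower() and sender_domain not in domains:
            flags.append(f"display name claims {org!r} but address domain is {sender_domain!r}")
    # 2. The visible link text shows one host while the href points somewhere else.
    for href, text in ANCHOR_RE.findall(body_html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "." in shown and " " not in shown and host_of(shown) != host_of(href):
            flags.append(f"link shows {host_of(shown)!r} but goes to {host_of(href)!r}")
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    # 3. Pressure to act immediately (rush, scare or entice).
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgent or threatening language")
    # 4. Asks for sensitive personal or financial information.
    if any(w in text for w in SENSITIVE_WORDS):
        flags.append("requests sensitive information")
    return flags

# Constructed sample messages (not real emails): one phishing-style, one benign.
PHISH = check_email(
    "Westpac Online Banking",
    "alerts@westpac-secure-verify.example",
    '<p>Your account will be suspended. Verify your details immediately at '
    '<a href="http://westpac-secure-verify.example/login">westpac.com.au/login</a></p>',
)
LEGIT = check_email(
    "Jane Smith", "jane.smith@example.com",
    '<p>Hi team, the meeting notes are on the <a href="https://wiki.example.com/notes">wiki</a>.</p>',
)
```

Keyword matching of this kind only catches the crude cases; the point is that the same indicators a person looks for can be turned into a repeatable check before a message is acted on.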
Remember: Westpac will never send you links to sign in pages via email or SMS, or ask you to update, verify or correct any Online Banking details by replying to an email.
Report all scams: https://www.scamwatch.gov.au/report-a-scam
For more online security information: https://www.staysmartonline.gov.au/