Capitalism 101: If something is financially worth doing, somebody, somewhere, will do it.
It’s a rule that applies as much to the mushrooming number of criminals exploiting people and organisations on the internet as it does to legitimate businesses. Quite often the perpetrators net just a few dollars per victim. However, the reach possible in the digital world means untold thousands of accounts can be targeted, so perpetrators need only a small proportion of victims to make handsome returns.
Attacks can - and do - occur anywhere online where ‘value’ is at stake.
‘Phishing’ is an increasingly common type of attack that is seen across many different sectors (including both loyalty and cryptocurrency).
Often unsuspecting customers are invited to click on links diverting them to a fake website. Once there, they are duped into entering their login details - such as usernames and passwords - which are then harvested and exploited by criminals.
A growing number of phishing attacks are occurring on social media platforms.
Australian supermarket giant Woolworths was recently forced to tighten security for its loyalty programme, after 130 customer loyalty accounts were compromised in this way.
The fraudsters acquired legitimate usernames and passwords which they used to log into customers’ loyalty accounts. Once there they were able to redeem their victims’ points for gift cards. While the points themselves have no financial value, gift cards do – and are difficult to track.
As more and more financial activity moves online, we can expect these and other scams to become more common and more sophisticated.
That said, taking a few simple precautions will keep the majority of malicious attacks at bay.
Top 7 tips for thwarting phishing attacks
- Check the authenticity of any promotions. If it sounds too good to be true, it probably is. Either way, if the company’s official social media accounts aren’t making the same promise, be very wary.
- Ensure links are legitimate. A favourite trick for fraudsters is to use a link on social media or in an email to redirect you to a fake site. The URL for this will not be the same as the company’s real website. Check links by hovering over them, and pay attention to characters that have been substituted for similar ones – e.g. ‘woo1worths.com’.
- Double check social media handles. Lookalike handles are another classic trick for fake social media accounts, especially on Twitter (e.g. @woo1worths). The blue ‘verified’ badge can help you tell the difference for official accounts, though not every business will have one.
- Activate two-factor authentication whenever it’s offered.
- Use strong passwords. Passwords should have at least eight characters, and a mixture of upper and lowercase letters and numbers in them.
- Be very careful about reusing passwords. Lists of usernames and passwords from hacked sites are routinely sold on the dark web. If your details are on one of those lists, and you’ve used the same credentials on other sites, those accounts have potentially been compromised too – or will be soon.
- Run a malware and antivirus checker regularly. You can find many decent free ones online, from big and trustworthy names. This is especially important if you’ve recently downloaded any software from dubious sources, clicked any links you think might be malicious, or somehow ended up on sites of varying forms of shadiness.
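As an added illustration of the link and handle checks above (example code written for this page, not from the original post or from Woolworths), the Python below folds commonly substituted characters back onto the letters they imitate and compares the result with a list of known-good domains and handles; the known-good lists and the sample inputs are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed placeholders: the brand's real domain(s) and official handle(s)
# a checker would be configured with.
KNOWN_GOOD_DOMAINS = {"woolworths.com"}
KNOWN_GOOD_HANDLES = {"woolworths"}

# Characters fraudsters swap in for visually similar letters (digit 1 for l,
# 0 for o, Cyrillic letters for their Latin twins, ...).
CONFUSABLES = str.maketrans({
    "1": "l", "|": "l", "0": "o", "3": "e", "5": "s", "$": "s", "7": "t",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic p
    "\u0441": "c",  # Cyrillic c
    "\u0131": "i",  # dotless i
})


def skeleton(text):
    """Fold lookalike characters onto the letters they imitate."""
    folded = text.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def host_of(link):
    """Extract the lowercase hostname from a URL or bare domain."""
    if "://" not in link:
        link = "http://" + link
    host = (urlparse(link).hostname or "").rstrip(".")
    try:
        # Render punycode (xn--) labels as Unicode so confusables are visible.
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def _matches(candidate, known):
    return any(candidate == g or candidate.endswith("." + g) for g in known)


def classify_link(link):
    """'legitimate' for a known domain or its subdomain, 'lookalike' if it
    only matches after folding confusables, otherwise 'unknown'."""
    host = host_of(link)
    if _matches(host, KNOWN_GOOD_DOMAINS):
        return "legitimate"
    if _matches(skeleton(host), {skeleton(g) for g in KNOWN_GOOD_DOMAINS}):
        return "lookalike"
    return "unknown"


def classify_handle(handle):
    """Same check for a social media handle such as '@woo1worths'."""
    name = handle.lstrip("@").lower()
    if name in KNOWN_GOOD_HANDLES:
        return "legitimate"
    if skeleton(name) in {skeleton(g) for g in KNOWN_GOOD_HANDLES}:
        return "lookalike"
    return "unknown"
```

A match that only appears after folding is exactly the kind of link or handle the tips above say to distrust; an 'unknown' result still needs the promotion cross-checked against the company's official channels.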
Disclaimer: The above is not advice on Information Security, and Incent Loyalty Pty Ltd (and its associated entities) will not accept any liability for any (direct or consequential) loss arising from the above content.