Beware the dangers of phishing attacks and data breach fatigue

UNSW cybersecurity expert Professor Sanjay Jha says companies and the public should remain on high alert in the face of continual cyber attacks

Cybersecurity expert Professor Sanjay Jha has urged the public to remain vigilant and not become complacent about ever-increasing cyberattacks. The most recent data breach report from the Office of the Australian Information Commissioner (OAIC) recorded 483 breaches in the period from July to December 2023, up 19 per cent on the previous six months.

Two-thirds (67 per cent) of those breaches were caused by malicious or criminal attacks, with the other third made up of human error (30 per cent) and system faults (3 per cent). Although 312 of the 483 breaches affected 100 or fewer people worldwide, there were also four separate incidents where 250,000 or more Australians had their data improperly accessed.

Prof. Jha, UNSW Lead of the Cybersecurity Cooperative Research Centre (CSCRC), hopes that the public will not start to tune out and ignore such data breaches as they become more and more prevalent – especially given the dangers of not taking steps to protect personal information which may have been compromised.

“I understand that it’s human nature that you start to just get used to certain things, but I think it's important to keep raising awareness about trying to protect your personal information and even if we reach only a small percentage of people who listen, then it's worth it,” he says.

“It’s obviously a big danger if your bank account is compromised, for example, and lots of money is stolen from you. But there are other private details you probably don’t want random people to know about – such as your health or medical records, which can also get broken into.”

UNSW Sydney cybersecurity expert Professor Sanjay Jha says the problem of phishing attacks is so widespread that even he is targeted regularly. Photo: supplied

Data as a commodity

Prof. Jha says that when malicious cyberattacks on companies and organisations result in breaches, it can take some time for that personal information to make its way to professional hackers or others who try to make money from the stolen data. “Personal data is a valuable commodity. Even if credentials aren’t stolen, then it can still be sold as marketing information,” he says.

“But if there is a specific piece of identity then that can kickstart cybercrime because it helps bad actors create your profile and maybe use social engineering to try to get the full information they need to log into your banking system or compromise your medical records.

“Even just knowing your mobile phone number and whether you are a male or female can be enough for criminals to start getting to work. A lot of this information when it is obtained by a cyberattack is then sold on the darkweb and maybe it then gets bought by hackers who are building phishing sites designed to get the additional credentials they need to get into bank accounts and steal money.”


Phishing for personal information

The problem is so widespread that even a cybersecurity expert such as Prof. Jha himself is targeted regularly by those he believes have obtained some of his personal information.

Many of these attempts come via phishing scams to his mobile phone, where fraudulent messages purportedly from large reputable companies are actually being sent by cybercriminals attempting to get even more valuable information such as online banking logins, credit card details or passwords.

But Prof. Jha acknowledges that it’s sometimes hard for the general public to know what communications they can trust. “Phishing attacks continue. They aren’t stopping and in fact they are getting ever more innovative,” the academic from the School of Computer Science and Engineering says.

“Even I get those types of messages which say something like, ‘This is Coles and your reward points are about to expire’. The cybercriminals know that almost every Australian is buying their groceries from Coles or Woolworths, so they have a good chance of getting your attention. People can then fall into the trap of clicking on the link and giving out their information. More and more education is always needed about this, but it’s also hard to know what is real and what is fake.

Phishing techniques are designed to obtain personal details such as credit card information. Photo: Adobe Stock

“I also get legitimate messages from Australia Post when I have a parcel delivery and they send a URL for me to click on. But they use a tiny-URL system which just shows a series of random scrambled numbers and, as a cybersecurity expert, that makes me very afraid to click on a link where I can’t see the full address. And that creates a problem because it is the same technology being used for a legitimate purpose, but it’s lost its trustworthiness and should make you wary of clicking.”
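The two warning signs Prof. Jha describes, a trusted brand name paired with a link that leads somewhere else and a shortened URL that hides its destination, can be turned into simple triage checks. The script below is an added illustration for this article, not code from UNSW or Prof. Jha: it scores SMS-style messages on those signals and, for a shortened link, reads the redirect target with a single HEAD request without following it. The shortener list, brand list, urgency phrases, scoring weights and the three sample messages are all constructed assumptions for the example.

```python
"""Smishing triage heuristics: score SMS-style messages for phishing
indicators and reveal where a shortened link points without following it.

Added illustration for this article, not code from UNSW or Prof. Jha.
All lists, weights and sample messages below are constructed assumptions.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumed lists for illustration; a real deployment would maintain these.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
IMPERSONATED_BRANDS = ("coles", "woolworths", "australia post", "auspost")
URGENCY_PHRASES = ("about to expire", "act now", "within 24 hours",
                   "has been suspended", "verify your")
CREDENTIAL_WORDS = ("password", "card details", "log in", "login")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(text):
    """Pull every http(s) link out of a message body."""
    return URL_RE.findall(text)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_opaque_link(url):
    """A link that hides its destination: a known shortener host or a bare IP."""
    host = host_of(url)
    return host in SHORTENER_HOSTS or bool(IPV4_RE.fullmatch(host))


def is_trusted_host(host, trusted_domains):
    """True if host equals, or is a subdomain of, a trusted registered domain."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def score_message(text, trusted_domains=()):
    """Return (score, reasons). A score of 3 or more is treated as suspicious.
    Naming a brand is not suspicious on its own; naming a brand while linking
    to a domain the brand does not own is."""
    lowered = text.lower()
    urls = extract_urls(text)
    score, reasons = 0, []

    if any(p in lowered for p in URGENCY_PHRASES):
        score += 1
        reasons.append("urgency language")
    if any(w in lowered for w in CREDENTIAL_WORDS):
        score += 1
        reasons.append("asks for credentials")
    if any(is_opaque_link(u) for u in urls):
        score += 2
        reasons.append("shortened or opaque link")
    brand_named = any(b in lowered for b in IMPERSONATED_BRANDS)
    off_brand = [u for u in urls if not is_trusted_host(host_of(u), trusted_domains)]
    if brand_named and off_brand:
        score += 2
        reasons.append("brand named but link is not on a trusted domain")
    return score, reasons


def is_suspicious(text, trusted_domains=()):
    """Threshold helper so callers get a plain yes/no."""
    return score_message(text, trusted_domains)[0] >= 3


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the shortener's target is only read."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def peek_redirect(url, timeout=5):
    """Send one HEAD request and return the Location header without following
    it. Returns None when the server does not redirect. Needs network access."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


# Constructed sample messages (not real SMS traffic).
SAMPLES = [
    "This is Coles and your reward points are about to expire. Claim now: https://bit.ly/3xAbCdE",
    "Australia Post: your parcel is on its way. Track it at https://auspost.com.au/track/ABC123",
    "Reminder: your dentist appointment is tomorrow at 10am.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(score_message(msg, trusted_domains=("auspost.com.au",)), "|", msg[:45])
```

The trusted-domain list is what separates the legitimate Australia Post message from the Coles lure: the same parcel message scores 2 (brand plus an unlisted domain) if no trusted domains are supplied, and 0 once `auspost.com.au` is listed. `peek_redirect` is the defensive answer to the opaque tiny-URL: it reads the `Location` header the shortener returns but never requests the destination.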

Prof. Jha says companies should be doing more to keep personal data safe from hackers, but admits that as information and communications technology systems grow ever more complicated, points of weakness are always likely to exist.

And attacks are unlikely to decrease while there is a lucrative market for stolen credentials. “The problem is that ICT systems are very complex and every day new applications are deployed and new information is stored and exchanged. It is a very dynamic field – and anyone who says they can secure an entire system where no attack is possible is not being very truthful. What we need to do is to ensure we are trying our best to minimise the attacks, and if they happen make sure we are resilient enough to deal with them and recover,” he says. 


“But some systems need to be more secure than others. If you take down the power grid then you could take down the whole country, and the banking system is another. I do think that companies in general can do a lot more to protect people’s privacy. If a new system is deployed then do proper testing and check integration with other systems in case it causes a possible vulnerability in terms of security.

“In addition, keep track of any vulnerabilities that are reported. And monitor cyber threat intelligence from reliable sources to check if your system is at risk. Another good measure is regularly scanning and sanitising the system – all of these are protocols that build up strong security.”
