In this episode, Rob catches up with Mike Ouwerkerk from Web Safe Staff.

This is the recording from a live interactive webinar where we discuss practical ways of protecting yourself online.

The theme was “phishing and drinks”, so it was a bit of fun, and included some hard hitting yet easy to understand topics. Some of our guests joined in on the action giving both perspective and valuable insights into the discussed topics.

This is a MUST WATCH for any email user, at any level of technical competency.

Get it as a Podcast

Or watch the recording on Youtube below!

TRANSCRIPT

Note, this transcript has not been editted from the speech to text engine it was generated from

OK, just kick this off. Welcome everyone. This is Mike. And we’ve got robbed. I teach people how not to screw up the business and Rob deals with the tech side. So 20 two of us we kinda thought would have a bit of a bit of a chat around how people can avoid few nastys with emails and the three parts to IIT. Those people, processes and technology, and I think that’s probably the first point we’ve got. Actually based around it is the fact that there are three distinct parts. Inviting security at a few miss any one of those packs you’ve gotta wait point and get bridge. So good luck with that. Can everyone hear me right? Definitely yeah Co OK. Look not one of the first things I want to say around this stuff. Is that we were talking around IT security. One of the biggest problems that we have that that we see is what I would not so politely called the giver **** factor. Basically people need to care about the stuff a lot more. They don’t really see it as their problem that comes back to people like me, I guess largely just trying to do a better job around getting things. I understand that there are massive part of the solution when we get breached. It sucks, you know, we’re not just talking about it. Organizations we were talking about about home use talking about our kids as well, so it’s really important that people just realized that we all have to do our thing and try and be aware of this day in, day out when I can get it into the culture of organization. And then being suspicious so you know this is massive. There’s a lot for people to know around this stuff. There’s a lots of lots of rules and you can go to example is you know it’s pretty much endless with the people. Will remember this stuff, probably not. You know there’s so much, but if you are at least suspicious, that will drive you to stop and think before You. Act. The criminals always wanted to act before you stop and things, but if you do this. You really won the battle, right? I mean literally you will just go. Yeah, I’m not sure what you gonna do. You gonna go ask someone who knows more about this stuff than you know, that’s great. You’ve done the right thing. I’ll tell you hey, that’s a scam. Don’t click on that.. You’ll learn you’ll get better next time you won’t get troops.. Maybe you can help someone else so it’s just a massive part of it. Just being suspicious and that like when we train people, that’s literally what we say. The court outcome here is just having you guys. Suspicious ‘cause that’ll. Drive your learning and drive better decisions overall. Coach Rob, you wanna do some check stuff and have a talk about multi factor and how that can protect people with with email compromise? Absolutely. So yeah, it was a good intro on a good lead in there Mike and it’s got.. It’s definitely the give a **** factor. It’s you know people just in autopilot all the time with Tech and they everyone loves to blame Tech and technologist. Love to blame people but I think we are equally responsible so you can throw as much technology at it as you like and it’s not actually going to make the problem go away every day. You know we we see there’s adaptations of technology like it’s moving fast, moving fast, moving fast. And using hackers on keeping up with that, and that’s what they do. That’s what they do. So they they’re changing their pitch. They’re changing their angle and the change in the tech they’re using to try and compromise you. And now they’re attacking people as much as they are attacking technology. Why? Because people are easier. It’s easy enough to put in Tech, but it’s hard to educate people enough so that they understand and it’s hard to make them give a **** And yeah, that’s the an easy point of attack. So I love what Mike. I love what you’re doing. Love the education and I’d love to. To say more of that in more people doing that proactively, rather than reactively and the stop thinking, acting is a big deal as well, so when people are in autopilot, they don’t stop. They don’t think, but the other thing they don’t do sometimes act as well. So people are afraid to ask people for advice, or hey, should I be doing this snap out of that? Just talk about it. It’s like men don’t like talking about their feelings. Talk about your security or cybersecurity, right? I love you Rob. Talking about my feelings, I’m sorry. Sure, an appropriate time keep going. Are you OK? Day was yesterday by yeah you could. I’m gonna miss the yeah, the corporate virtue signalling anyway. So yeah, it’s it’s OK to ask people like you know if someone rings mean says oh hey,. I got this thing I’m not going to go haha. You don’t know what you’re talking about haha like I don’t care right? I just want the best outcome for people and most security professionals will want the same. So never be afraid to pick up the phone and ask somebody. So as part of your act process do that or look it up or taken action. That’s not going to put you at risk or it’s going to mitigate the risk, but that’s a really good point. Because you’re talking about corporate culture there, and that’s something that we like to bang on about is that if you have got a bit little someone when they ask a question, you’ve lost the battle like it. If someone says, hey, I’ve got a question you know, is this a scam or hey, I think I clicked on something and you beat them over the head with a book. Well, it’s like that goal.. You’ve lost them for good now and they will never be on site with you. But if you treat that as an opportunity to nurture them and reward them for doing the right thing, you’ve got them on your side. It’s such a big part of it. How people act absolutely absolutely. Now leading on from that. Speaking of acting and doing things and taking action. One of the biggest things from the technology side that people can do to protect them. Particularly argens business email compromise fishing is a big thing. I love Mike on his LinkedIn. Has no don’t click that right. So what happens? You know this is really easy. You get an email and they say hey do this click this thing you need. You need to download that or you need to go to this website and you need to check this. They click and they go. You need to log into whatever Microsoft Google whatever you put in your username and password and you go. Oh I didn’t go anywhere. It didn’t do anything. There must be something wrong with it. Too late you don’t, that’s it. It’s all over you’ve given it away if you don’t have multi factor authentication so quickly what it is. It’s a second factor or second form of identity. To prove that you are the one who’s authenticating. So as an example, you put in username and password and then it should send a little text to your phone. Or you might have an authenticator app, or you might have a security key. You might have hardware token, just a second factor of authentication. Go. Hey, it’s legitimately me trying to log in, so if you do put in your past username and password somewhere Dodgy and they get it and they try and log in, you get a little text on your phone going Ding Ding. You need to put in this code and you’ll be going well. I’m not logging in anywhere. So what’s going on here? Update your password problem gone right, email not compromised or your user account not compromised. So multi factor authentication is the biggest one. You know in terms of statistics more than 90% of hacks could be stopped just by using MF. A super simple stuff. Most applications have it turn it on for all of your applications. If you’re in the. Microsoft Stack it has it. If you’re in the Google Stack, it has it. If you’re in Amazon, it has it. They Australian government just released legislation saying that if you have your. Financial transactions in a system that the Etios said you have to have multi factor authentication turned on two factor authentication. You have to have that as legislated so this isn’t a you know. Some knew novel concepts. This is just something that you can turn on and your system support it. So my recommendation go find out how you can turn it on. If you don’t have it already or find a professional someone who supports your software or your IT provider. Ask him to turn on FA on everything. Not a hard thing either, as some people think. What I’m gonna have to be challenged every time I log in with the second method notes on you device is the first time you log in on your device or a new browser. You do it once you could like until you change to a new device. You don’t get charged again, so it’s easy going. Can I chime in there? Yeah, just as casual. That’s interesting group. I actually didn’t know that was legislated, but I did know that O made two factor authentication mandatory for all licenses, probably about. Would have been 6 to 8 months ago. I reckon that was obviously because of that legislation. ‘cause I was like that’s kind of OK, except that that that’s good, but I was like why are you forcing people to do this now? I understand why. Thanks, come from it. Makes a massive difference but not being breached, it really does and we recommend that wherever you can, general title and if the. Australian governments legislating it, you know Deb 10 years behind on everything tech related. So if their legislating that that’s how old it is. Yeah, I can appreciate why they’re saying that for financials, right? Because like in particularly for somewhere assistant like 0 like 0 is connecting through and uploading tax business taxation information directly to the tax office right? And super and super, that’s right. And so you want that information to be tickety Boo so so I can understand and appreciate why the government would see that right? Because? You know, I’m sure the Chinese would be interested in being able to hack into taxation and business information of that nature, so if they make that law then that makes sense. Yeah, absolutely, and financial fraud too. Yeah cool alright? Don’t look back to me now. I guess. I think I think one of the things that we come across. The awareness space quite a lot. Is the fact that people don’t recognize these five potential scam warning signs are pretty simple. First one is fear factor. This is massive and scams. Write that in the free lunch when you get this stuff. Peoples brains just don’t work. Logically they go into this almost fight or flight modes with the fear stuff anyway with the reward stuff you’re going on the garden you know or want something nice, but you bypass this rational thinking.. You just you do things I considered. Here click on stuff will get tricked. Curiosity is another big one in that you’ll get stuff that doesn’t quite make sense. And if you’re not suspicious about it and you go, what is that you want to have a look? And some of the stuff we received today? It gives us real sense of fear of missing out, and you really curious about it and you wanna open the damn thing and might be a PDF? Well, maybe not such a great idea. ‘cause even a benign PDF. Yeah,. I think it’s like an image based document, but that can hold some code called JavaScript. I can be like ruin your day pretty badly urgency as well. You know trying to just get people to do things quickly. Unconsidered crims know that Hey, we finish work at 5:00 o’clock or just before lunchtime and do this thing urgently and authority as well pretending to be the boss you know do it now or your *** is grass. That’s when stuff. But really, I think it’s almost in order of how prevalent these are. The fear factor is massive and people are aware of that. Like companies don’t do business like this. You know what sort of companies is? You know you’re gonna go to jail if you don’t do this, so it’s not a good way of doing business right? Everyone is respectful, so see that stuff. Just assume it’s a scam. Be suspicious and chase about, and then around the email stuff three simple questions to ask that that we find really help. Did you request the email? We are expecting the email and does the email make sense if one of those three things don’t add up then again, just be suspicious. Get on the phone. It like getting on the phone’s massive. Alright, it’s so good because you have their number. Or you can look up their number.. Don’t use number you find on a dodgy email, but just get on the phone. Make a phone call. If someone says, well, no, that wasn’t me, you just mailed it. You hit it out of the park. You could save your company and like countless dollars just with a simple phone call. It doesn’t take a lot of time, frankly. You know, getting on the phone ever check. Do you want to customers or something? It’s always good. Good touch point, you know so. It’s not a bad thing back to you Rob patching. How does this help with that? With the email for order? Patching, patching, patching. So we we all know what Windows Update is. We all love. Windows Update how it asks you to reboot your machine right when you’re in the middle of something really, really important. So patches come out from from Microsoft Patch. Tuesday, but patching for everything for all your software, right? So behind the scenes? What your software vendors are doing is they’re looking for potential vulnerabilities within their software and as things move on and as things progressed to identify new vulnerabilities, they. Patch those vulnerabilities with software patches right so that it so that people can’t hack your systems. Keep everything up to date. Just keep everything up today it’s it’s not hard. It’s not a difficult thing to do when you meet, but if you were just a basic end user right? And and you don’t know, OK, well is my system up to date on my applications up to date. I just don’t know do I have vulnerabilities? It’s pretty simple, managed services IT.. There’s a reason that that people move to that it’s because that’s what people like us too. So for us it’s super simple.. Write a 10 Bucks a device in months I will manage all that stuff for you. Don’t need to worry about it, right? Well, just make sure that all of your applications are up to date. We get reporting back on it. We can see all of that and we can make sure that those vulnerabilities are patched as soon as the updates come out from the software vendors. So really good stuff to do. Keep everything up to date I think just having to the it’s really important that people understand that when a vulnerability is first found, it is found by a good guy are bad guy. Right, good guy can investigate it and they can report it to the company. Bad guys can sit on it and exploit that vulnerability. In either case, when the company finds out about a vulnerability in their own system and they report that well, everyone knows about it, right? Good and bad. So until you Patch it, we’ve got this window of opportunity for the crims to have a crack. So did you see, did you see Mike? So the security analyst looked at this months patching that came out. And identified a Patch that was coming out for exchange and that Patch was basically identified a vulnerability where an email could execute code within the exchange environment. No one had to touch the email, it just hit the system and it could execute code within the. Exchange Server environment. That’s scary, that was that’s terrifying. There was a similar one with preview awhile back.. When you just preview an email and that could cause some grief.. Yeah, and they patched that of course, but that’s that’s terrific, and this is exactly why it Patch comes out. Slap it all and that muck around and that was public information, right? So what do you think every hack is doing right now? Yeah, exactly. Yeah, so the question for question for you Rob on this slide. So what are you? What’s the response to the CIO? Or no? Actually, it’s not the CIO. It’s the CFO or the CEO who says non we can’t do that. Patch because that’s going to break our business process because we did a test and it screws up our system so we can’t. ‘cause we got these legacy systems that were there.. They’re running our core businesses. We can’t do the update. Yeah, so that’s so.. That’s a mega challenging one. It’s it’s basically the you know. You run the old cost benefit analysis and just go OK, well, let’s let’s risk profile this bots. The chances that it’s going to happen. So if you look at the risk analysis and go OK, well, what’s the risk that we’re going to hit by this and then and then? What’s the cost? If we do, what’s it actually gonna look like? Yeah, break legacy systems? Are there always my? There was my favorite. I came from background in the software so it is Oh my Mikes getting into a moment. Just my mom and dad calling me from New Zealand. Turn Skype on the computer I forgot on the mobile my bed, yeah. Yeah, so looking at all they just they’re not going to leave you alone. Go Rob, sorry I’m gonna deal with us, that’s OK. Sorry Kyle, coming back to you.. Yeah. So always looking at at the risk you know and what’s what’s the cost going to be? So is it? Is it low risk or is it high risk? And is it low cost? Is it high cost to the business?. You know if we do get penetrated there and then if you’re talking particularly to see if I see if I was always my favorite, right? ‘cause they’re driven by balance sheet an you know risk isn’t a big thing, but cost is. So if you can pin a financial figure to it and just go OK well if we get breached and this happens. Here are the the potential things that could occur, right? So if they execute code might bring down a Mail system, which means we can’t communicate with our clients and if our sales team can’t communicate with our clients and potential revenue losses X the potential reputational damages X, it’s going to equate to a loss of X.. This is why it’s critically important for us to be able to. Patch this stuff now in terms of the business systems and the business processes that need to be executed internally, and what that looks like analyzing what’s going to break in that system. Of course there needs. You need to strike a balance as well as technologists. We always got.. You put the Patch on, put the Patch on, put the Patch on, update the system if it is going to break a critical business process, making the decision as to whether you proceed with that or not. Technologists in me always says proceed with the. Patch, mitigate the risk, but breaking internal systems and looking for a work around there. It depends what degree of impact that is as well, so it’s a good question and really, really hard to answer. I think it’s a case by case basis thing. Yeah, you’re right. Robert goes to the risk management and how they deal with risks and costs, and I think our was gonna unmute himself and and come back to me on that one. How was he so my arm? I’m not spying on your car. And for that purpose, but they. I totally agree. What I find in practice is that. The actual security, the security aspect of it, the security risk and cost thing is actually a really, really really good motivator to change legacy systems. ‘cause the thing what I found in my in my work is that it’s actually the people side of things is why people don’t update their legacy systems, right? So you get over that by saying hang on, you have a significant security risk because this is a known vulnerability. The fact that they’ve got a Patch. Tells you it’s a known vulnerability, right? So the Patch comes, you know, after all hackers know that they can get you this way. So so so that opens you up and the potential of that. Because it’s a, you know it’s a critical business system, so if you get hacked through that system that cost, you know as you would know when you do the cost benefit analysis there’s, that’s honestly, it’s not objective, it’s all about the assumptions that you make, you know so. If you’re clever business analysts like me, you, you encourage you make assumptions that make it clear that you need to make this change. Yeah, absolutely. You overcome that and you and and you deal with the The The The The business process problems. They’re always manageable, but when you get into the environment, I’ll **** I’ve been hacked. That’s not a place you want to be. You can’t. You can’t change the fact that there’s a vulnerability, but you can change the business process, right? So as always as a good be a, you know that you know we we can change what we do but we can’t change it. There’s a vulnerability and we can’t change if we get hacked. That’s that’s just it is what it is. So that’s exactly right, yeah, so so that’s really valuable. That’s actually the angle that I find is really has a lot of influence. Yeah, don’t know if you get the patching as a control, that’s a risk control. And there are other controls, so maybe you can do the Patch, but maybe you can implement some other tech solutions as well that would mitigate that risk to a satisfactory Level I guess. Alright look getting back to the people side of emails, there’s two things and emails that are the pain train. Immediately file attachments. If you double click on the file attachment and it’s infected with some malware or whatever, that’s it, you’ve done your toast. It done pretty much. The other thing is clickable links and clickable links we find are a massive vulnerability for people is so much misunderstanding around how to handle these things. Always use this thing. It’s literally just a poo hitting the fan straightaway year in trouble. So when you see those two things. Just take a pause, right? Just haven’t think about it again. Be suspicious. Stop think we act, and if you’re not sure I’d get some help. There are some other scam indicators as well, like asking for personal information when the from address does not make sense, but people should probably aware that it’s really easy to forward the Brahma. Trysts to make it look legit. You can, with taking him back to. Rob. You can’t block that stuff if you do a few things on your network. Imark, Demark, Demark, Yep, Yep. 5 common scam indicators. Again, you’ll find these things laced throughout the scam emails and phishing emails fee reward curiosity. Curiosity urgency authority.. Here’s a really interesting one. Poor formatting, grammar and spelling. This one only really probably got me hit around this or not too long ago. If someone is sending out an email to a million people trying to get in to click on a link right, it should bloody well look fantastic, like the fact that it doesn’t is because these guys are Muppets. OK, English is not their first language. OK, cool, but geez, how hard is it to? To do a good job, or at least someone to do a spell check for you so there’s no excuse, but good for us. We can see these these mistakes. They make. The interesting part is. If you get an email and it’s like the Nigerian Prince scam, or you know the, I’ve got $10,000,000 and I’d like to share it with you if you help me get it out of the country they actually will on purpose have poor formatting, grammar and spelling. What they want to do is pick up the most gullible people in the population. So if you don’t notice this, email sucks horrifically then you’re super gullible and they want to speak to you, right? So obviously that’s not a good place to be, and you really want to be picking up on this stuff.. There should be no excuse for that at all if you see that it’s a big indicator of discount, but did you know that? Just just Middle Earth, may. I follow you on LinkedIn? So involved in this conversation in you, but yeah, I just find that really fascinating and they do it on purpose in some situations. But I’m look the other thing, they should always say. Yeah, go for it. So I said programmer think it’s hilarious, right? Because? It depends on the industry, so some of my clients are in the construction industry. Where you got, you know, a number of sort of self made success stories that maybe only finished junior high school. And there you know they’re trying to get paid there sending out emails that sound really threatening to you. Know people who owe them money. And the emails on the face of it on the surface, they actually do look like scams ‘cause? The grammar, or the addictions?. Just. It’s just not necessarily what it ought to be. So I think that a really important thing is to kind of, I guess, have your five points of the star right. That that just because communication you received from somebody only kind of triggers one point and makes you think. You you really you do need to sort of explore the other points of the star too. That’s why we say get on the phone would be appalled to think that someone thinks they’re skimmer. Grammar was poor, right? Yeah, yeah, yeah. Wolfli or something? I’m looking right. You’re right, it is a sort of waiting this stuff up and hidden going. Watch the likelihood of it being a scam. And like I said right at the start kit on the phone like you know it’s gonna come from someone you know doesn’t make sense. Yeah, did you request that year? Were you expecting it? Yeah, you know it’s got some indicators that look at it. Dodge doubling threw everything away. That means if you’re unsure and you can communicate on the phone, get on the phone and just chase it up. Or if you delete it, what’s gonna happen there? Gonna Chase you up so you’re gonna find out another way. But yeah, you’re right.. Some people. That’s OK. Scammers like famous for it, but they generally do suck at this stuff, which is great for us. Oh yeah, the other thing is going to be changes. You don’t forget inconsistencies in email so. You’ll notice that like them, the from email address, the domain name in there. What match up with links? So if. I send an email that Mike from website stuff, it’s gonna have a link on it to some content on my website that goes to website stuff and you know the signature goes to website staff. You’ll often find that with the scammer emails that just copied some stuff from someone else is in the Mail. Or those three things do not match up at all. Over here Rob tick stuff. Tough. Put on anti virus and proper antivirus. Not not kids. Stuff that you buy retail by particularly your business by proper Gray business grade antivirus. There are some distinct advantages getting the business grade stuff. Uh, the scope of what they cover is a bit broader, so they got some cool functionality. All of the security providers released their best tech into their business grade stuff. There is a reason it’s more expensive, it’s it’s more expensive, ‘cause it’s better getting painful. You get what you pay for and the angle of the approach that they take is enterprise wide security, not just endpoint security. So you think about endpoint being your desktop maybe, but these companies that you can see here so so we do so far so I can. I can really talk about in a Sophos perspective. So far, you know they have a gateway Firewall, an all of their endpoints, which is your computer that have antivirus are connected to that right. They talk to one another and the reason that they do. That is because if you get ransomware on your computer? What you don’t want to do is infecting. The server or other computers in your network or being uploaded to to to share points in your SharePoint. OneDrive librarian, ransom wearing everything up there across the entire company right So what I will do is go. Hey this computers got ransomware and lock it from the network because it’s talking to the firewall so there’s some cool stuff that you can get. By putting in place some business grade antivirus solutions and security solutions, they make a big difference, so it’s a bit more investment, not much more. You’d be surprised at how affordable it is, but it makes a big difference if you do get that enterprise wide tech. Yep, and keep it up to date and. God keep it up to date. Pay your renewal. Download the updates.. Download the definition. Yeah, make sure it’s up today. We can sequences every year old. You’re not gonna do well. Cool thanks this is this is one that is close to my heart. This when we teach this section it blows my mind. That so many people still do not know this. When you have a lick, you hover on it, right? What it actually says website stuff.com dot AU. The Linker you’re presented with at least. It’s near CVS message which you can’t actually delinquencies where it’s going. It’s well with. This can pass that the hover is everything right. That is where it’s going OK. The link that you see initially before you hover means literally nothing, right? So people get confronted with stuff like this. It could be a bank or whatever you know you hover on it, cool comes up with something totally different.. This is I’d say 20% of people that we train still do not know that you need to hover and hover on everything right? We gotta link in an email, hover the damn thing, you’re on a website you know and trust? Hover on the damn thing and have a look at it because websites we know and trust get hacked. And what do they do? They want to change the links. OK so it’s a big part of. Study links that we actually see. Probably the other thing is now your destination, so if you get a link that says something like that Office 365 login you hover over. And it’s going.. There you go. Yeah, that looks alright. Well, is that actually correct? It may look alright but you know, do a quick search on this stuff. Office 365 login. Oh, I should be going to office.com you know. Kinda like multi factor authentication.. They need to do it once in less you changing the device matter rather but look office.com. That’s in your brain now, right?. You know. Next time I need to go to office.com. This is a dodgy link. OK, did you see much of that Rob that people don’t? Know about the horror. Yeah, I I do. I see it all the time and and people not not thinking about just not checking just it takes why just go. They just go and click don’t know because This is why my tagline says no. Don’t click on that ‘cause I see so much of this crazy it’s just I’ll be mouse over it just for a second. And for people who are only listening to the audio of this Mike as well, I might just explain what’s going on so you know my counter URL so. Aurora clickable link so I can tell ‘cause it’s underlined, right? You wave your mouse over it and it’s going to take you off to somewhere and it will show the actual URL or the address that is going through the web address that it’s actually going to go to so you know how you can have those buttons that say click here and when you move your mouse over it will tell you what website it’s gonna go to. That’s what we’re talking about and just even if it says you know for for Mike here at saying web safe staff.com dot AU he hovers his mouse over it. It actually says website staff.com dot AU, so you know that you’re going to the right destination. The second link is demonstrated is N ab.com dot AU, but when he waved his mouse over it and I love this, you is scamedsucker.com, right? So it’s actually pointing to somewhere else and it’s using the same sort of tech that you see for that. Click here or click this button or click button to register. Kind of like we sent out to everyone for this web and R. Which is, you know, ironic, I know, but you will click with trusted us. Will get back. Will get back to that. Yeah, it’s it’s a big deal and honestly is I I have to I have to pop in here. I’m sorry to interrupt, but this is. This is where it’s at. This is the biggest weakness right here in all of cyber security. In my life I work with small to medium businesses, helping them to upgrade their business systems right? I had a client that got hacked using this method. They lost $70,000 from from from a hack where the financial manager got access to the Microsoft Environment and they gave him the password right? And that and the hackers were logging into the Microsoft Environment and sending the businesses clients updates. Of banking details, so that’s and it happened because of this. The regular person doesn’t know how to read a URL. Sure, that’s OK. Oh yeah, I see, yeah, that that. This is where it’s at this, I know. I like it. I totally agree with you. This is a big deal. It is this is a big deal. Call Commission kickbacks from Mike. If you put him in touch with everyone. Workout a referral arrangement.. This is why I love my stuff. I love my stuff on LinkedIn because he’s trying to educate everyday people on this stuff like it some passionate about this. This is this is primary.. The reality is is this is primary school stuff right for for users of the Internet? Yeah, the regular financial administrator, the regular person who does financial accounts and bookkeeping. I don’t even know how to reality is as they don’t understand the URL and and and and hackers are clever, right? Because the reality is a hackers don’t have my soccer. You know you are a sucker.com. They have NAB forward slash like N ab-mybank.com or.net. That is exactly what I’m just about to show, yeah? But I’ll, I’ll get into the example ‘cause this talks exactly what you’re talking about when we teach this stuff, we show people how to re. URLs. That stuff is actually difficult, right? We? We take them through about five specific examples and build it up. I’ll just show you guys one example, but this is the way most people will get tripped, and this is what we build up to when we train. Here’s a link, right? We want to go to mybanking.com. So what are we gonna do? You hover on that, and that’s where it’s going OK? So that was the hover URL. And then I we show people how to read this stuff right? But just quickly for you guys ignore the stuff at the beginning right? Ignore HTTPS blah blah blah. But I will just say quickly. The reason this works is big because people read left to right, right? So they’re gonna read left to right and see www.mybanking.com and think we’re all good, right? So don’t do that, ignore the bit at the start. Go and find the first slash if there’s no slash, you go to the end, right? So he was gonna slash great.. This is where we’re working from now you look to the left of the slash and you looking for this domain extension as a symbol for. We build up to this so this is a bit brief but and this one here we’ve got dot info that one part in the domain extension itcouldbe.com dot AU. That’s two parts in a debate extension, but simple rule is if there’s one part to the domain extension, go left two dots. If there’s two parts in that domain extension like. Dot com dot AU go left three dots. So here we’ve got that info. One part of the main extension go left, two dots cool. So while this thing reading left to right goes to mybanking.com, when you apply the rules, that’s going to loginmount.info that that’s got nothing to do with my banking.com. This is really easy to do for a scammer because they register logannow.info. They slap some folders on there in their website and in the in the files and folders like. That’s what websites are files and folders and database and they just run a website out of this my banking thing and you can’t stop that. But this is massive.. This is where we find we teach people and you just see the light bulb moments go off in their eyes around the room that’s done and then the kind of freaking out ‘cause it going.. Holy **** we been clicking noise years. It’s quite confronting to a lot of people that stuff so. Count is that that’s what you’re talking about, right? 100 percent 100%. So it’s it’s a big deal relation to that as well. Shorten URLs. Another way to trick people. You know these Bitlis and things you know you can turn a long link into a short link, right? But when you hover on that thing, it doesn’t tell you where it’s going. It just gives you exact same information, so you know a lot of these links that were centralny shorten URLs.. Something will do well even if you are offering on them. You don’t get any information,. So what we always say is just expand them out. I personally is checkedshorturl.com you plug it in at the top here with little lazy plug it in at the top you click expand. It tells you the long URL. Then you can read it and then you can make a decision whether it’s safe. So yeah, it’s good to know that the other great one at the moment. So while others Q are codes. These things are all over the place. Trying to have some issues with this stuff ‘cause these are short near else this is a link to a website and if you take your phone you just hover on that and you get taken to a website. How do you know where you’re going and how do you know what’s on that website? So Nicole, you probably not a big fan of QR codes together. No, not a fan, no, and it’s, you know we are presented with a lot of them at the moment. Add restaurant to go sit down and take a photo of these QR codes and I’m just like. Concern that I have because I actually see malicious actors, potentially excluding small businesses. You know, and even treating them in a real, legitimate way. Saying yes, hey, dudes use my use our use our product, use our code, send your customers there, remembering that that sort of not all crime is about directly stealing somebody’s money, but it could be about just hiving off there. Their personal information or gathering data about them that they wouldn’t otherwise give, so that does that. Does worry me in sort in the covid space. I would love to see city based Chambers of Commerce may be getting behind one or two providers. Where? You know, they’ve said, yet we vetted this provider. So if you go into a restaurant in your *** to hover over QR code for the purposes of contact tracing that that you know that that’s legitimate, and then someone’s gone to some extent to find out about this company who they are, where they store their data, who they sell it to, and all of that. One thing that I’m noticing from a privacy perspective is a lot of people will will go to this exercise because they are required to, but then they end up being marketed to or contacted in some other way that’s outside of their reasonable expectation. Not sort of in the realm of cyber crime necessarily, but it’s unsavory, right? Doesn’t help build trust the issue I have around these things as though even, even though you could have some bidding process to say, yeah, we’re all cool.. We’ve done the right thing. May is A is a scumbag could print my own QR code, make up a Dodge website with some malware on it. In counts in the restaurant, stick it on the table and stick it over there.. QR code, but you can go to any pub in Sydney and do that and you’d get 1000 people much more than their covid safe limit they been getting busted left, right, and Center. Much more than just go and sign up. I don’t care about their privacy that, like, yeah, I’ve been drinking. Let’s go on. Sign up for stuff like. I’ve had a big problem with this. I’ve been talking about. It was. Is a lawyer. We went out for lunch Saturday. We’re like where’s the privacy policy like we used to remember when we would hand right into a book and. I’m like they literally want me to put my mobile number and email address. And you know. They want to know what what brand of car I have, and you know what my password is and like why you asking for this and and the and I sought 50 names and 50 mobile numbers and email addresses and it’s like there’s there’s no thing about privacy. There’s nothing about marketing consent to think about anything, and I’ve already received stuff from them. Yeah, it’s it’s a real shame it needs to be a lot better. The difficulty though there Rob is, is that if a business isn’t required to comply with the privacy law, they are not going to have a privacy policy or they’re going to just avoid that. This kind of an extra detail that they just don’t have the money at the time for. So unless businesses have a $3,000,000 turnover or more, or they collect health information which you could argue collecting the kovid safe data now that collection at the door of name, address, etc because of the purpose for which is. Collected you might be able to argue that they are collecting health information about a person you might be. Be able to hurt you, Yeah, but. Even so most of like you know the nail salons. The you know the hairdressers, the cafes, the pop-up food trucks, you know these guys are not going to be across their lawful obligations around privacy and it really. I find it really disappointing that you’ve got companies that are marketing to them and saying hey here, use our product because it looks good from a community or consumer trust point of view. But the company using it, the food truck or the hair salon they don’t actually have the nouns to back it up. In terms of privacy practice, right? So they can click the link in a Safeway an maybe secure it in a somewhat Safeway, but all the other elements of privacy law that they should be complying with, let’s say around transparency as an example or not further using that data they are not going to have the ability to do that. I’m just a plug from the call.. If anyone’s interested, she’s definitely one of the high profile privacy people around Australia with ground up consultant. So if you wait privacy concerns and we connected on LinkedIn, Nicole. I don’t think so, but I’ll click. I’ll connect with you now, so Mike, did you put in a marketing consent on registering for this web and R by the way? Or yeah. Yeah, very. And you know, I don’t know, I don’t know. So for people who don’t know, can I add let me? I want to add something else to this conversation here that I actually hadn’t ever thought about this until and until you have until you have mentioned this. But can you just go back a slide there? Mike the back to that QR code. Alright, let’s think about the hairdresser or the nail salon manager that Nicole was referencing there.. They see that thing right now. Every single to human, every single QR code looks the same. Now. Do you know? Do you know who else uses QR code in a very legitimate security way? Google Authenticator. If you if you want to set up your two factor authentication on Google authenticator, it shows a QR code on the screen. Microsoft and Michael and you and you and you point your camera your camera on your phone right now from a human from a human perspective, the human psychology perspective is, well,. I’m doing this with Microsoft and Google. Therefore I’m thinking Q are codes are safe. Man, I didn’t realize how much of a vulnerability this just introduces to you was one of the things we do to cyber security. Yeah, let’s consider going to a trade show and these things are up on the walk saying scan this to get your free. You know trade show pack or something. This stuff is so easy to do it like they like. These Q are codes are like I live in Blogger in New South Wales and I can tell you a cyber security is not a thing in Waaga Waaga in New South Wales and every single cafe has a QR code in it right? This is you know, make sure you log with your covid safe app and you know if a malicious actor. They could easily just replace that just. Just take the cafe one off and put their own one there and they could be collecting all the all the details. Look at you giving your email address and your phone number. I’ve got Internet information. So.. Yeah, this is. Maybe I’ll send. A false sense of security or an elevated and elevated sense of security, when in fact they shouldn’t necessarily be trusting on the face of it. That you know whomever has provided the QR code is is trustworthy or reliable in terms of what’s going to happen to their data. I mean, that’s that’s an issue for me, right? I know if I see a QR code in bus stop, I’m not going to scan it ‘cause I don’t know anything about it or the provider of it, but that’s me. I mean, I’m a privacy professional and do that kind of thing for living. I think like that for a living, but but other people might say Oh, QR code. I’m going to scan that and see what I can get. Maybe the there’s a coupon that I can redeem, or a sweepstakes that I might win. Right, yeah, This is why I do what I do. I think I would say Nicole. That’s even more simple and that is that like in an environment like the covid like the kovid thing is that when you go to the cafe and you have two and a cafe owner saying You have to scan the key that the QR code because otherwise the police are going to come to my cafe and they go. You know they’re going to order me to make sure that. I’ve got 2. I’ve got my my list. This happens, no. This is the cafes here in country NSW. This is happening in Alright so and they’ve all got Q are codes right? But I can I’m very confident it when I say that the cafe owners they not really monitoring that they’re just doing it because they have to. Not because they want to orcas.. They even know what’s going on. So if someone actually snuck in and switched over those codes You know there there’s no. There’s no way that’s gonna kick get captured. And everyones actually they’re doing the QR code ‘cause they genuinely think they’re actually doing the right thing. Alright, so yeah, they think it’s they think it’s more appropriate for records management to write, but that by doing everything electronically that the dad is going to the right place in a secure way quickly as opposed to, you know, being on a list that we can all see. Did anyone can take a picture up? I think we should probably keep moving on ‘cause they are removing the codes for this, but it’s good that you guys have got some questions around this and getting some awareness around the issues around this stuff which is great. Alright, what else? We got robbed in Eurospeech about this one. This is so this is the process. Side of it, maybe we both speak to this. Rob is still there. Oh God, he’s actually gone. Hello know Rob is not here. He’s gone. Gone, you’re going to hear you come for more than an hour you’re taking too long. I don’t know what’s happening.. Hopefully he’ll come back look, I’ll briefly speak to this were nearly gonna we’re gonna wrap up pretty soon. If someone you accompany you deal with has their email hacked, that’s a big deal. If they can download all the emails and see the communications to you then they can craft an email to you that is believable and that’s a massive problem because you know, did you request? Did you expect it doesn’t make sense?. Yeah, yeah yeah, you’re gonna get. You’re not going to be suspicious. So this takes next level suspicion to look for anything that can be wrong.. Maybe you know the grammar is slightly out, or you know the timing is slightly out. Typically what they’re gonna do is try and send through a scene through him. Just let me just check. No, he’s not. He doesn’t come back in the waiting room.. Typically they’re going to try and send through a invoice and hope that you pay it so from the process side, the really important part here is to say for any new or changed information. Coming into our business that can damage that business, we confirm it.. Typically with a phone call. So hey, if you get an invoice and you’ve never paid to that bank account before, that’s new information. So get on the phone. If you get an invoice and it’s gotta change bank account in there, that’s changed information. Get on the phone that really there is gonna stop you from getting smashed with a fraudulent invoice. It’s it’s really that simple that that’s the basis of it. You can do a bit more around that, but. I know that would have helped out a lot of companies that I have come across. Um? Backups of Rob’s, not here. I’m going to speak about backups and all cool with that. Just back his stuff up if you’re not already cool with this stuff, there’s things you can do around regimes. Gran father, father son 321. Look into that stuff. Make sure you backup so disconnected they call it air gap. Some people say that’s not a thing.. It’s not possible, but look at the end of the day. Get your backups done. Make sure you can restore from different points in time and keep your weeklies and monthlies and yearly’s. And if something does go wrong, at least you got your data that you can get back. It’s just a massive thing. Test your backups are working. Trying to restore the damn thing. You know there’s no point having the backups running and then when you actually go to need them,. You can’t restore them where you found that they weren’t actually running. And this happens a lot and it’s the downfall. Very many companies unfortunately. It’s the inch. Don’t know if you got questions, but probably quite a few three decisions, so I think we’ve done alright. Are you guys going? That was really great. You guys, thank you. Thanks for attending. I hope you guys got something out of it and thanks for your input. That was really good though. Some really great discussions there and and good input so appreciated that. But yeah, until next time or next beverage or next lunch. Thanks for tonight, thanks very much mark. I really appreciate. I appreciate that I did get a few. I did get a good some good stuff out of that but I I I want to take double check ‘cause we haven’t I I know you’re online.. We are connected on LinkedIn. And no we haven’t met but I do want to say keep on doing what you’re doing because it is making a difference and your content is really good. You are one of the very few people on LinkedIn who doesn’t promote themselves who actually generates. LinkedIn is full of people promoting themselves and Ann just trying to sell their own **** You’re actually trying to educate people on something that’s really important, so I love your stuff and I think you’re doing a great job and I just want to give you a bit of Kudos. To say, keep on doing it ‘cause I I can appreciate can be, it’s probably a pretty hard might feel like a pretty hard slog for you at sometimes, but look my brain works in mysterious ways and I do like to keep things interesting. I find hey look, this is Rob’s coming back. Hang on, I’ll finish. Participants should have given the kudos friend Rob was there. Maybe I need to do it again.. Look, I will just say that this is a very boring topic for most people. Most companies they literally start talking about this stuff and they switch off. And if you can’t talk about this in a simple and engaging and funny way, you’re wasting your time. So and I am passionate. Listen, I want to share my knowledge English. I’m always seeing more seeing ways to relate so I’m security awareness to general life as well so. I’ll just throw out right on that stuff so nicely it’s appreciated. It is, I appreciate it. Thank you. Again, thank you Rob as well. That was, I thought that was great. Rob’s back so he can have a couple of parting words, and then we’ll wrap up. Yeah, thanks everyone so we can know I’m on headphones. I’m in a different location in the house now. The NBA and the no Business. Network decide to let me down, so I’m tethering from my phone, so thankfully our do get good. Good Wi-Fi on my phone. Well, we finished down. We spent the last five minutes talking about how crap you after jumping off their fair and reasonable. No, it’s a It’s been good and look it’s it’s been really enjoyable. I’m glad this was so casual. Thank you for those of you who turned up to join us.. Really appreciate it was nice to meet everybody. That’s here that. I don’t know. Always good or and a pleasure to see those people that I do know and Mike we need to do this again man. Well, this is recorded so everyones gonna hear it in post, podcast and video form. It will be shared everywhere. Everyone who’s in the meeting will get marketing emails from me. Oh, just in case nobody was looking. Sales and marketing guys, so. I’ll definitely add you to that many list. It’s OK like you guys so it’s all good. Well you know you can reciprocate, I think by coming as a double act on the privacy matters podcast that I do for smart cities in critical infrastructure. Love you, my can come and talk about cyber for for employees that work in that space love too. I would be. That would be really, really great reciprocation for all the marketing. Alright, I will. I’ll take you up on that. Sounds great. Gonna have some dinner or not at you guys, but my liquid diet is not sufficient. I’m shading actually saying the case for me, Mike, appreciate it. Thanks very much, Mike and. Rob for just doing it. Even it was a small crowd but it was like. High quality crowd image.. More crowd is 303 hundred people on this issue. We were talking about. Exactly exactly alright, thanks. Hi.