About IndikaWimalasiri

This week is # StaySmartOnline Week. The campaign aims to reverse the threat of cyber-crime by empowering people to discuss and own their cyber-security. Over the next few days we’ll be sharing a number of best-practice resources to assist you, here on Community and on PEXA's social channels.   ... View more

Security Advisory   Every now and again we come across security issues that can impact you at home. There is one that is making some noise in the security world. The new virus/malware discovered can infect your home or small business router (the box that connects to the Internet). It’s called “VPNFilter” and the estimated number of infected devices is around 500,000; in at least 54 countries.   Read on to see if this affects your internet box (router/modem) and what to do to protect yourself.           1. How does this affect you? If you have a router/modem from the following companies, it’s suggested you review your vendor’s update steps. Vendor Action to take Telstra No action – Telstra reports that your modem is updated automatically Linksys Follow the vendor directions Netgear Follow the vendor directions MikroTik Follow the vendor directions TP-Link (TP-R600VPN model only) Follow the vendor directions QNAP Systems Follow the vendor directions            2. Can I learn more about the VPNFilter issue? If you would like to get into the details, follow this link (https://blog.talosintelligence.com/2018/05/VPNFilter.html)          3. Is there anything we can do to be secure? A few helpful tips to keep your home devices secure are: Always change the default password. Put a password on your home wireless network. Use a strong password with at least 8 characters, a combination of upper and lower case, include numbers and special characters such as @, #,and !. Use a different password on your PC, to your email, to your work, and so on. Make sure you update your software regularly so that security patching occurs.   If you still have questions, email security@pexa.com.au ... View more

Dear Members,   Below is an example of an actual phishing email for awareness purposes. Please take a moment to look at the pointers to understand how you can be misguided by a hacker. Being on top of this can help you to stay safe online. Remember, one click is all that matters to open the door to whole new level of issues.       Here are few helpful steps and questions to try/ask yourselves before clicking on any suspicious/unknown email. Reputable & legitimate organizations:   Don't request your sensitive information via email - Legitimate organisations do not send you emails asking you to download certain content e.g. utility bills, gift card link etc. or request you to verify your account details by clicking on a link.   Don't call or address you by a common greeting - Most of the time it will not include generic greetings e.g. "PayPal User", unless it’s advisory and openly available information.   Have their own email domains - Don't just look at the person's name sending the email. Check the full email address including the domain to make sure it is actually from the organisation represented, as most of the time they'll have their own domain. Hover your mouse over the email to verify this and make sure there's no additional numbers or special characters attached to the address. If there are, it is most likely a phishing e-mail.    Don't make grammatical errors - Spelling mistakes and bad grammar are key giveaways that it's phishing.   Don’t force you to their website - Most of the phishing emails contain multiple hyperlinks to maximize their chances of you clicking on one of them.   Don't send unsolicited attachments in the emails - Attractive attachment headings are another giveaway that it is a phishing scam. Another common case is utility bills or any other public event happening around the same time. Scammers use these events or news items to grab your attention and potentially to get you click on the links.   Send legitimate URLs - It may look like it is but it may send you somewhere else. Hover your mouse on the link (do not click) to check the link is actually legitimate and does not represent a different suspicious name. Always type the URL into your browser rather than using links on emails if you want to access the website. Don’t trust the email, instead call the sender to validate the request.   I clicked on it... Now what happens?   If you click on a phishing link accidentally, it does certain actions behind the scenes which you cannot see. These actions could be anything from a simple add popup on your screen to a stealing of your personal/customer data. So, if you fall into this category, speak up and seek help by contacting your internal security professionals or IT partners. Sending phishing emails and inviting people to click on these links are by far the most successful way for organisations to experience data breaches.     if you find any phishing/spam material referring to PEXA, please forward it to security@pexa.com.au     ... View more

Dear Members,   Forwarding suspicious emails to security@pexa.com.au   We have made changes to our security configurations when you forward a phishing/suspicious email to PEXA via security@pexa.com.au Previously when you forward an email to security@pexa.com.au with potential malicious content it denied successful delivery and often you would have received a delivery fail/bounce back message. But not any more.... Now you can click the forward button on the actual malicious/phishing email and send directly to us via security@pexa.com.au without the email being blocked.   It is important members forward us the actual email to PEXA instead of trying to send it as PDF or a Screenshot of the email.      Thank You.   PEXA Cyber Security Team       ... View more

How to Spot a Phishing Email    The typical phishing email will contain a concocted story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. In an email, there will be links or buttons that take you to a fraudulent website. The fraudulent website will also mimic the appearance of a popular website or company (in this case PEXA). The scam site will present you almost identical login page looks like PEXA waiting for you to login with your actual PEXA login credentials. Where malicious party able to collect your credentials and then they can re-use this to login to PEXA or sell them on the internet. If you felt you have accidentally just did that then your next best option to change the PEXA password immediately.   How to Protect Yourselves? Whenever you get an email about your PEXA account, or a workspace needs action the safest and easiest course of action is to open a new browser, type https://www.pexa.com.au/ OR https://workspaces.pexa.com.au , and log in to your PEXA account directly. Also you can call your known contact which appears to be sent the email to validate. Do not click on any link in an email that requests personal information.   How to report a phishing email ? Follow these steps:   Forward the entire email to security@pexa.com.au .  (Refer to "How to forward a phishing email to PEXA") Do not alter the subject line OR forward the message as an attachment. Delete the suspicious email from your email account. We’ll let you know quickly if the email is legitimate. Your vigilance helps protect other PEXA users.   A genuine PEXA email will never ask you for Credit and debit card numbers      Bank account numbers Driver's license numbers Email addresses Passwords Your full name Further steps to protect you from Phishing   Monitor your PEXA account. Check your account periodically for suspicious activity. If you notice unauthorized use, report it to us. Be smart about your password.Change passwords often and use unique passwords that include letters, numbers, and symbols. Keep security software current. Update your firewalls and security patches frequently.           Below is an identical looking malicious PEXA website.   ---  END --- ... View more

Risky behavior exposing you to data leakage   Here’s an simple opportunity to check whether you’re exposed to data leakage.   Do you find yourself guilty of the following?   I don’t keep my software (apps, browsers, etc.) and my operating system up to date by installing updates as soon as they’re released. I don’t use antivirus and additional layers of security that can protect me against second-generation malware. I don’t pay attention to password security and I reuse passwords. I use public Wi-Fi networks for online banking and online shopping. I frequently share personal details on social media or in emails. I don’t use two-factor authentication. I don’t have anything to hide or nothing valuable that cyber criminals may want. I open emails from unknown senders. (Remember your emails have pretty much the full digital print of your life. You have your Driver’s License, Passport, Bank Account details sent to an authority or another business. Don’t you?) I download and open attachments from unknown senders. I am just a small business and no one is interested in what I do.   This is not meant to be an incriminatory interrogatory, but rather a way to evaluate your own cyber security practices. You may find out that your online safety measures are inadequate, but that doesn’t mean you can’t make a change for the better. ... View more

Dear Community Members,   Staying secure online has never been as challenging as it is today. There is so much at stake as we all embrace more of the digital revolution everywhere around us. Cyber Security has been well thought out from beginning here at PEXA and we're extending some of our handy tips to our members through this space.   Visit the new space created for Online Security in the Help Centre where we collect and publish all our cyber security related materials. Please feel free to browse the content and apply them to your everyday work. We will keep adding materials of interest to keep our the community up to date with Online Security.   Enjoy.     Indika Wimlasiri Senior Security Advisor at PEXA.     ... View more

  Spam and what is it? Spam or spamming is big business and a mechanism criminals use as well as marketing companies to get your attention, or to convince you to click on a malicious link. Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email.  See below for a few tips  to reduce the number of spam emails you get.   Enable filters on your email programs Most internet service providers (ISPs) and email providers offer spam filters, however, depending on the level you set, you may end up blocking emails you want. It’s a good idea to occasionally check your junk folder to ensure the filters are working properly.   Report spam Most email clients offer ways to mark an email as spam or report instances of spam. Reporting spam will also help to prevent the messages from being directly delivered to your inbox.   Own your online presence Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information.   ... View more

        1. MAKE YOUR PASSWORDS STRONG Short and simple passwords might be easy for you to remember, but unfortunately they are also easier for cyber criminals to crack. Strong passwords have a minimum of 10 characters and use a mix of: Uppercase and lowercase letters Numbers Special characters like!, &, and *. # (Using a special character in your password will increase the difficulty of breaking it significantly) Use passphrases Criminals often perform password brute force attacks, in which a computer program tries to guess every possible password combination to match your password. Using passphrases will significantly reduce this attempt.  What is a passphrase? A passphrase is collection of words that is meaningful to you, but not to someone else. For example: "horseswimminghigh#" is 18 characters long. Depending on the systems you access, you may be limited to a defined number of characters.   2. CREATE PASSWORDS HARD TO GUESS   Avoid using personal information such as your children, partner or pets name, favorite football team or date of birth as your password, as they can be easy for others to guess and for computer programs criminals use to guess passwords.  When trying to hack into an online account, cyber criminals start with commonly found words and number combinations. Here are some things to avoid using: Dictionary words A keyboard pattern like qwerty Repeated characters ( ex : aaaaa) Personal information such as your date of birth or driver’s license number   3. CREATE UNIQUE PASSWORDS EVERY TIME If you need to reset a password, don’t just change one part of it. Instead of changing a number at the beginning or end, create something completely new you’ve never used before. Get into the practice of changing your password often, ideally every few months.   4. DON’T SHARE PASSWORDS, EVER. Never share your password with someone, not even with someone you trust or in the family. What if a business or company I know asks for my password? Reputable companies won’t ask you to give them your password over the phone, via emails, or SMS messages. This might be a warning sign of phishing or a scam. PEXA will never ask you for your password or PIN; either by email, SMS, over the phone or at a branch.   5. DO NOT USE SAME PASSWORD FOR ALL THE ACCOUNTS AND SERVICES This is a common mistake a lot of people make. Using different passwords means that if one of your accounts is breached, criminals won’t have access to other accounts that use the same password. If a criminal has access to several of your online accounts, it increases the chance that they may impersonate you to your online friends, or businesses you deal with.   6. STORE PASSWORDS SAFELY As your online presence grows you may have many accounts with different passwords. You can store these passwords in a password manager. There are many password manager apps available. Almost all of these password manager solution allows PIN access method to make it more secure. If a web browser you are visiting asking you to save your password think twice whether you want to do that. This is not a good practice. Do not allow web browser to save your PEXA account passwords.   ... View more

Keep Up to Date with Software and Applications – "Known as Patching"   No matter which phones, tablets, laptops or computers your organisation uses, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software. Doing so is quick, easy, and free.  Smart Phones/Tablet Manufacturers and developer owners frequently release new updates to their products. The purpose of updates are to update the device with new features and to also fix newly found vulnerabilities. Staying up to date with updates is critical to staying safe online. If you don’t apply these regular patches to you computers, tablets and other smart devices then you are at high risk of being a victim of online scams and frauds. All devices have a limited lifespan. When new updates cease to appear for your hardware or software, you should consider a modern replacement. If you don’t wish to manually update there is an option to set it to “automatic update” which will require no action from you when a new update is available.   Happy Updating ......     ... View more

  Our lives are increasingly dependent on the internet and our digital devices. Digital copy of our lives always lives on these devices. Our personal data is a big business for some organizations. On top of that cyber criminals are increasingly interested in your personal data so they can impersonate you and use your details to carry out illegal activities. This is the main reason why we should think twice and take effective actions to secure our digital devices.   This article provides few tips how you can be on top of this. Set up a password, pass-code, PIN or fingerprint/face-id to lock your devices especially mobile devices. Keep your devices up to date at all time. Think about setting automatic updates. Enable automatic screen lockout after a set period of time. Develop a habit of deleting your web browsing history regularly on your mobile devices and other browsers. Enable remote locking and remote wipe capabilities on your devices. This will greatly help to take action in case you have lost the possession and control of your device. Be vary of public Wi-Fi spots specially the free offers. – Wi-Fi is a great tool for criminals to lure you in to traps so they can get easy access to your data. Switch off your Bluetooth when not used. If you don’t use Bluetooth regularly it is recommended you switch this capability off on your device. Be mindful operating your device in crowded places. Shoulder surfing is a good technique cyber criminals use. Shoulder surfing refers to looking over your shoulder as you type in our password/PIN/financial details to try and capture them. ... View more

  Video provides information security awareness in and around your workplace. Simple tips how you can create a secure working environment for yourself and colleagues around you without any technical controls. Video runs just over 2 minutes.   ... View more

Video provides great insight in to Phishing attacks and how they are conducted. Video is just over 3 minutes and would be helpful to identify and defend against these sort of common attacks. ... View more

Protect Yourself with these STOP. THINK. ACTION   When in doubt, throw it out Links in email, tweets, posts and online advertising are often how cyber criminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.   Think before you act Be wary of communications that asks you to act immediately, offers something that sounds too good to be true, or asks for your personal information.   Make your password a sentence A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!   Unique account, unique password Having separate passwords for every account helps to protect you against cyber-criminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.   Lock down your login Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.   Awareness Be generally aware about the issues, incidents, current affairs happening in the world. Cyber criminals try to take advantage of these events by using them to grab your attention.  ... View more

  Have you ever received an email that looked like it came from a colleague, friend, employer or your utility company? Did you think twice before opening it or clicking on the link in that email? No matter the controls we have in place there might be a time when one weak link provides an attacker access via a malicious email. A malicious email can look like it comes from someone you know at PEXA, a Financial institution, an e-commerce site, a government agency or any other service or business. The email often urges you to act quickly, because your account has been compromised, your order cannot be fulfilled or there is another urgent matter to address.   If you are unsure whether an email request is legitimate, try to verify it with these steps Contact the company or the person you know directly – using information provided on an account statement, on the company’s official website or any other previous legitimate official transcript. Search for the company online – but not with information provided in the email. Read it carefully. Most likely you will see grammar or spelling mistakes. Watch out for anything asking urgent action. Requesting urgent action is a common phishing technique. Hove your mouse pointer over the link provided (do not click) and it should show you the actual web address its trying to take you to. Most of the times these are malicious websites created just to infect your computer just by visiting them. What to Do if You Are a Victim Report it to the appropriate people within the organization or your IT & Network service provider, including network administrators. They will be alert for any suspicious or unusual activity. If you believe your financial accounts may be compromised, contact your financial institution immediately to take actions to protect your accounts. Watch for any unauthorized charges to your account. Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Centre. ... View more