About IndikaWimalasiri

  Dear Subscribers, The Australian Cyber Security Centre (ACSC) has published an  alert to the industry , noting it has observed a growing trend of cybercriminals targeting the property and real estate sector to conduct business email compromise (BEC) scams.   Typically, cybercriminals will impersonate parties to a property transaction (such as real estate agents or conveyancers) and insert illegitimate bank details for settlement or rental payments. Victims assume this request is legitimate and will unknowingly send ­payment to the cybercriminal’s bank account.      What do these emails look like?   These fraudulent emails may come from hacked email accounts, or cybercriminals might register domain names that are similar to legitimate companies (typically by swapping letters or adding additional characters).      They might also create email addresses with Gmail, Yahoo or Outlook that use the legitimate business name. At a quick glance, an email address may look legitimate when it is actually being operated by a cybercriminal.     Cybercriminals are targeting all parties involved in the real estate sector, with a particular focus on impersonating conveyancing lawyers and communicating with their clients. Cybercriminals are also singling out mortgage lenders in order to intercept property settlements.   Below is an example of a  fraudulent  email received by a PEXA member.       Best practice   When communicating via email, please ensure to take the time to review the legitimacy of the communication – and if you’re unsure, please contact PEXA Security.   However, the use of email is strongly discouraged for exchanging bank account details – this is NOT a safe channel for the communication of sensitive information.   Instructing your client to provide their bank account details via email directly places you and your firm at significant risk of a cyber-attack.   Subscribers are urged to verbally confirm bank account details with clients before entering them into the PEXA workspace.     Support for you   We highly recommend you make use of PEXA Key. This free app has been specifically built for the industry to eliminate the risk of email phishing and enables clients to provide their bank account details to their legal representatives safely.     If you believe you have clicked on a malicious link or downloaded a suspicious attachment, please reach out to us at  security@pexa.com.au  and we'll be happy to assist you.     Thank you. Indika Wimalasiri Senior Information Security Manager - PEXA ------------------------------------------------------------------------------------------------------ Please note that PEXA will never:   Call you from unverified phone numbers. Ask for your multi-factor authentication code. Request files or information from you via a third-party service. Email you from unofficial addresses (emails that don’t end in @pexa.com.au). Send you an email advising you to click a link to log in to the platform. ... View more

Dear Members,   We have been notified scammers are purporting to be from the Australian Cyber Security Centre (ACSC) are calling and emailing the Australian public attempting to trick them into installing malicious software on your computer devices. ACSC is attached to the Australian Government Cyber Security Division. ACSC does not approach the Australian public for such activities hence any calls, emails, or text messages pretending to be coming from ACSC requesting to click on links should not be actioned. The recommendation is to delete them immediately and notify ACSC on  1300 292 371 (1330 CYBER)     More on this can be found out on the ACSC website or through the URL below.   https://www.cyber.gov.au/acsc/view-all-content/alerts/phone-and-email-scammers-impersonating-acsc   As always verify the source before actioning on any information received via digital channels to make sure you are getting it from a verified reputed entity.   Thank you.   PEXA Security Team. ... View more

Dear members,   PEXA would like to advise that we have reported instances of malicious parties, purporting to be from PEXA, reaching out to members and their clients via telephone.   In these cases, the caller requests that the member and/or client “opt in” for financial services related to PEXA Key. Please note that PEXA does not have any such opt in or opt out functionality built into PEXA Key. PEXA Key provides three core services:               A secure channel for communicating bank account details Notifications providing your clients with a countdown to their property settlement Settlement tracking and ‘what to expect’ information   Any requests for account details are securely completed within the app or actioned by the practitioner within the PEXA Exchange.   Additionally, PEXA does not use or authorise any third party to contact members or their clients regarding PEXA Key or any other PEXA service.   Legitimate communications from our team will be delivered from email addresses ending in “@pexa.com.au” or via our PEXA Support Centre: 1300 084 515.   As always, do not act on any unknown phone calls, emails, text messages. If you are unsure of the caller ID, hang up and redial the number. Further, do not click on links or open attachments in any email unless you are sure of the sender’s authenticity.   If you encounter suspicious activity, email PEXA’s security team at security@pexa.com.au and we’ll kindly assist.   Thank you. PEXA Security. ... View more

Reduce your cyber-security risk significantly by implementing these simple steps     2020 has been one we never thought it would be. The ongoing global COVID-19 pandemic is forcing us to change our ways of work. Today’s technology provides great flexibility, enabling us to work from anywhere, with many of us presently using our homes as our primary places of work. Let’s refer to this as “remote working”.   Remote working has been part of our lives for some time, but never previously in the capacity it is today. There are reports that people are spending more time on work than they were doing pre-COVID in the office. Employees tend to use multiple devices to get work done while managing other personal aspects of their daily lives during these times. As we increase our use of mobile devices to continue to work and connect, there’s never been a more important time to be diligent in securing our devices. With the convenience of remote working comes the challenge of protecting against parties with malicious intentions to steal your information or cause damage to your professional/personal lives.   The Australian Cyber Security Centre (ACSC) is the Government agency that provides guidance to the Australian public on cyber-security and increases awareness of cyber related matters. PEXA is a proud partner of the ACSC.   There’s lots of information in the public domain covering the what and why of cyber-security but not so much clarity on the how. To address this, the ACSC has put together some very simple, but very important step by step guides on 12 cyber security controls to immediately assist with reducing the cyber-security risk to you and your organisation. These are explained in an easy-to-understand format – focusing on actions such as updating your devices across multiple device/operating system types to backing up your data and enabling two-factor authentication on your applications.   Please use the safe link below to access this information and also take the time to share it with your family and friends. Together we can create a cyber-safe environment for everyone.   https://www.cyber.gov.au/acsc/individuals-and-families/step-by-step-guides   Here are some key recommendations for you to stay secure:   Keep your devices/apps up to date at all times Keep a backup of your data (it is very easy to backup data now with cloud storage services) Be aware of the website and the apps you use. Delete the apps you no longer use or require Remain vigilant on emails asking to take your actions and seeing a level of urgency (do not solely rely on the email appears on the email as they can be easily spoofed) Be aware of the ongoing scams so you know when something is not right (Scam Watch has a great list of ongoing scams in Australia and regularly updated) Do not use the same password across all your apps/services – use a password manager Use websites like HaveIbeenPwned to check your email addresses are part of the previous breaches periodically   Join the discussion on the PEXA Community below and follow us on social media for more tips and articles like this.   PEXA Security Team ... View more

Dear Members,   Legal Practitioners Liability Committee (LPLC) recently published an article about an ongoing fraudulent document sharing email circulating among the legal community. They are essentially looking to steal your credentials to login to your email  accounts by tricking you to click on a link. Highly recommend you are taking time to read the publication to increase your awareness and your staff on this matter.   This is a great reminder to implement two factor authentication on your email accounts (for that matter on all the online services you use where 2 factor authentication is offered) which will significantly reduce the risk of falling in to this type of scams.   Access to the LPLC article below or browsing to the LPC website.   FILE SHARING EMAIL SCAM – MULTI-FACTOR AUTHENTICATION WILL HELP PROTECT YOU    Few quick actions you can take to increase your cybersecurity awareness,   1.Take time to assess your online presence and enable two factor authentication on applications 2. Share the LPLC article with your staff and your colleagues in the industry to increase the awareness 3. Print the PDF in the article and leave them where everyone can see them. Example - on a common wall. 4.Generate and build a cyber risk aware culture by creating space for your staff to learn and stay safe about cyber risks and threats.   Thank you ... View more

Dear members,   We are aware of an email phishing attempt targeting PEXA members, asking about the "PEXA Residential Seller Guarantee". Please be vigilant for similar emails and take time to validate before taking any action within emails. I have attached a sample email a member received on 12 February 2020 for your reference.   If you come across any or similar email notifications, please don't click on any links, inform your PDS/PEXA Partner and forward it to security@pexa.com.au.   ---------------------------------- Phishing email capture below   End of image. ----------------------------------   Thank you.   PEXA Security Team ... View more

  This advisory applies to   Microsoft Internet Explorer   Web Browser       What is the new software vulnerability? PEXA Security is aware of a Microsoft Windows Internet Explorer zero day vulnerability which is being attacked by malicious actors and other cyber criminals over the internet. You can be a target of this attack by clicking on a link or opening an attachment sent you by an unknown party or malicious actor. More information on this can be found on the links below   How do I address/mitigate the vulnerability? Currently there is no patch available from Microsoft for this vulnerability. However, they have provided a workaround to protect users from being a target of this attack.   Important - Given the use of malicious websites as part of the vulnerability’s exploitation routine, individual users are encouraged to practice caution when it comes to clicking links, especially those embedded in a suspicious email message.   Do I need to take any action? Reach out to your IT support service team or your regular System Maintenance team about this vulnerability. They may already be aware of this and it would be important to check with them and follow the instructions given.   https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001 https://thehackernews.com/2020/01/internet-explorer-zero-day-attack.html   Thank you. PEXA Security ... View more

  We are aware of a critical zero day vulnerability discovered in the Citrix application.  This vulnerability is still without any permanent fixes and patch is yet to be released by the Citrix vendor.   If you are using Citrix applications (example - for digital signing certificate) described in the article below there is a potential you may be vulnerable.  Your IT team/ support services may already be aware of this and it would be important to check with them and follow the instructions. We recommend you consider implementing the mitigation strategies explained in the advisories below.   https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/   https://support.citrix.com/article/CTX267027   https://support.citrix.com/article/CTX267679   Thank you PEXA Security Team ... View more

  Dear PEXA Community,   This advisory applies to Firefox Web Browser installed on all device types.   What is the new software vulnerability?   New critical vulnerability in the Firefox web browser has been discovered by security researches which is currently being attacked by malicious parties and criminal groups. Attackers could use this vulnerability to gain access to your devices by exploiting the way Firefox browser works on your devices.   Do I need to take any action? Yes. Firefox vendor has released an emergency security update which addresses the vulnerability and has advised everyone who uses Firefox to immediately update to the latest version.   How do I update my Firefox Web Browser? PEXA Security always advise to keep your software, including web browsers, up to date. Please follow the steps below to update your browser,     Open your Firefox Web Browser and Click on the “Menu” and then Click on the “Help"  (As indicated in red colour on the screen capture below)                 2. Click on the “About Firefox”. This will start the update automatically            3.  Make sure version it displays is as same as below highlighted in red text box     PEXA Security recommends members enable automatic updates to make sure in the future, new browser updates are done automatically.     Go to the top right-hand corner “Menu” and click on “Options” from the dropdown menu             2.  Scroll down to the section “Firefox Updates” and tick the “Automatically install updates” check box. This will install updates automatically without any manual intervention in the future.     Thank you. PEXA Security ... View more

Staying safe online has never been more important for individuals and business’ worldwide. In 2018 alone, Australian businesses lost more than $60 million to e-mail scams. It is also estimated that by the end of 2019, cyber-scam losses will exceed $532 million, surpassing half a billion dollars for the first time.    Understandably, it can be difficult to know where to begin to ensure you’re taking the appropriate steps to avoid falling victim to cybercrime. First, it’s important to get the basics right. Below is a checklist of 12 initial steps that you and your business can take to boost your safety while online.     Anti-Virus — As your first line of defence, ensure you have antivirus protection on all of your devices, including mobile devices.   Two Factor Authentication(2FA)    for e-mail  — Most email providers, such as Google and Hotmail, provide 2FA to protect user accounts. This significantly reduces the threat of intrusion by a hacker if your password is compromised, as your account is secured by an additional layer of protection (the passcode that you receive through SMS or the mobile app).   PEXA members must use Multi-factor authentication (MFA)  to access the platform, providing an extra layer of security when logging into your account.    (Note: It is recommended to use an app-based security PIN generator for 2FA, such as Google Authenticator, rather than SMS).  Phishing  — E-mail phishing is the number one avenue used in cybercrime. The typical phishing email will contain a false and/or mimicked story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. Learn how to identify a phishing e-mail with the help of this  interactive tool .   Password  — Do not use the same  passwords  on multiple systems. If your password is compromised, then hackers can access all of your other services as well. Use a password manager to maintain your varying passwords or pin codes.   Additionally, instead of passwords, use passphrases. Passphrases can be a minimum of three words combined that are easy to remember with numbers and special characters e.g. UniverseAthletic4!  Use host-based firewalls  — Both Windows and Apple OS offer firewall capability. These are not difficult to set up and easy to follow help videos are easily found online.  Update operating systems and applications  — Operating systems (OS) and application vendors frequently release security updates to address vulnerabilities. We highly recommend you have automatic updates enabled so it all happens in the background without waiting for your intervention.  Review applications  — Spend 5-10 minutes inspecting your system and applications. If there are unwanted applications in your program list, uninstall them. This is because third party apps can contain vulnerabilities that hackers may then exploit.  Email Rules  — Email providers offer the capability to create  rules.  If your email is compromised, there is a possibility that the hacker created rules in your email system to forward mail to a hacker managed email account without you knowing it. Go in to the e-mail rules section of your account and make sure that only the rules you’ve created are present. We recommend you complete this action at least once per month.  If you find that there are rules you have not created, delete these rules before immediately changing your password. Back-up  —   Backing up all of your data  is paramount. Ensure your back up solution is on a separate device and is accessible if you cannot or are denied access to your files’ original location. Removable Storage  — Do you use removable media such as USB drives? If yes, we recommend using a Cloud file storage instead, as removable media is easily corrupted or infected with malware.  Browser Security  — There are a few important tips to remember here, including:  a. Do not save password/passphrases on browsers b. Frequently update your web browsers  c. Lookout for duplicate or unsecure web pages  Social Media and App Privacy/Security settings  – Do you use your social media,  such as Facebook, to access third party services? If so, we highly recommend  you review the privacy settings on your social media apps to determine what it has access to. Again, 2FA is your friend here. Other privacy tips include:            a. Check settings to ensure you're not providing unnecessary access to your information to apps you've installed.           b. Switch off Bluetooth when it’s not being used.            c. Do not connect to Free Wi-Fi access points no matter how secure it claims to be. If you have no option, then use a VPN service to secure your communications.           d. Don’t let others including family members, use your device without your supervision. They may unknowingly click on links and pop-ups which will expose your device to the hackers. Where possible use parental controls.    Finally, maintain your cyber security awareness. A great place to refer to is the Australian governments’ Staysmartonline resource and, of course, PEXA’s dedicated security page on the e-Conveyancing Community.      Indika Wimalasiri   ... View more

  The threat of cyber-attacks are real but there is something you can do about it.      The Australian Government’s Cyber Security Center has released a critical security advisory to individuals and business organizations using older versions of Microsoft Windows operating systems (Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008) to apply security update/upgrade to newer operating system version to avoid being compromised for the vulnerability named as “Bluekeep”.   What is Bluekeep ? Bluekeep is a vulnerability in the Windows operating system’s Remote Desktop Protocol (RDP – service use to connect to another computer/network remotely) which allows an attacker to execute commands to compromise your computer. BlueKeep exploit has the potential to spread in a virus fashion and self-replicate without requiring any user interaction.   An unpatched system gives criminals a front door to break into your computer or network and steal your corporate and customer information. The threat of cyber-attacks are real but there is something you can do about it.   How to protect my systems? It is critical that organisations and individuals operating older versions of Windows systems  immediately install Windows BlueKeep vulnerability patch , available at Microsoft website.   Recommendations   Identify the Computer Systems operating older version of Windows Operating Systems. ( Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems) Confirm you have backup of data available if needed. Apply the updates through Windows Update or manually by downloading it from Microsoft website. Reach out to your IT service support team and ask them to address the Bluekeep if not already.   Mitigation activities until patch is applied.   Practice due diligence and be alerted around what happens in your computer. If any unusual activities observed, engage your IT personnel to look in to it. Avoid using Remote Desktop Services from internet. (If needed use it only over a Virtual Private Network and with multi-factor authentication.) Always keep operating systems and application up to date. Backup your data to a secure location. (Cloud storage/offsite volume)   More Info - https://www.cyber.gov.au/news/update-acsc-confirms-potential-exploitation-bluekeep-vulnerability ... View more

What is phishing and different variants attached to it?   An email appears to come from a someone you trust, such as your bank, online store, credit card company or a popular website. At first it all appears normal, but it will try to trick you in to giving away sensitive information, installing malware on your device or open an attachment while indicating an urgency.   Phishing is one of the easiest and very successful avenue for hackers to gain access to your organization's information. Security researchers say more than 90% of the data breaches worldwide are started with a phishing email. For us to defend against this malicious attack type we need to be able to identify the threat as there are multiple variants of methods used by hackers.           Key indicators of a phishing email. What to look for? Article below showcase what you need to look for in an email to make sure it is not part of a phishing campaign. This will help to increase your awareness both in and out of work place.     Thank you.   - Indika Wimalasiri -       ... View more

Con artists have been constant figures throughout our society’s evolution. From ‘short-cons’, like the Three-Card Monte to ‘long-cons’, when Victor Lustig sold the Eiffel Tower as scrap metal back in 1925. They use their smarts and charisma to gain the trust of unexpectant victims, all for financial gain. Over the past 20-30 years, the world has evolved dramatically, with advances in technology taking precedence. This has given rise to the modern-day con artist; hackers or cyber-criminals. Since the emergence of e-mail, it has been one of the most prominent and successful mediums for fraud world-wide, including the conveyancing industry; as an entry way to more elaborate scams. For us, the every-day person, employee or business owner, it is essential that we are aware of the real risks of cyber-crime. The following scenario is one example of a hacker at large, trying to ‘con’ their way into the conveyancing industry with a duplicate website.   The Hacker Elliot has been dabbling in cyber-crime for some time. It’s quite a lucrative career – if you know what you’re doing – which he and his team do. He is involved in penetrating computer systems, collecting passwords and then selling them to other cyber-criminals for profit.  However, this time, Elliott decided to do something more elaborate than simply selling these credentials.   “One of these usernames and passwords has landed me a gold-mine. I noticed a few ‘PEXA’ e-mails in this person’s inbox. I did my research and figured it could be a big win for the team. The username and password I have doesn’t match his PEXA account, but I have another way in. The team and I set about duplicating the PEXA login page. In the end it looked almost identical to the original and we placed it on a hosting service based in Belize. Next step, we sent the link via a duplicate PEXA e-mail and waited for our victim, Barry, to enter his details into the fake website. Once we capture his credentials, we’ll have easy access to his account, and his client’s money! The Victim Barry’s firm keeps its staff up-to-date with the latest cyber-security trends. They complete security awareness training to maintain the firm's security posture and the integrity of its service. Barry considers himself to be security-savvy, so he had no worries that morning when he opened his inbox.   “I scrolled through my e-mails and noticed a PEXA workspace notification which I opened straight away. I have a million-dollar settlement today and want it to go smoothly. I clicked on the link in the e-mail and instantly thought twice about my decision – it’s unusual for any company to send you a link to their login page. However, the PEXA login page looks legitimate. Although, before I progress any further, I’d better ensure the web page is secure… I look up at the address bar to check for a padlock symbol – no joy. Instead there’s a red triangle with a white exclamation mark inside. Next, I check the URL begins with ‘https’. It didn’t - Oh no! I exit the page immediately and sigh a breath of relief that I hadn’t entered my credentials into the page. I’d better let PEXA know, other practitioners might not check the website’s security level…”   The Hacker On the other side of the world, Elliot checks if Barry has fallen for his scam.   “It looks like Barry is more tech-savvy than we expected. He didn’t enter his details into our fake website. But not to worry, we’ve sent it to multiple others in his industry. Someone is bound to fall for it. Hold on. The website has been removed, Barry must have also informed PEXA. **bleep** it, all that time and money wasted…”  Elliot and his team quickly bounce back from their failed website scam and start planning their next con. “We didn’t fool them this time, but wait until they see what else we have up our sleeves…”       To learn more about how to identify duplicate websites, please refer to the article " How to identify duplicate or unsafe websites"   ... View more

It’s important to be aware of how to identify a duplicate or unsafe website. You can easily check the security certificate beside the web address (URL). You’ll see one of the following three symbols.     Tips If a website does not display the first symbol above (padlock), this confirms that it is not secure and everything you do is susceptible to a cyber-attack. We recommend you close the browser without completing any further actions such as inserting your login credentials etc. Check if the address begins with "https” (not "http)". This will be another indicator of a website’s security level. If you see "http", this means that there is no encryption in place, and information you provide on that page is at risk of being seen by unauthorized personnel.   If you’d like more information about website safety or other aspects of cyber security, the Australian Government’s Stay Safe Online website provides practical tips to assist everyone in staying secure while online.    Regards, Indika Wimalasiri (PEXA Security Team) ... View more

Dear PEXA Community, This advisory applies to Microsoft Outlook App installed on Android devices. New vulnerability in the Microsoft Outlook App for Android has been discovered. Attackers could use this vulnerability to gain access to your emails and phone by inviting you to click on a crafted link. Microsoft has released an update to its Outlook app through the Android Google Play Store. PEXA Security advises its members using Outlook app for emails on Android devices to update the app at your earliest window.   How do I get the update for Outlook for Android? 1. Tap the Google Play icon on your home screen. 2. Swipe in from the left edge of the screen. 3. Tap My apps & games. 4. Tap the Update box next to the Outlook app.   Note - Security always recommends keeping your mobile device OS and Apps up to-date by applying updates as soon as they are available.   PEXA Security Team   ... View more

  Dear PEXA Community,   This security vulnerability notice only applies to members using an ASUS branded laptop device.   Security researchers have discovered a critical vulnerability with ASUS laptop computers relating to its “Live Update” software component. Live Update is functionality on ASUS laptop computers that keeps your ASUS laptop software up-to-date .   As a user, you are required to update the “Live Update” software component to Version 3.6.8 or higher at your earliest window to ensure your device is secure.   The article linked below, published by the vendor, outlines the steps you are required follow to make your device secure. To ensure your device is safe please follow the details here.   PEXA recommends you reach out to your IT Support team/provider if you require further assistance in addressing this security issue.   PEXA Security Team ... View more

Dear PEXA Community,   High severity vulnerability has been discovered in the Google Chrome Internet browser. Attackers can use this unpatched vulnerability to steal information from your computer. Google has issued an update to the Chrome Internet browser to address the vulnerability. PEXA Security strongly recommend PEXA members check the version of the Chrome browser used and make sure it is up to date.    Please follow the steps and figure shown below.   Open Chrome browser -> Click on settings -> Help -> Click on “About Google Chrome” Check your version number to make sure it’s 72.0.3626.121 or later.   PEXA Security Team ... View more

This week is # StaySmartOnline Week. The campaign aims to reverse the threat of cyber-crime by empowering people to discuss and own their cyber-security. Over the next few days we’ll be sharing a number of best-practice resources to assist you, here on Community and on PEXA's social channels.   ... View more

Security Advisory   Every now and again we come across security issues that can impact you at home. There is one that is making some noise in the security world. The new virus/malware discovered can infect your home or small business router (the box that connects to the Internet). It’s called “VPNFilter” and the estimated number of infected devices is around 500,000; in at least 54 countries.   Read on to see if this affects your internet box (router/modem) and what to do to protect yourself.           1. How does this affect you? If you have a router/modem from the following companies, it’s suggested you review your vendor’s update steps. Vendor Action to take Telstra No action – Telstra reports that your modem is updated automatically Linksys Follow the vendor directions Netgear Follow the vendor directions MikroTik Follow the vendor directions TP-Link (TP-R600VPN model only) Follow the vendor directions QNAP Systems Follow the vendor directions            2. Can I learn more about the VPNFilter issue? If you would like to get into the details, follow this link (https://blog.talosintelligence.com/2018/05/VPNFilter.html)          3. Is there anything we can do to be secure? A few helpful tips to keep your home devices secure are: Always change the default password. Put a password on your home wireless network. Use a strong password with at least 8 characters, a combination of upper and lower case, include numbers and special characters such as @, #,and !. Use a different password on your PC, to your email, to your work, and so on. Make sure you update your software regularly so that security patching occurs.   If you still have questions, email security@pexa.com.au ... View more

Dear Members,   Below is an example of an actual phishing email for awareness purposes. Please take a moment to look at the pointers to understand how you can be misguided by a hacker. Being on top of this can help you to stay safe online. Remember, one click is all that matters to open the door to whole new level of issues.       Here are few helpful steps and questions to try/ask yourselves before clicking on any suspicious/unknown email. Reputable & legitimate organizations:   Don't request your sensitive information via email - Legitimate organisations do not send you emails asking you to download certain content e.g. utility bills, gift card link etc. or request you to verify your account details by clicking on a link.   Don't call or address you by a common greeting - Most of the time it will not include generic greetings e.g. "PayPal User", unless it’s advisory and openly available information.   Have their own email domains - Don't just look at the person's name sending the email. Check the full email address including the domain to make sure it is actually from the organisation represented, as most of the time they'll have their own domain. Hover your mouse over the email to verify this and make sure there's no additional numbers or special characters attached to the address. If there are, it is most likely a phishing e-mail.    Don't make grammatical errors - Spelling mistakes and bad grammar are key giveaways that it's phishing.   Don’t force you to their website - Most of the phishing emails contain multiple hyperlinks to maximize their chances of you clicking on one of them.   Don't send unsolicited attachments in the emails - Attractive attachment headings are another giveaway that it is a phishing scam. Another common case is utility bills or any other public event happening around the same time. Scammers use these events or news items to grab your attention and potentially to get you click on the links.   Send legitimate URLs - It may look like it is but it may send you somewhere else. Hover your mouse on the link (do not click) to check the link is actually legitimate and does not represent a different suspicious name. Always type the URL into your browser rather than using links on emails if you want to access the website. Don’t trust the email, instead call the sender to validate the request.   I clicked on it... Now what happens?   If you click on a phishing link accidentally, it does certain actions behind the scenes which you cannot see. These actions could be anything from a simple add popup on your screen to a stealing of your personal/customer data. So, if you fall into this category, speak up and seek help by contacting your internal security professionals or IT partners. Sending phishing emails and inviting people to click on these links are by far the most successful way for organisations to experience data breaches.     if you find any phishing/spam material referring to PEXA, please forward it to security@pexa.com.au     ... View more

Dear Members,   Forwarding suspicious emails to security@pexa.com.au   We have made changes to our security configurations when you forward a phishing/suspicious email to PEXA via security@pexa.com.au Previously when you forward an email to security@pexa.com.au with potential malicious content it denied successful delivery and often you would have received a delivery fail/bounce back message. But not any more.... Now you can click the forward button on the actual malicious/phishing email and send directly to us via security@pexa.com.au without the email being blocked.   It is important members forward us the actual email to PEXA instead of trying to send it as PDF or a Screenshot of the email.      Thank You.   PEXA Cyber Security Team       ... View more