Domain names: The secret tool of cyber scam artists
Angus Richardson explains the security risks associated with domain names, and the importance for SMEs to have a domain strategy to protect themselves from cyber-scams.
The war against cyber-crime is a global issue, and one that we cannot hide from here in New Zealand. Throughout 2016, more than NZ$1 billion was taken from trusting Kiwis through identity theft and other scams. Global cyber security firm Symantec reported that there were approximately 108 cyber-attacks per day in New Zealand, and the Department of the Prime Minister and Cabinet reported that one in five New Zealanders were affected by some sort of cyber-crime in 2016.
The frequency of reported cyber-attacks is on the rise, following the recent discovery of 711 million leaked emails and passwords stored on a “spambot” server in the Netherlands. Internet security researchers believe the list to be the biggest ever used to deliver spam and malware to unsuspecting web users across the globe. It’s safe to say that cyber-crime is here to stay.
Businesses cannot afford to ignore this risk, yet our own research of 600 small business owners shows 57% of SME businesses in New Zealand don’t consider rogue domain names to be a risk to their business, while 20% admit they see the risk but do nothing about it.
KPMG found cyber-attacks are typically carried out by email, and commonly appear to come from a legitimate party that the victim has a relationship with. This is because skilled scam artists use an email address that appears to be legitimate. The easiest way to detect a phishing scam, apart from poor grammar, is to check the email address it comes from, and the truth is often revealed by the domain name.
This can happen in many ways, but below is an example of how easy it can be for scammers:
• If you signed up for a newsletter at www.newsletter.co.nz, and received an email from [email protected], you can be reasonably certain that email is legitimate.
• If you received an email from [email protected], however, there’s no chance you’d dare open that email.
• What if, however, the email comes from [email protected], would you think it was legitimate and open it? I suspect many of us would, given how confusingly similar it is, and that’s how a skilled scam artist tricks their victims.
While this seems like common sense, it is easy to miss, especially if you don’t know what you’re looking for. One of the ways you can protect your customers lies in having a domain strategy, such as purchasing the domain names that criminals might use, in association with your brand, to target those customers.
Though you can’t protect all the domain names in the world, you can and should protect those which your customers see regularly and trust, such as .NZ, .CO.NZ, .KIWI, and .COM.
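The sender-domain check and the domain strategy described above, as an added example that is not part of the original article: it classifies a visible From address against the domains a business owns and lists the brand's variants under the four suffixes named above that are not yet owned. The function names and sample addresses are constructed for illustration; newsletter.co.nz is the domain from the article's example.

```python
from email.utils import parseaddr

# Suffixes the article names as ones customers see regularly and trust.
SUFFIXES = ("co.nz", "nz", "kiwi", "com")

def split_domain(domain):
    """Return (brand label, suffix) for a domain under SUFFIXES, else (None, None)."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):  # match co.nz before nz
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1], suffix
    return None, None

def within_one_edit(a, b):
    """True if a and b are equal or differ by one inserted, dropped or changed character."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def classify_sender(from_header, owned):
    """Classify the visible From address against the domains the business owns."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    owned = {d.lower() for d in owned}
    if domain in owned or any(domain.endswith("." + d) for d in owned):
        return "trusted"
    label, _ = split_domain(domain)
    owned_labels = {split_domain(d)[0] for d in owned} - {None, ""}
    if label and any(within_one_edit(label, o) for o in owned_labels):
        return "lookalike"  # same or near-identical brand label on a domain not owned
    return "unrelated"

def variants_to_register(owned):
    """Brand label combined with each suffix, minus what is already owned."""
    owned = {d.lower() for d in owned}
    labels = {split_domain(d)[0] for d in owned} - {None, ""}
    return sorted({f"{l}.{s}" for l in labels for s in SUFFIXES} - owned)

if __name__ == "__main__":
    OWNED = ["newsletter.co.nz"]  # domain from the article's example
    for sender in ("News <hello@newsletter.co.nz>",  # constructed sample senders
                   "hello@newsletter.kiwi", "hello@newsleter.co.nz", "hello@example.com"):
        print(sender, "->", classify_sender(sender, OWNED))
    print("register:", variants_to_register(OWNED))
```

This inspects only the visible From address, which a sender can forge, so it complements SPF, DKIM and DMARC checks rather than replacing them.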
When businesses don’t protect the domain names similar to their business name, who should be liable for those damages? My feeling is that the blame lies with the company that didn’t pay the extra $25 to secure that extra domain name, and to ensure its customers knew which email addresses they could trust.
It’s not just SMEs that do not understand the security risks associated with domain names. A quick glance at the top 150 websites in New Zealand by traffic reveals that roughly 20% haven’t secured their .NZ equivalent. For these companies, cost is not an excuse.
For instance, do you think Bunnings was unable to afford to secure “Bunnings.nz” when it first became available in 2015? Now, because it’s owned by someone in Whakatane, Bunnings has left open the risk that someone could create phishing emails from [email protected].
Not only can you be scammed, there is a risk you could be impersonated to scam the people and businesses you know or work with. There was a case recently where a university was impersonated to scam an electronics supplier in NZ into sending product to a fake recipient, and those goods were immediately shipped overseas.
In this case, from the university’s perspective, they weren’t scammed but they were impersonated to scam their supplier. In short, being lazy about the protection of domain names leaves those you know and work with at risk of being scammed.
When you consider that owning multiple domains is good for business (18% of respondents to our survey admitted still searching the Internet by typing domain names straight into their browser), it makes even more sense to purchase what you can.
The advantages to yourself, your business and your customers couldn’t be clearer.
Angus Richardson is managing director of Dot Kiwi.