Dan talks to Radio New Zealand about Cyber crime and keeping your data backed up


Jesse Mulligan: RNZ National. It's Time for Tech Tuesday, and I'm joined by Daniel Watson from Vertech IT Services. Hey there, Dan.

Daniel Watson: Hello. Hello, hello. How you ju?

Jesse Mulligan: No, I'm good, thanks. You're talking to scams today. Is it just me or is I feel like there's just a real increase in the amount of banks and other institutions really aggressively targeting scammers at the moment in ads. Either things have got worse or this is a major problem.

Daniel Watson: A little bit of both columns there. I reckon it is a fact that people are being more aware, not that the ground continues to evolve. I get a security feed of threat intelligence that gets sent to me on a daily basis about what's going on. One of the emails that came through I thought would be worth sharing with you because it's probably a direction I don't think I've spoken about before. Now, email attachments. We're all kind of aware that bad things can be put inside attachments. Well, the fact is that payloads that are just straight attachments have dropped in half from 72% down to 35%, although it's still enough.

Jesse Mulligan: Sorry, can you explain that to me again, Dan? I didn't quite follow that.

Daniel Watson: Oh, right. Okay. So in order for bad guys to try and subvert your computer, often they send you a phishing email. They're trying to get you to click on the attachment.

Jesse Mulligan: I can't believe this video of you is online.

Daniel Watson: Yes, exactly that. Right? That's the social engineering bit, that tagline to get you to go, oh, what is it? And then drag you into click on it. Now, most mail systems have been improving their filtering of attachments. So the one that we are using for our clients actually opens up the attachments and runs the contents up in the cloud to determine what it is actually trying to do before it gets to your computer. Now, so what the intelligence is saying is that the amount of attacks that are based on attachments is decreasing, but there's been a tenfold increase in what is called quishing, which exploits QR codes, those blocky barcode-looking things that people are putting up on ads and websites and various things that you scan with your smartphone.

Jesse Mulligan: QR codes. Yeah, yeah,

Daniel Watson: Yeah, yeah. QR codes. So if you embed one of those inside an email, same idea here is a link to something, people are going to get that in their Outlook or Yahoo, Gmail, hold up their phone, scan it, click it, boom. Okay. It is a way of just making it slightly harder for you to do things like, I don't know, read the URL that it's sending you to.

Jesse Mulligan: Oh, that's clever.

Daniel Watson: It gives usually less security on people's phones and you can post it pretty much anywhere and people will eventually just walk up to it and give it

Jesse Mulligan: Are you in trouble as soon as you scan it or is it just taken you to a website where you could get in trouble?

Daniel Watson: Usually the second one, because to do an instant, a file attack takes more technical resources. It's going to have a lower rate of success. Whereas if you can dial it up into something that seems feasible from a social engineering point of view, then yeah, it's more likely to work. So it's trying to just get you to go to places where they can get you to hand over your passwords. Generally, that's more likely than them trying to subvert your phone directly. But hey, now we're seeing attacks coming into messaging like worker related messaging platforms like Slack and Teams, and so if they can send a message to you through that, then you're probably more likely to get that. And those attacks have gone up by 104% in 2024 compared to the previous quarter. So there's that. And the other point to note is that apparently the length of the emails that they're sending for phishing attacks, the emails are just more complex. So the supposition there that people, the attackers are using generative AI to craft more sophisticated, engaging and likely messages.

Jesse Mulligan: Can I ask you something, Dan? When I occasionally look in the spam folder of my Gmail, there's never much in there, but I've got a lot of emails from my wife's email, not email address, my wife's name. So somehow they have worked out, either they've worked out who emails me a lot and they've set up a fake account to email, I'm more likely to click open or she's been compromised or what do you think might be going on?

Daniel Watson: Impersonation attacks are pretty common. You, you're a public figure, and to be fair, it doesn't take much to be a public figure on the internet. I'm not saying you're not a big deal, Jesse. I'm just

Jesse Mulligan: Well, hang on a second. This is back five

Daniel Watson: If you have a company website.

Jesse Mulligan: Yeah,

Daniel Watson: I was saying if you've got a company website where it lists you and you mentioned that you've got a wife, Sarah, then it doesn't take much for 'em to put two and two together and go, oh, well, okay, I'm going to send an email based as, so it's more likely an impersonation attack trying to get you to do something.

Jesse Mulligan: Okay. Thank you. Thank you. What else is going on in the world of tech?

Daniel Watson: Oh, I noticed a news article about Xtra is now going to start charging for the Xtra mail service, the old Spark Xtra

Jesse Mulligan: It's been ages since I ran into someone with an Xtra mail address.

Daniel Watson: Oh, occasionally you see businesses out there, if so-and-so at xtra.co.nz, which I always think is like, oh, okay, you're just advertising. You're a very small business, but that's fine. Now, that has been a free service since the late nineties. I was working for a telecom subsidiary back then when Xtra all got going and it was like a funny little portal that you dialed into now giving away that free at that time is that email was actually, it is a fairly small service in terms of size going way back within. But these days people store documents, they store photos, they email videos around in it. The size capacity of an average mailbox is getting up into the gigs and gigs and gigs. Now, like many businesses on the internet, there's been a bit of a squeeze. We're not paying double the amount for internet connections that we were paying in two thousands, right?

It's just the number that you're paying for an internet connection, it's probably stayed about the same for quite some time, which means that they're having to find efficiencies elsewhere in the system or their margins are shrinking. And realistically, these days for business customers, we need to have a backup for their mail system. We need to have email filtering. And clients expect you to be able to turn around a question on how do I find this email pretty damn quick. Now, in this article, this chap who is described as a tech veteran lost 30 years of research into his family genealogy, which is like a massive shame. I imagine if he'd been willing to pay that $5.95 per month, he would've retained that service and actually would've been better as a result.

Jesse Mulligan: So what Spark brought in this thing that if you want to keep all your massive archives, you've got to start paying subscription. He didn't pay it, and as a result, he lost this massive amount of family tree research.

Daniel Watson: It looks like he mucked up on the export process. Hauling his email out of to his local machine. So if he'd actually stored all the email on his computer, chances are you'd, I mean, hopefully you'd think, oh, I got to back up my files on my computer using a free service and expecting it to have good quality backups, I think is a bit unreasonable these days. If you're paying nothing, get what you expect. Yeah, and I think it is a case of that it's been a service that's been around for so long that people kind of just assume that it has backups. Realistically, it might've had backups back in the day, but then they've gone, well, we need to cut costs. Where can we cut it? And who actually reads the terms and conditions these days? Right? That's the problem too. If you don't know exactly what you're paying for, it doesn't matter what your expectations are, they can't control everything and would just cost too much.

Jesse Mulligan: So what's the lesson, Dan? Sometimes it's worth a few bucks a month to get the premium service, and often I notice too, with those free services you find online, you'll also get some pretty good support if you pay the subscription, which compared to the other things that you spend your money on in life, right? Takeaway coffee is always the obvious one. A few bucks a week for a service that you really value and use all the time and might even be valuable to your business. It's kind of a no-brainer

Daniel Watson: The advantages for privacy as well. But if you're not going to do that, then you need to take more responsibility for it. So have the email downloaded onto your computer and then make sure that you've got a backup system in place so that something happened to your computer the way you go, you've got something you can do with it. But yeah, it's a real shame. I hate it when people lose data. It's the worst crime that we can do as an IT company is lose somebody's data. So I prefer the belt and braces approach and make sure that we've got a second and a third plan.

Jesse Mulligan: Nice. Dan Watson, Vertech IT Services for Tech Tuesday and great to chat as always, Dan.

Daniel Watson: Awesome mate. All right.