We would be remiss if we highlighted cybersecurity awareness without delving deeper into phishing. We have all received notifications from our banks or even employers warning us against phishing attacks. What is phishing exactly?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.[1]

The data obtained from such an attack is then used to access essential accounts and often leads to identity theft and loss of finances. This cybersecurity awareness month, we’d like to draw your attention to common features of phishing emails or SMSes to avoid falling into the traps of cybercriminals:

  1. Too Good to Be True – Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Do not click on these suspicious emails.
  2. Sense of Urgency – A favourite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you only have a few minutes to respond. Should you encounter such an email or message, it is best to ignore it. Even if the message says that your account will be suspended if you do not respond, do not click on any links. Your bank or any other service provider will never ask you to provide sensitive information via email or SMS.
  3. Hyperlinks – A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.standabank.co.za – the ‘rd’ is missing, so look carefully.
  4. Attachments – If you see an attachment in an email that you were not expecting or that does not make sense, do not open it! Such attachments often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
  5. Unusual Sender – Whether it looks like it is from someone you do not know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general – do not click on it![1]

Here are some tips on how to prevent phishing attacks:

  • To protect against spam mails, spam filters can be used. Generally, the filters assess the origin of the message, the software used to send the message, and the appearance of the message to determine if it is spam. Occasionally, spam filters may even block emails from legitimate sources; they are not always 100% accurate, so check your spam folder regularly.
  • The browser settings should be changed to prevent fraudulent websites from opening. Browsers keep a list of illegitimate websites and when you try to access the website, the address is blocked or an alert message is shown. The settings of the browser should only allow legitimate websites to open up.
  • Many websites require users to enter login information while the user image is displayed. This type of system may be open to security attacks. One way to ensure security is to change passwords on a regular basis, and never use the same password for multiple accounts. It is also a good idea for websites to use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart, a category of technologies used to ensure that a human is making an online transaction rather than a computer)[2] system for added security.
  • Banks and financial organisations use monitoring systems to prevent phishing. Individuals can report phishing to industry groups where legal actions can be taken against these fraudulent websites.
  • Changes in browsing habits are required to prevent phishing. If verification is required, always contact the company personally before entering any details online.
  • If there is a link in an email, hover over the URL first. The addresses of secure websites with a valid Secure Sockets Layer (SSL) certificate begin with “https”.[1]
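
The check behind the “Hyperlinks” feature and the hover tip above can be automated in a mail filter or awareness tool. The following is an added example, not code from any product or from the sources cited here: it compares the host a link really points to against a trusted list and flags near-misspellings. The trusted host is inferred from the article's own misspelling example, and the function names and distance threshold are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allow-list for illustration, inferred from the article's example;
# a real deployment would load the organisation's own list of trusted hosts.
TRUSTED_HOSTS = {"www.standardbank.co.za"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # add cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def classify_link(shown_text: str, href: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'mismatch' or 'unknown' for one link."""
    target = host_of(href)
    if target in TRUSTED_HOSTS:
        return "trusted"
    # A near miss of a trusted name is the misspelling described in item 3.
    if any(edit_distance(target, t) <= max_distance for t in TRUSTED_HOSTS):
        return "lookalike"
    # The visible text looks like a host name but the link goes elsewhere.
    looks_like_host = "." in shown_text and " " not in shown_text
    if looks_like_host and host_of(shown_text) != target:
        return "mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links: (text shown to the reader, real destination).
    samples = [("Click here", "https://www.standabank.co.za/login"),
               ("www.standardbank.co.za", "http://login.constructed-host.test/")]
    for text, href in samples:
        print(f"{classify_link(text, href):9}  {text!r} -> {href}")
```

A result of "unknown" only means the destination is not on the trusted list and does not resemble an entry on it; it is not a verdict that the link is safe.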

South Africa has the Cybercrimes Act 19 of 2020, which aims to prevent cybercrimes and malicious communications, including provisions that address unlawful access to, interception of, and interference with data or computer programs and systems.[3] Contravention of the provisions of the Act can result in a hefty fine or even imprisonment.

References:

  1. https://www.phishing.org/what-is-phishing
  2. https://www.pcmag.com/encyclopedia/term/captcha
  3. https://cybercrime.org.za/law#:~:text=The%20Cybercrimes%20Act%2019%20of,or%20computer%20programs%20and%20systems