
We’ve all either heard about it or perhaps even received an email from a ‘Nigerian Prince’ ourselves. It’s a notorious phishing scam that has made its way into urban lore.

The scam is simple. The scammer sends an email claiming to be a deposed prince or a wealthy foreigner. They tell a story about having a large sum of money that they need help moving out of the country, often millions of dollars. They promise that if you help them by providing your bank account details, you’ll get a significant portion of this money as a reward.

The catch is that you need to pay some form of upfront fee (for taxes, legal fees, banking fees, etc.) to release the funds. If a victim pays this fee, the scammer might disappear, or they might come back asking for more money for additional unexpected fees.

The Nigerian Prince scam has been run everywhere, from South Africa to Canada. It’s one of the original phishing scams.

The problem is that, like all cyberthreats, phishing scams have become increasingly sophisticated, which is why they remain the primary way that hackers gain access to sensitive information.

What is a phishing attack?

Phishing attacks are a kind of digital deception where hackers send emails, create websites or send other forms of online communications pretending to be from legitimate businesses, such as a bank, an insurance company or even the local revenue service. The goal is to trick individuals into divulging confidential details such as passwords, login details, banking details, or other personal identifiers. They rely on a sense of urgency or fear to lure victims into clicking a link, opening a suspicious attachment, or revealing sensitive data.

Successful phishing attacks can have far-reaching consequences, from individuals suffering financial losses, to hackers gaining the information they need to enter a business’s digital network and launch a malware attack, potentially accessing the personal information of customers.

Phishers typically have a variety of motivations:

Financial profit: By using stolen financial details, cybercriminals can make unauthorised purchases or fund transfers.

Identity fraud: Cybercriminals can misuse personal identifiers to create new identities or exploit the victim’s identity for fraudulent activities.

Corporate espionage: Phishers might target specific individuals or businesses to access confidential details like trade secrets or sensitive data.

Organisational disruption: Cybercriminals might also use phishing to interfere with an organisation’s operations, deploy malware to steal data and hold it ransom, or damage the business’s reputation. In South Africa, businesses can also face large fines if the personal data of customers is stolen and exploited.

Successful phishing attacks can be highly profitable for cybercriminals if they manage to gather sensitive data from multiple victims.

When are phishing attacks most likely?

While phishing emails can arrive at any time, they are usually sent when individuals are more prone to distraction or susceptible to manipulative tactics. For example, phishing attempts could be more frequent:

  • During holiday seasons or weekends when individuals are less focused on work-related security risks.
  • Following major occurrences like natural disasters, terror attacks, or other emergencies when people are more prone to respond to seemingly urgent communications. This is one of the reasons why we saw a large uptick in phishing attacks during the COVID-19 pandemic.
  • At financial year-ends or other crucial business periods when employees are pressured to meet deadlines and might act hastily.
  • Around the time of significant events or public announcements when people’s curiosity might lead them to click on links.
  • During tax filing season when people are expected to receive communications relating to their taxes.

The most important thing to remember is that cybercriminals pay attention to local events and news and will use seemingly legitimate ways to try and trick individuals into believing their communications are real.

Understanding phishing techniques

There are many different types of phishing attacks, but they all have one thing in common – the goal is to get an individual to believe the communication is real and to follow the requested steps. Simply receiving a phishing email or text is not enough – the reader must take action. That’s when the phisher gets what they want. Here are a few common phishing techniques:

  • Email phishing: Attackers generate counterfeit emails that seem to originate from a trustworthy source, with a link or attachment directing to a fraudulent website.
  • Spear phishing: This is a more personalised phishing attack targeted at specific individuals or groups. Cybercriminals will often use personal information about the victim to make their attempts more persuasive.
  • Smishing: This phishing technique leverages SMS or text messages instead of emails. The message usually includes a link to a counterfeit website or a phone number to share sensitive details.
  • Vishing: Phishing via telephone where manipulative tactics are used to trick victims into sharing sensitive details like credit card numbers, one-time pins or passwords.
  • Malware: Phishers can also use malware to gather information. Malware can include keyloggers or other malicious software that can track keystrokes, capture screen images, or steal confidential data.

Beating phishing scammers at their own game

The best way to defeat phishing scams is through a human firewall. In other words, phishing scams are designed and carried out by people – and it’s people who can defeat them. Here are the top ways to protect yourself, your personal information and the companies you work for:

Always question unsolicited emails or messages: Be wary of emails or messages from unknown sources or any communications you were not expecting. Even if the message seems to be from a reliable source, validate its authenticity before proceeding. When in doubt, double check.

Look for spelling and grammar mistakes: Phishing emails often contain spelling or grammatical errors. If an email looks doubtful or has errors, it’s safer to delete it. You can also double check the email address or any websites listed – if the phishing scam is trying to look like a legitimate and well-known organisation, the email or website may be similar but with one or two telling differences.

Confirm the sender’s authenticity: Check the sender’s email address and compare it with the verified email address of the entity or individual. Phishers often use spoofed or counterfeit email addresses to deceive victims.
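As an added illustration of this check (example code, not from the original article), the Python below compares the domain of a From: header against a constructed allow-list of trusted domains and flags addresses that differ only by a look-alike character swap, a typo or two, a real domain buried inside a longer one, or a brand name reused under another domain. The domain names and the homoglyph table are assumptions made for the example.

```python
from email.utils import parseaddr

# Constructed allow-list for the example: the domains the real organisations send from.
TRUSTED_DOMAINS = {"examplebank.co.za", "sars.gov.za"}

# Character swaps commonly used to make a fake domain look like the real one (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Undo look-alike substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits separating a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.
    Only the address is compared; the display name can claim anything."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]                    # e.g. "examplebank"
        if (normalise(domain) == normalise(trusted)      # homoglyph swap (examp1ebank)
                or edit_distance(domain, trusted) <= 2   # a typo or two away
                or trusted in domain                     # real domain buried in a longer one
                or brand in normalise(domain)):          # brand reused under another domain
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is the "one or two telling differences" the article describes; an "unknown" sender is simply not on the allow-list and still deserves the validation step above.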

Implement two-factor authentication: Two-factor authentication (2FA) enhances account security by requiring a second form of verification, such as a code sent to your mobile phone or a biometric scan, in addition to your password.

Use anti-phishing software: There are many anti-phishing software tools available that can help identify and block phishing attempts before they reach your inbox.

Keep software and antivirus updated: Ensure your devices are equipped with the latest software updates and up-to-date antivirus protection. This can help prevent malware infections and other security threats.

Create strong, unique passwords: Using a unique password for each account increases security. A strong password should be a minimum of 12 characters long and contain a combination of uppercase and lowercase letters, numbers, and symbols.

By employing these simple strategies and remaining vigilant, you can minimise the risk of becoming a victim of a phishing attack and enhance the protection of your sensitive information.

About the Author

Del van Rooyen
Chief Information Security Officer, Sasfin Holdings Limited
