Phishing: The Line, The Bait And The Hook
According to the African Fraud Barometer, fraud cost the African continent approximately $5.5billion in the second half of 2012. A key component of the high cost of fraud is phishing attacks. South Africa is considered to be the second most vulnerable country prone to phishing. In the first half of 2012 alone, phishing fraud cost South Africa R 71 million. Symantec Intelligence reports that one in every 170 emails sent in 2011 were phishing attacks. Furthermore, Kaspersky Lab noted that in 2012 there was an 8 percent increase in the number of phishing attacks; 45 percent of phishing attacks made use of the names of reputable banks and online payment systems.
Phishing is a form of fraud in which cybercriminals attempt to obtain personal information such as passwords, usernames, identity numbers, and financial information, by impersonating a trustworthy organisation. Various forms of electronic communication are employed as the ‘phishing line’, such as emails, text messages, phone calls, adverts, online payment gateways and social websites. The aim of phishing is to obtain private information which allows the cybercriminal to access one’s bank account. Commonly, phishing messages convey that the entity experienced problems with their computer systems or data and they either need to verify your account information, or to process a payment to your bank account.
The victim’s belief that he or she must provide their correct personal information or that a payment will be received, is what acts as the ‘bait’. Once the victim has fallen prey to the bait by clicking an embedded hyperlink in the phishing message the victim is lead to the spoofed website - the ’phishing hook’. The victim has been misled to what has appeared as a genuine website, in which he or she provides their personal information to the cybercriminal who initiated the phishing attack ii.
Example of a phishing message:
This is one such example of a phishing attack, other indicators which can be used to identify a phishing message includes: the request for any personal information (legitimate companies do not request any form of personal information via electronic communication), the threat of suspension or closure of a bank account, and if the message contains a sense of urgency ii.
Steps to prevent phishing attacks ii:
- Never give out personal information via an email;
- Do not click on links embedded within an email which come from a bank or other financial institutions;
- If one is unsure they are visiting a spoof website, one can first enter a false password. A spoofed website will always accept the password whilst a genuine website will not accept the password;
- Use dedicated systems for online payments;
- Use authentication mechanisms for all online payments;
- Do not open attachments or links in unsolicited emails;
- Educate employees on how to identify phishing scams;
- Ensure use of adequate anti-virus and malware software;
- Risk mitigation through Indemnity insurance; and
- Risk management services such as penetrating testing and security audits.
The number of phishing attacks are expected to continue to increase in the coming years as they are a low cost exercise, yet effective and simple to deploy . It is important to stress the increasing use of this form of cybercrime; as phishing websites are difficult to identify by even the most savvy computer users. Therefore, it is imperative that one remains vigilant to ensure that financial online payments remain a trustworthy transaction mechanism – do not fall victim to these phishermen and their casted lines!