Christopher Riley from Pretoria found this out the hard way.
“I noticed the landing pages of 11 of my websites had been defaced and I realised they had been hacked.”
He believed the cyber criminals were after financial information but said that, fortunately, all the systems were adequately protected.
Part of the problem is the Internet, where would-be hackers can choose from about 162 million options on learning how to hack. Another route is phishing, a practice in which a criminal convinces a gullible person to hand over personal information voluntarily.
“South Africa is an attractive market for phishers,” said Edwin Frauenstein of the Walter Sisulu University in East London. He is a lecturer in the department of information technology and said most anti-phishing measures cite security education, training and awareness.
“But what about the man on the street who is the victim? We do not see enough marketing of anti-phishing although financial institutions do provide some awareness on their corporate websites.”
10 Phishing best practices
1. Do not trust strangers.
2. Legitimate e-mails should address you by your name. Check for spelling mistakes or missing words. If any offer or story seems too good to be true, it most likely is.
3. Do not respond to e-mails that are in HTML format with embedded submission forms. Images embedded in e-mails can contain virus code and can also be links to spoofed websites. This process is known as click.
4. Do not download e-mail attachments from unknown sources.
5. Delete the e-mail, especially if it warns you, with little or no notice, that an account will be terminated unless you comply with its demands.
7. Do not submit any personal information such as passwords and PINs by e-mail, by telephone or on websites to any authority, no matter how enticing or credible the story may seem.
8. Do not use identical usernames and/or passwords for different websites.
9. Always remember to validate your credit card and bank account statements as soon as you receive them.
10. Do not leave an unoccupied computer terminal logged in on websites, especially a banking website.
Riley said in the 1990s it was break-ins and armed robberies. “Now we have cyber-crime. All a hacker needs is your password and he is in.
“It is a growing problem.”
Five factors for a successful attack:
1. The phisher determines the method (e.g. spear phishing, whaling) to be used, the intended victim, as well as the type of information to be gained from the victim.
2. The phisher usually establishes the first contact with the victim through e-mail, with an attention-grabbing header such as Tax Refund Notification, Important Claim or Warning.
3. Typically, a fabricated story is used to gain the victim’s attention, with the e-mail warning the victim of a supposed problem or threat: for example, that customer accounts have been hijacked, that there has been a security breach, or that details must be updated.
4. To ensure that the victim responds to the phisher’s demand, the phisher adds a threatening element, for example that failure to verify their particulars may lead to the suspension or termination of the account.
5. The victim is sent to a spoofed website which appears legitimate, as it usually carries institutional logos. As a result, the victim tends to trust the website and enters his/her credentials, which are then, unbeknown to the victim, captured by the phisher.
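The warning signs from the best-practice list and the five attack factors above (an urgent header, no personal greeting, a request for passwords or PINs, an embedded HTML form, a link whose visible text names a different host than its target) turned into a simple mail-filter heuristic. This is an added example, not code from the article or the people quoted in it; the sample message, the recipient name and the placeholder hosts are constructed.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Subject-line lures named in the article, plus the account-termination threat.
LURE_WORDS = ("tax refund", "important claim", "warning", "suspend", "terminat")
# Credentials the article says should never be submitted by e-mail.
CREDENTIAL_RE = re.compile(r"\b(password|pin)s?\b", re.IGNORECASE)
# Simple patterns for the HTML checks: an embedded form and <a href> links.
FORM_RE = re.compile(r"<form\b", re.IGNORECASE)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")  # domain-looking text in a link label


def phishing_indicators(raw_message, recipient_name):
    """Return the article's warning signs found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    if any(w in (msg["subject"] or "").lower() for w in LURE_WORDS):
        found.append("urgent_subject")        # attention-grabbing header
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if recipient_name.lower() not in text.lower():
        found.append("no_personal_greeting")  # does not address you by name
    if CREDENTIAL_RE.search(text):
        found.append("asks_for_credentials")  # wants a password or PIN
    if body is not None and body.get_content_type() == "text/html":
        if FORM_RE.search(text):
            found.append("embedded_form")     # HTML with a submission form
        for href, label in LINK_RE.findall(text):
            # Visible text names one host while the real link goes elsewhere.
            shown = HOST_RE.search(re.sub(r"<[^>]+>", "", label).lower())
            if shown and shown.group(0) != urlparse(href).hostname:
                found.append("spoofed_link")
                break
    return found


# Constructed sample (not a real phishing mail); hosts are documentation placeholders.
SAMPLE = """\
To: Jane Doe <jane@example.test>
Subject: Warning: account suspension notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account will be terminated unless you verify your password and PIN.</p>
<form action="http://198.51.100.7/verify"><input name="pin"></form>
<p><a href="http://198.51.100.7/login">www.example-bank.test</a></p>
</body></html>
"""
```

Calling `phishing_indicators(SAMPLE, "Jane Doe")` returns all five indicator names; a statement notice addressed to the recipient by name, with no lure words, forms or mismatched links, returns an empty list.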