SOMETHING PHISHY? DON’T TAKE THE BAIT!

Did you know that 11% of people open malicious attachments or click on bad links in phishing emails, and that 80% of malicious software attacks come from phishing? Every day, hundreds of phishing scams circulate via email and SMS. So, how savvy are you at identifying a scam and avoiding the bait?

Hendus Venter, Chief Information Officer at African Bank, explains that phishing is when criminals, pretending to be a trustworthy entity, use a form of electronic communication, either SMS or email, to try to extract sensitive information. This information can include usernames, passwords, credit card details and sometimes, indirectly, money, often for malicious reasons.

“Your first line of defence against phishing scams is to be suspicious of everything you receive electronically. Don’t trust or open any communication that you may have a moment’s doubt about. Rather get in touch with the company in question to check whether they actually sent it. Don’t click on the link to get hold of the company in question,” he says.

 

Being able to identify a phishing scam is also helpful, so here are four things you can look out for:

  • Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like First Generic Bank Customer so they don’t have to type all recipients’ names out and send emails one by one. If you don’t see your name, be suspicious.
  • Forged link. Even if a link has a name you recognise somewhere in it, it doesn’t mean it links to the real organisation. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don’t click on the link. Remember, websites where it is safe to enter personal information begin with https — the s stands for secure. If you don’t see https, do not proceed. You should also always question the sender, but be careful because hackers can spoof a sender’s email address to make the mail look like it comes from someone you know. Some common phishing emails include: you have voice mail; payment/invoice notifications; shipment notifications; and flight or hotel booking confirmations.
  • Requests personal information. The point of sending phishing emails is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt. It will ask you to click on a link, open an attachment or provide details of some kind.
  • Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim. If the message triggers an emotional reaction such as curiosity or fear, or tries to pressurise you, there’s a good chance it’s a fake.

 

So you’ve done the dreaded deed and accidentally responded to what you think may be a phishing scam. Now what? Venter says you need to immediately contact the company directly and inform them of the incident. “They should have a standard procedure on how to handle the event and protect the information you have disclosed, i.e. reset logon credentials. But remember, don’t use company contact details on the phishing mail, but rather use contact details found on a statement, at the back of a card or look for a website.”

“In the event that there is a loss of money through the phishing scam, companies generally handle each case on its individual merits. The first port of call is to contact the fraud department and an investigation will be opened,” adds Venter.

 

He explains that while the onus lies on individuals not to take the bait, companies are doing what they can to educate their customers and staff on phishing scams. “Most companies have a dedicated department that focuses purely on this type of fraud, educating customers and dealing with enquiries. There are also generally web pages with educational material available for customers to use. Companies are also using professionals, such as those at Popcorn Training, to train their staff.”

 

Sacha O’Reilly, from Popcorn Training, emphasises just how important it is to conduct training and awareness around phishing scams. “The public also needs to be aware that phishing doesn’t stop with emails. Fraudsters make use of many different channels such as social media, WhatsApp, SMS and even call you to apply further pressure via the phone. This is called vishing.”

 

Spear-phishing, another type of phishing, is where criminals personalise their attacks for individuals specifically. “They know things about you, call you by name and create a tailored scam that looks legit. For example, they may pretend to be one of your Facebook friends, a supplier or someone from an internal department. They aim to steal your personal information and target your insider user account to escalate its privilege, gain access to sensitive information or infect your computer with malicious software such as ransomware,” she explains.

 

People also make the mistake of assuming that SMSs are safer than e-mails, because they appear to be more of a personal communication method. “Unfortunately, this is not the case. Just like a bank will never ask for your confidential information over e-mail, they would never ask for them through an SMS either.”

 

“Remember, be alert and always think before you click. It’s also a good idea to save the phone number of your bank on your mobile, and always phone your bank to verify potentially fraudulent emails or SMSs,” she says.

 

Venter adds that it’s also important to practise good security hygiene. “Make sure that your security software is up-to-date.”

 

“Don’t become a victim. Educate yourself and remember, think before you click!” concludes Venter.
