This is the familiar tale of the notorious 419 scams of which most people are aware. Cybercrime has, however, evolved over the years with the significant emergence of malware attacks, ransomware attacks, hacking, spamming and phishing.
Spamming and phishing are two very common forms of cybercrime, mainly because email is still the most common way to perpetrate a cyber-attack. Heavy reliance on email communication has also made both individuals and organisations vulnerable. 91% of cybercrime attacks are initiated via email, whilst 88% of South African organisations have experienced a phishing attack in the last 12 months. This is according to the Mimecast State of Email Security 2019 Report. Phishing has, however, remained a persistent problem because of the human element: people are inadequately prepared or trained to identify phishing scams and to avoid becoming victims of them.
Phishing is a type of socially engineered cybercrime which tricks people into divulging their personal information. Phishing occurs when an email is sent to a person by a cybercriminal who is pretending to be a legitimate source. The goal is to mislead the email recipient into believing that the message contains information that he or she requires. There are different types of phishing attacks, and they can occur in one of the following ways:
Bulk-phishing: where the attack is not specifically targeted or tailored toward one recipient;
Spear-phishing: where the attack is targeted at specific individuals or companies and tailored accordingly;
Clone-phishing: where the cybercriminal takes a legitimate email containing an attachment or link and replaces that attachment or link with a malicious one; and
Whaling: when the phishing attack is specifically targeted towards high-value individuals in senior positions in companies.
There are also variations of phishing attacks such as smishing, which is a form of phishing where a cybercriminal sends malicious SMS text and social media messages to obtain valuable information. Smishing is becoming a popular cybercrime as people tend to open text messages more often than emails. Phishing can also occur in the form of a telephone call or voice message purporting to be from a reputable institution such as a bank. This is called vishing.
Despite the cliché names given to these malicious attacks, phishing should not be trivialised. Cybercriminals are no longer just targeting individuals; organisations are also being affected by elaborate attacks aimed at company data, intellectual property, senior executives' emails or any other sensitive information. Phishing can result in the loss of sensitive data, which can ultimately affect a business's revenue or brand. Individuals and organisations need to be aware of these various types of phishing attacks. The cardinal rule when it comes to preventing cyber-attacks is to be sensitised to cyber risks.
Red flags which could indicate a phishing attempt include emails or text messages that suggest urgency or a limited time to respond, spelling errors or bad grammar, an unusual sender or an unexpected message. Individuals should also be wary of being asked to provide personal details such as a banking password over the telephone or by email, and should avoid installing or updating mobile apps from links received in a text message.
In order to not take the bait, if an email or text message which resembles the features that are described above is received, the best response would be to delete the email or text message and/or contact available technical support. Most importantly, where there is doubt about the authenticity of the message, it would be prudent to independently contact the purported sender to verify the contents thereof by using a known contact number. The contact details contained in the email or message should not be used as cybercriminals have in many cases resorted to providing ‘fake’ contact numbers so they can deal with the queries should the victim try to verify the information, thus making the entire scenario appear to be legitimate.
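The red flags and the "do not use the contact details in the message" rule above can be turned into a simple triage check. The following is an added example, not part of the original article: it scores a constructed sample email against the article's indicators (urgency, spelling errors, unusual sender, contact details supplied in the message itself) and returns the recommended response. The known-sender domain list and the misspelling list are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for the example; "Example Bank" is fictitious.
SAMPLE = """From: "Example Bank" <alerts@secure-login-verify.example>
To: user@example.com
Subject: URGENT: your account will be suspended within 24 hours

Dear valued customer,
We have detected unusual activitys on your acount. Verify immediately by
calling 012 345 6789 or clicking http://secure-login-verify.example/login
"""

# Phrases that signal urgency or a limited time to respond (article red flag 1).
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|suspended|act now|limited time)\b", re.I)
# Tiny constructed misspelling list; a real check would use a dictionary.
MISSPELLINGS = {"acount", "activitys", "recieve", "verfy"}


def phishing_red_flags(raw_message: str, known_sender_domains: set) -> list:
    """Return the article's red flags that this message exhibits, in a fixed order."""
    msg = message_from_string(raw_message)
    flags = []
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # plain-text body for this simple message
    if URGENCY.search(subject + " " + body):
        flags.append("urgency or limited time to respond")
    words = set(re.findall(r"[a-z]+", body.lower()))
    if words & MISSPELLINGS:
        flags.append("spelling errors")
    _display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in known_sender_domains:  # assumption: allow-list of expected senders
        flags.append("unusual sender domain: " + domain)
    # Phone numbers or links inside the message must not be used for verification.
    if re.search(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b", body) or "http" in body:
        flags.append("contact details or links supplied in the message itself")
    return flags


def recommended_action(flags: list) -> str:
    """The article's advice: delete and verify independently via a known number."""
    if flags:
        return "delete and verify with the purported sender via a known contact number"
    return "no red flags found; remain cautious"
```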
Cybercriminals are intimately familiar with how corporate email users interact with the internet, and they are constantly evolving their techniques to trick users into giving up information. This is why individuals, both in their private capacity and in their capacity as employees, need adequate cybersecurity awareness training. A lack of adequate cybersecurity measures also contributes to the risk of a phishing attack or another cyber-attack on organisations and individuals. Organisations need to devote resources to implementing effective cybersecurity measures and risk management controls. These measures should include keeping system software updated, implementing endpoint protection, using secure internet connections, and securing web browsing and email. The same measures are available to individuals for personal computers and mobile phones. In addition to technical measures, organisations and individuals may also consider obtaining cyber liability insurance. Cyber liability cover can help to meet the costs arising from the effects and consequences of a cyber-attack. The cost of preventative measures is far outweighed by the cost of falling victim to a cyber-attack.
Individuals and organisations need to take a proactive approach to protecting against the loss of personal and business data. Both groups must invest time and resources to adequately address the fact that cybercriminals continue to exploit the human element. This can be done through training on how not only to recognise a phishing attack, but also to respond appropriately to such threats. As the old adage goes, prevention is better than cure. In the case of cybercrime, prevention is also the first line of defence against falling victim to cyber-attacks.