Recently, one of my acquaintances, Frank, received an email late on a Monday afternoon with the subject line, “Are you still in the office?” It appeared to come from his manager, who claimed to be stuck in a long meeting without the means to urgently purchase online gift vouchers for clients. He asked for help and shared a link to an online platform, from which Frank bought R6,000 (about US$325) worth of gift vouchers. Once he’d sent the codes he received a second email from the “boss” requesting one more voucher.
At that point, Frank reached out to his boss through WhatsApp and discovered he’d been duped. Frank had fallen prey to a phishing scam.
This is just one example of many from my own circles. Other friends and relatives – some of them seasoned internet users who know about the importance of cybersecurity – have also fallen prey to phishing scams.
I am a cybersecurity professional who conducts research on and teaches various cybersecurity topics. In recent years I have noticed (and confirmed through research) that some organisations and individuals seem fatigued by cybersecurity awareness efforts. Is it possible that they assume most people are technologically astute and constantly well-informed? Or could it simply be that fatigue has set in because of the demanding nature of cybersecurity awareness campaigns? Though I have no definitive answer, I suspect the latter.
The reality is that phishing scams are here to stay and the methods employed in their execution continue to evolve. Given my expertise and experience, I would like to offer seven tips to help you stay safe from phishing scams. This is especially important during the festive season as people shop for gifts and book holidays online. These activities create more opportunities for cybercriminals to net new victims. However, these tips are appropriate throughout the year. Cybercriminals don’t take breaks – so you shouldn’t ever drop your guard.
What is phishing?
“Phishing” is a strategy designed to deceive people into revealing sensitive information such as credit card details, login credentials and, in some instances, identification numbers.
The most common form of phishing is via email: phishers send fraudulent emails that appear to be from legitimate sources. The messages often contain links to fake websites designed to steal login credentials or other sensitive information. The same email will be sent to many addresses. Phishers can obtain emails from places such as corporate websites, existing data breaches, social media platforms, business cards or other publicly available company documents.
Cybercriminals know that casting their net wide means they’ll surely catch some.
Voice phishing (vishing) is another form of this scam. Here, perpetrators use voice communication, like a phone call in which the caller falsely claims to be a bank official and seeks to assist you in resetting your password or updating your account details. Other common vishing scams centre on offering discounts or rewards if you join a vacation club, provided you disclose your personal credit card information.
Social media phishing, meanwhile, happens when scammers create fake accounts purporting to be real people (for instance, posing as Frank’s boss). They then start interacting with the real person’s connections to deceive them into giving up sensitive information or performing financial favours.
Cybercriminals also employ SMS phishing (smishing): text messages that lure individuals into revealing sensitive information such as login credentials or credit card details, typically by clicking on malicious links or downloading harmful attachments.
Who is behind these scams? Typically, these are seasoned and cunning scammers who have honed their skills in the world of phishing over an extended period. Some work alone; others belong to syndicates.
Phishing skills
Successful phishers have a variety of skills. They combine psychological tactics and technical prowess.
They are master manipulators, playing on victims’ emotions. In one common scheme, individuals are deceived into believing they’ve won a substantial sum, often millions, in a jackpot that their cellphone number or email address was supposedly entered into. Consequently, the victim doesn’t seek clarification. Excited about getting the windfall payment quickly, they hand their personal information to cybercriminals.
These scammers even tailor their approach to match individuals’ personal beliefs. For example, if you have an affinity for ancestral worship, be prepared for a message from someone claiming to be a medium, asserting that your great-great-grandfather is requesting a money ritual involving a deposit to a particular account and promising multiplication of your funds – even though your ancestors have communicated no such information.
Likewise, if you are a devout Christian, someone claiming to be “Prophet Profit” might attempt to contact you through a messaging platform, suggesting that a monetary offering to their ministry will miraculously resolve all your financial challenges. It’s simply too good to be true.
Seven tips
So, how can you avoid email phishing scams? Here are my tips.
1. Before acting on an email that seems to be from a trusted colleague or friend – especially if it involves an unusual request – check whether the communication is authentic. Contact them directly through a telephone call.
2. If you encounter suspicious emails at work and are unsure of what to do, promptly report them to your IT department.
3. Exercise caution when disclosing your contact information, such as email addresses and phone numbers, on public platforms. Malicious individuals may exploit this information for harmful purposes.
4. Be vigilant when responding to unsolicited emails or messages that request personal information or immediate action.
5. Validate the sender’s email address. When in doubt, use official contact details from an organisation’s official website to get in touch instead of replying to the message.
6. Don’t click on dubious links. Always double-check the URL before entering sensitive data.
7. Keep your devices, anti-spam and anti-malware software up to date. Use strong and unique passwords or multi-factor authentication.
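Tip 6 says to double-check the URL before entering anything. As an added illustration, not part of the original article, the Python checker below applies the tests a careful reader would run on a link taken from an email: the trusted-domain list and the sample links are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the domains the reader genuinely deals with.
TRUSTED_DOMAINS = {"examplebank.co.za", "mycompany.example"}


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is the trusted domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return reasons to distrust a link. An empty list means the host really is
    one of the trusted domains; it is not proof that the page itself is safe."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if "@" in parts.netloc:
        # Everything before '@' is a username, not the site:
        # https://examplebank.co.za@evil.example goes to evil.example.
        reasons.append("link contains '@': the name before it is not the site")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("no hostname in link")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("link points at a bare IP address, not a named site")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible look-alike characters in the name")
    if not any(host_belongs_to(host, d) for d in trusted):
        # A trusted name embedded in a longer host (examplebank.co.za.login-secure.example)
        # or a close spelling (examplebank-verify.example) is the classic disguise.
        lookalikes = [d for d in trusted if d in host or d.split(".")[0] in host]
        if lookalikes:
            reasons.append(f"host '{host}' only resembles trusted {lookalikes[0]}")
        else:
            reasons.append(f"host '{host}' is not a trusted domain")
    return reasons


if __name__ == "__main__":
    for link in ("https://secure.examplebank.co.za/login",
                 "https://examplebank.co.za@evil.example/login",
                 "https://examplebank.co.za.login-secure.example/",
                 "http://192.0.2.10/voucher"):
        print(link, "->", check_link(link) or "host is trusted")
```

The same host test applies to the domain part of a sender's address (tip 5), although a matching sender domain alone proves little, since the From header can be forged.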