South African National Cybersecurity Awareness Portal

Qaphela Online

Phishing

Phishing is a method of deceitfully obtaining personal information such as passwords, identity numbers, credit card details and sometimes, indirectly, money. Essentially, it is an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. Phishers might call you or send e-mails that appear to be from trusted sources such as banks, other financial institutions or legitimate companies. Such e-mails may direct you to click on a link to a website where you are asked to update your personal information such as passwords, credit card details, social security number or bank account number. This fake website is specifically designed for information theft.

One of the most common forms of phishing is "spear phishing", a more targeted version of phishing in which an e-mail is sent to a targeted individual. Spear phishing often has a high success rate as it bypasses traditional security defences and exploits vulnerable software.

Spam, fake websites and other techniques are used to trick people into divulging sensitive information, such as bank and credit card account details. Once phishers have captured enough victims' information, they either use the stolen information themselves to defraud the victims (e.g., by opening up new accounts using the victim's name or draining the victim's bank accounts) or they sell it on the black market for a profit.

How to spot a phishing attack:

Generic greeting – Phishing emails are usually sent in large batches. Phishers use generic names like "First Generic Bank Customer". If you do not see your name, be suspicious.

Forged links – Even if a link has a name you recognise somewhere in it, it does not mean it links to the real website. Roll your mouse over the link and see if it matches what appears in the email. If it does not match, do not click on it.

Requests personal information – The point of sending a phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.

Sense of urgency – Cybercriminals want you to provide your personal information now.

Recommendations:

The most effective defence against phishing attacks is prevention. To prevent, or at least cut down on, phishing attacks, you must:

Avoid providing personally identifiable information to strangers or unknown websites, replying to unknown numbers, etc.

Always type in the full URL of the website. Do not follow links from another website.

Send a request to the hosting company to take down the fraudulent website.

Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.

If an unknown individual claims to be from a legitimate organisation, try to verify his or her identity directly with the company.

Do not provide personal information or information about your organisation, including its structure or networks, unless you are certain of a person's authority to have the information.

Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in emails.

Don't send sensitive information over the Internet before checking a website's security.

Pay attention to the URL of a website. Malicious websites may look identical to a legitimate website, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

Never use contact information provided on a website connected to the request; instead, check previous statements for contact information.

Install and maintain antivirus software, firewalls, and email filters to reduce some of this traffic.

Take advantage of any anti-phishing features offered by your email client and web browser.

Consider reporting the attack to the police, and file a report with the Cybersecurity Hub Phishing Department.

More Information

www.saps.gov.za/alert/safety_awareness_fraud_scams.php

www.saps.gov.za/alert/phishing.php

scambuster.co.za/phishing/