Phishing, smishing. No, we’re not saying bah-humbug to cybersecurity – smishing is, in fact, yet another form of online attack.
While you may not be familiar with all the different ways that criminals may set out to defraud you online, a spate of data breaches over the past decade has put cybersecurity firmly at the forefront of consumer consciousness. More recently and in local news, a well-known credit bureau confirmed that it has been the victim of a cybersecurity attack, with the hacker gaining access to the data of the millions of South Africans who had entered into a credit agreement at some point in their lives.
“While no one wants to have their private data accessed by an unauthorised party, the very real repercussion is that phishing attacks have the potential to put your finances at risk, specifically with so many of us transacting online these days,” warns Liezel Gordon, Client Engagement Team Lead at Metropolitan GetUp.
Gordon unpacks the different types of ‘phishing’ attacks and what to be on the lookout for.
Gone Phishing
‘Phishing’ refers to someone trying to defraud you or steal your money by getting you to reveal your personal information.
Phishing generally involves a message – often sent by email – that appears to be from a trusted source…but it’s not. “The criminal aims to steal your information or money by getting you to click on a malicious link, download an attachment or share sensitive information.
“Phishing targets humans, not computers. These scammers play on your emotions to trigger their desired reaction. They may tempt you into responding by creating a fraudulent scenario where you’re the beneficiary of a large sum of money; or they might claim that your account has been locked, throwing you into a state of panic where you are more amenable to doing as they suggest.”
Gordon shares a few red flags. “Watch out for signs that make the communication seem unprofessional: a messy layout, pixellated and distorted logos, or poor spelling and grammar. Is the wording and phrasing of the copy disjointed and not what you’d expect from a professional organisation? Are there capital letters used in odd places, random spacing, and are certain words in different fonts or sizes?”
She also advises looking at the sender’s email address. Does it display a random string of characters, or does it purport to be from a professional organisation, but reflect a Gmail or Yahoo email address? These are all warning signs.
Finally, she says, if something sounds too good to be true, it generally is. “If the email claims that you’re due large sums of money – especially if the sender doesn’t address you by name – it’s very likely a phishing attempt.”
Smishing, Vishing and Spear-Phishing
‘Smishing’ is the same as phishing, but instead of the attempt being made via email, a fraudulent link appears via SMS. “Criminals use this mechanism as people often trust updates that are delivered to their phones. If an SMS contains banking info or alerts, tread carefully. Rather call your bank before clicking on the link.”
‘Vishing’ is a new tactic that refers to ‘voice phishing’, generally conducted via phone call. “During a vishing expedition, a scammer uses social engineering to get you to share personal information and financial details. Reputable companies will never call you at home asking you to transfer funds, provide confidential information or supply passwords. If you’re unsure, simply hang up and call the institution back, using the official phone number found on the company website.”
‘Spear-phishing’ – also known as whale-phishing – targets specific subcategories of people (for example, an HR manager or a doctor). “These are generally more sophisticated and thus harder to spot,” warns Gordon.
“These scammers use e-mail spoofing to fool the receiver into thinking the email originated from somewhere else. The criminals usually know a bit more about the person that they are targeting, and often their communication is more personalised. This is an advanced phishing attack and warrants extra caution and vigilance.”
Avoid the bait
Conducting your financial affairs online makes sense, says Gordon. “It’s convenient, often cheaper and allows you access at any time of the day or night. In many ways, it is far safer and more secure than carrying cash or conducting transactions in person.”
However, it is important to remain vigilant, she says. “Firstly, ensure that your passwords are secure. These should be long and contain a combination of different characters, capital and sentence case letters, as well as numbers. Avoid using personal details such as surnames and birthdays, and don’t use the same password for different accounts. You can also look into two-factor authentication or biometric options, if available.”
Secondly, use your common sense, she says. Stay focused on what you are doing, slow down and be vigilant. “Criminals like creating a sense of urgency to get you to act quickly.”
Finally, think before you click, or proceed with a transaction or request. “Trust your intuition – if you suspect anything, rather stop and do the due diligence. A credible institution will never mind you taking the time to verify their authenticity – and you may save yourself a great deal of stress down the line.”