BEWARE OF PHISHING SCAMS! warns Mr Thayne Breetzke, Information Systems Lecturer
The more pervasive technology becomes, the more vulnerable we are to cybercrime attacks such as phishing (pronounced “fishing”), the most common type of cybercrime.
In fact, it is likely that you have already been a target of an attempted phishing scam - possibly without even realising it.
What is a phishing scam?
Phishing is a type of social engineering attack where a person pretends to be someone they are not (e.g. your bank, SARS, or an employee). The attacker’s goal is simple: to get you to give them your personal information.
In a phishing attack you receive fake correspondence, very often as an e-mail message that seems to come from a legitimate organisation (but it does not). It tricks you into providing personal information such as a username and password or your bank account/card details.
How serious is it?
A successful phishing attack can lead to:
- Fraudulent activities: The fraudster uses the information you provided to log into your account(s), steal information, steal money from your bank account, etc.
- Identity theft: Someone uses your stolen personal information to pretend to be you, by making purchases in your name, opening credit card accounts or spending credit in your name. You will usually only become aware of this fraud when you are denied credit or receive statements that show overdue balances. Resolving such fraud can be very difficult and expensive and can take years.
How can I avoid being a victim?
A phishing e-mail often looks legitimate but it’s fake. So, do not be fooled!
Consider this example of an e-mail received that appears to be from the South African Revenue Services (SARS):
The following are common signs to look out for, many of which are evident in the example above:
- It looks legitimate: The e-mail often uses the logos and details of the organisation that the scammer is posing as. Sometimes it lacks official-looking logos, etc. (as in this case), which makes it easier to identify as possibly unofficial correspondence. Never trust an e-mail simply because it looks real. Even the sender’s address displayed on the e-mail might be a fake display name that looks legitimate, while the actual e-mail address that the message was sent from belongs to the scammer.
- It contains spelling and/or grammatical errors: Phishing scam e-mails very often contain grammatical and/or spelling errors. The e-mail in this example is littered with grammatical errors (more than five of them). Be very suspicious of e-mails with errors like this.
- It is usually sent to many people: A phishing scam e-mail is sent to a large number of people, but often, the recipients are not listed (as in this example). Treat any e-mail that does not list any recipients, or where the sender and the receiver’s addresses are the same, with much caution.
- It contains no personal information: In this example, no personal taxpayer information was provided in the e-mail, such as the taxpayer’s name or tax number. This makes the e-mail very likely to be spam and therefore fake (“spam” is junk e-mail that is sent to a large number of recipients in the hope that some respond or react). However, note that spear phishing is another form of phishing that targets a specific person. In such cases, the e-mails can include personal information, so be very cautious.
- It often calls for urgent action: A phishing scam message often requires urgent action from you (e.g. that you must log in to update your account before it is closed, receive funds owing to you before they are lost, claim your winnings, or urgently help a friend by sending them money). Be cautious when urged to act fast.
- It contains one or more attachments: Beware of all e-mail attachments and downloads. If an e-mail has an attachment that ends with .html (like in the example above), never click on or download the attachment; treat the e-mail as extremely dangerous. The same is true for attachments that end with .exe (which signifies executable content). Even image files, PDF documents, and other commonly used files attached to an e-mail can be malicious.
In this example, when the victim downloads and opens the REFUNDSARS.html file, a web page that appears to be legitimate will open in their browser. Refer to the point below entitled “It takes you to a web page.” Before downloading or opening any attachment, always ask yourself whether you trust the sender.
- It contains links: A link is text that can be clicked on (it’s usually blue and underlined). When a phishing scam link in an e-mail is clicked on, you will be taken to what appears to be a legitimate web site (i.e. a web page that looks real will open in your browser). Refer to the point below entitled “It takes you to a web page.” Before you click a link, hover your mouse cursor over the link and look at the address that appears above the cursor or at the bottom of the browser window. Often the link will look unusual and will not point to the address of the legitimate web site. For example, a link in an e-mail that claims to be from ABSA Bank may point to aeiou.absbank.net/activate.aspx instead of to their legitimate site, www.absa.co.za.
- It takes you to a web page: The phishing e-mail will usually take you to a web page, either when you click a link or download and open an attachment. Although the web page might look perfectly legitimate, it is actually the scammer’s web page, complete with copied content, logos, etc. The page will ask you to enter personal information (e.g. to receive funds owed to you or to claim your prize). As soon as you enter this information, the scammer has all of it.
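The signs listed above can be checked mechanically before a message is trusted. The following Python script is an added example, not part of this article and not a tool from SARS or any mail provider: it parses a raw e-mail and reports the indicators described above (display name claiming an organisation whose legitimate domain differs from the sender’s address, no listed recipients, urgent wording, a generic greeting, .html/.exe attachments, and links whose visible text names one site while the underlying address goes elsewhere). The sample message is constructed for the example and modelled on the SARS refund e-mail described above; the legitimate domains are the ones this article names, and the keyword lists are illustrative assumptions rather than a complete rule set.

```python
"""Flag the phishing signs described in the article in a raw e-mail (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Organisations mentioned in the article and the domains the article gives as legitimate.
LEGITIMATE_DOMAINS = {
    "sars": ("sars.gov.za", "sarsefiling.co.za"),
    "absa": ("absa.co.za",),
}
# Attachment types the article singles out as dangerous.
DANGEROUS_EXTENSIONS = (".html", ".htm", ".exe")
# Illustrative wording lists (assumption: a real filter would use a much larger set).
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|before it is closed|claim your (prize|winnings|refund)|act now)\b",
    re.IGNORECASE,
)
GENERIC_GREETING = re.compile(r"\bdear (customer|taxpayer|user|client|member)\b", re.IGNORECASE)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Constructed sample message (not a real SARS e-mail), shaped like the one described above.
SAMPLE_EML = """\
From: "SARS eFiling" <refunds@mail-service-xyz.example>
To: undisclosed-recipients:;
Subject: URGENT: claim your tax refund before it is closed
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Taxpayer, you has refund owing. You must login immediately to receive funds.</p>
<p><a href="http://aeiou.absbank.net/activate.aspx">www.absa.co.za</a></p>
</body></html>
--B1
Content-Type: text/html; name="REFUNDSARS.html"
Content-Disposition: attachment; filename="REFUNDSARS.html"

<html>fake page</html>
--B1--
"""


def _domain_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _host_of(text):
    """Host part of a URL, or of a bare domain written as link text."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def phishing_signs(raw_eml):
    """Return a list of (sign, detail) tuples; an empty list means none of the signs was found."""
    msg = message_from_string(raw_eml, policy=policy.default)
    signs = []

    # Display name claims an organisation, but the real address is on another domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2]
    for brand, domains in LEGITIMATE_DOMAINS.items():
        if brand in name.lower() and not _domain_matches(sender_host, domains):
            signs.append(("sender-domain-mismatch", f"'{name}' sent from {sender_host}"))

    # No visible recipients (empty or undisclosed To/Cc).
    recipients = " ".join(str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", []))
    if "@" not in recipients:
        signs.append(("no-recipients", recipients or "<none>"))

    # Urgent wording and a generic greeting in the subject or body text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", body)
    for sign, pattern in (("urgent-language", URGENCY), ("generic-greeting", GENERIC_GREETING)):
        m = pattern.search(text)
        if m:
            signs.append((sign, m.group(0)))

    # Attachments of the types the article warns about.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(DANGEROUS_EXTENSIONS):
            signs.append(("dangerous-attachment", filename))

    # Links whose visible text names one site while the href goes elsewhere, or plain http links.
    for href, link_text in LINK_RE.findall(body):
        real_host = _host_of(href)
        shown_host = _host_of(re.sub(r"<[^>]+>", "", link_text))
        if shown_host and "." in shown_host and shown_host != real_host:
            signs.append(("link-text-mismatch", f"shows {shown_host}, goes to {real_host}"))
        if urlparse(href).scheme == "http":
            signs.append(("insecure-link", href))
    return signs


if __name__ == "__main__":
    for sign, detail in phishing_signs(SAMPLE_EML):
        print(f"{sign}: {detail}")
```

Run against the constructed message, every sign in the list above is reported; run against an ordinary message sent from a legitimate domain to a named recipient, with no attachment and no mismatched link, the list is empty. The checks are deliberately simple (regular expressions over the decoded body) so that each one maps onto a sign a reader can also verify by eye.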
Just like a phishing e-mail, the associated phishing website often looks legitimate. But it is fake, so do not be fooled. In this example, upon opening the REFUNDSARS.html attachment, the following web page appears in the browser, ready to steal your personal information:
The following are common signs to look out for, many of which are evident in the web page above:
- It looks legitimate: Don’t be fooled by a web page that looks real. In this example, the page looks like a legitimate SARS page. Although not shown above, the page even has the correct SARS e-filing logo and the official SARS web site background. It is extremely dangerous to enter personal information on a web page that you are not certain is legitimate.
- The address is suspicious: Before entering any information on a web page, be sure that the address in the browser’s address bar points to the legitimate web site address of the company or organisation. An address can even appear to be correct, but on closer inspection you may see a spelling error in the address which is a likely indication that you have opened, or been directed to, a phishing web site.
In this SARS phishing scam, the browser’s address bar would’ve shown an address that refers to your local computer (which would’ve looked very unusual, such as C:\Users\Anda\Downloads\REFUNDSARS.html) instead of SARS’ web site on the Internet (www.sars.gov.za or www.sarsefiling.co.za).
- It asks for personal information: The web page will ask for information such as a bank account/card number, a password, a PIN or ID number. Sometimes this is required in order for you to “verify” yourself. Be very suspicious when asked to enter account/card numbers, especially the three-digit security number on the back of a bank card, as well as personal information such as an ID number or a phone number. Don’t provide personal/sensitive information unless it is absolutely necessary and you know who will use that information and how it will be used.
- It does not use a secure connection or it uses an invalid one: Only type personal/sensitive information on a web page that uses a secure connection. A secure connection will usually be indicated with a lock indicator next to the address in the browser’s address bar, as shown below. The address in the address bar will also begin with “https:” instead of “http:” (you may have to click on the address first to see it).
Be careful though because even a phishing web site can use a secure connection! Click on the lock indicator and view the security certificate details to ensure that it was issued to the legitimate company/organisation that you are providing your information to.
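The address-bar and certificate checks described in the last three points can be written down as a small routine. The following Python code is an added example, not from this article and not a browser feature: it takes the address shown in the browser (and, optionally, the site’s certificate in the form returned by Python’s ssl.getpeercert()) and reports a local file address, a missing https connection, a host that is not one of the legitimate sites, a host that is only a letter or two away from a legitimate one, and a certificate that was not issued to the legitimate site. The legitimate hosts are the ones this article names (an assumption that these are the only acceptable ones), and the two certificate dictionaries are constructed for the example, not real certificates.

```python
"""Vet the address in the browser's address bar before entering information (added example)."""
import re
import socket
import ssl
from urllib.parse import urlparse

# Legitimate hosts named in the article (assumption: only these are accepted).
LEGITIMATE_HOSTS = {"www.sars.gov.za", "www.sarsefiling.co.za", "www.absa.co.za"}

# A Windows drive path or a file: URL means the page was opened from the local disk,
# as happens when a downloaded .html attachment is opened.
LOCAL_PATH = re.compile(r"^[A-Za-z]:[\\/]|^file:", re.IGNORECASE)

# Constructed certificate dictionaries in ssl.getpeercert() form (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "www.sarsefiling.co.za"),),),
    "subjectAltName": (("DNS", "www.sarsefiling.co.za"), ("DNS", "sarsefiling.co.za")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.sars-efiling.co.za"),),),
    "subjectAltName": (("DNS", "www.sars-efiling.co.za"),),
}


def _edit_distance(a, b):
    """Levenshtein distance, used to spot hosts one or two letters away from a legitimate one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _cert_names(cert):
    """DNS names and common names the certificate was issued to."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return [n.lower() for n in names]


def check_address(address, cert=None, legitimate=LEGITIMATE_HOSTS):
    """Return warning codes for what the address bar (and optionally the certificate) shows.

    An empty list means none of the article's signs was found.
    """
    warnings = []
    if LOCAL_PATH.match(address):
        return ["local-file"]
    # Without a visible scheme we cannot confirm https, so parse it as scheme-less.
    url = urlparse(address if "://" in address else "//" + address)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        warnings.append("not-https")
    if host not in legitimate:
        closest = min(_edit_distance(host, good) for good in legitimate)
        warnings.append("lookalike-domain" if closest <= 2 else "unknown-domain")
    if cert is not None:
        names = _cert_names(cert)
        if not any(host == n or (n.startswith("*.") and host.endswith(n[1:])) for n in names):
            warnings.append("cert-name-mismatch")
        if not any(n in legitimate for n in names):
            warnings.append("cert-not-for-legitimate-site")
    return warnings


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live host's validated certificate in ssl.getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for addr, cert in (
        (r"C:\Users\Anda\Downloads\REFUNDSARS.html", None),
        ("http://aeiou.absbank.net/activate.aspx", None),
        ("https://www.sars-efiling.co.za/", LOOKALIKE_CERT),
        ("https://www.sarsefiling.co.za/", GOOD_CERT),
    ):
        print(addr, "->", check_address(addr, cert) or "no signs found")
```

The last case is the one the article warns about: a phishing site can hold a perfectly valid certificate for its own lookalike host, so a closed lock on its own proves nothing, and the routine still flags the host as a lookalike and the certificate as not issued to the legitimate site. fetch_cert uses the standard library’s default verification, so an invalid or untrusted certificate raises an error rather than being examined.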
Phishing attempts can also take place through social media, instant messages, SMS messages, and when browsing the web. The goal is the same: to steal your personal information for nefarious reasons. Clicking a phishing link can also install spyware on your device that can then secretly collect passwords, bank account/card numbers and other sensitive information and transfer it to the phisher without your knowledge.
Now, more than ever, individuals need to be vigilant against cybercrime attacks such as phishing scams. Use these tips to avoid being the next victim. Stay safe!