Menu
On the cybercrime timeline, phishing dates back to the mid-1990s when hackers exploited one of the earliest internet service providers to steal passwords and credit card data from unsuspecting users. Technology has evolved significantly since then, but phishing remains a popular attack method because it’s specifically designed to take advantage of human nature.
Phishing is the practice of using fake, fraudulent, or deceptive communication to lure or convince a targeted person (or group) to hand over sensitive information.
Cybercriminals pretend to be legitimate, trustworthy sources and contact their victims by email, phone, or SMS with the goal of acquiring anything from personal data and banking details to usernames and passwords.
The scammers then leverage the newly acquired information for their own illicit purposes, which may include identity theft, credit card fraud, or privileged account access, among other things.
Email phishing, spear phishing, whaling, smishing, and vishing are five common types of phishing attacks. Learn to recognise the warning signs so that you’re less likely to be fooled by a scam message.
Email phishing (also called deception phishing or deceptive phishing) is perhaps the most well-known type of phishing. In this kind of scam, attackers impersonate a real company, organisation, or group and send out mass emails to as many email addresses as they can find. This so-called “spray and pray” approach is a numbers game for the perpetrators, and even if they only hook a handful of victims, the attack may still prove worthwhile and lucrative.
How do they do it? The scam email message is intended to make you perform an action, like downloading an attachment or clicking on a link. Malware embedded inside the attachment is activated when you open the file, and the link destination is often a malicious website primed to steal your credentials or install nefarious code on your device.
Consider this example… You receive a legitimate-looking email from your streaming service, saying your account has been temporarily suspended because of unusual activity. You’re instructed to click on a link inside the email, to verify your account credentials. You expect to be directed to the streaming service’s login page, but the link actually takes you to a lookalike login page that harvests your username and password.
Spear phishing takes the concept of email phishing and applies it to a specific individual or group. Instead of the bulk, generic communication associated with regular email phishing, spear phishing involves customised messaging for a selected target. As the name implies, spear phishing is a pointed attack, not a wide-net manoeuvre, and scammers will often leverage publicly available corporate collateral to fine-tune the elements of their email trap.
How do they do it? Detailed, personalised messaging is key to the success of any spear-phishing campaign – because the attackers have to make you, the recipient, trust them enough to do what is asked in the email. They may spend days or even weeks on research and information-gathering (from your company’s website, social media pages, and published reports) as part of their efforts to trick you into action.
Consider this example… You’re the accounting clerk responsible for processing vendor invoices. You receive an email from an unknown vendor, with a PDF invoice attached. The message is well-written and friendly. The email sender knows your name and is knowledgeable about your company; they even send their best wishes to your colleague, John, whose motorcycle accident was addressed in your company newsletter last week. You believe that the vendor is legitimate and open the attachment, which then delivers malware to your laptop.
Whaling (also called whale phishing) is the term used to describe phishing attacks aimed at a company’s most senior, most connected, or most influential leaders – the whales. The chief executive officer, chief operating officer, chief financial officer, chief technology officer, and other senior managers are attractive targets because of their high-level access to company resources. With an executive’s login credentials in their possession, scammers may be able to transfer corporate funds, expose private data, or impersonate the target to disrupt or damage the business.
How do they do it? Like spear phishing, whaling requires a tailored approach. Cybercriminals may have to profile the chosen individual for months to gain sufficient insight into their personal and professional lives. But as soon as the phishers have enough information, they can create believable, persuasive messages to try to deceive their victims into downloading malicious files or visiting compromised websites.
Consider this example… A new email lands in your inbox – and it’s from a law firm. The subject line and the content of the message imply that your company is being sued for millions by a former employee. The preliminary paperwork is attached to the email. As the chief legal officer, it’s your responsibility to investigate – but you don’t realise that the attachment is tainted.
Smishing (also called SMS phishing) uses a text message rather than an email message to conduct a phishing attack, but the rationale is the same: scammers want to fool you into clicking on a risky link, downloading a malicious application, or surrendering your personal information.
How do they do it? Digital fraudsters take advantage of the fact that you keep your smartphone within reach and probably read your text messages soon after they arrive. And, as with other phishing methods, deception is their key tool. By masquerading as bona fide businesses (like your supermarket) or trusted sources (like your bank), they can deliver compelling texts directly to you – quickly, easily, and more than once.
Consider this example… You receive an SMS offering 20% off your next clothing purchase. The offer appears to come from your favourite fashion outlet, and uses the same language and style (right down to the abbreviations and emojis) that you’ve seen from the store in the past. To receive the discount, which is only available to the first 100 customers, you need to click the link and claim your coupon code online. You don’t know that the link, when clicked, installs malware on your phone.
Vishing (also called voice phishing or phone phishing) is when scammers call you directly – on your home landline, your work phone, or your cell – and try to make you give out personal or corporate information. Often, they will exploit annual trends and public concerns, or create a sense of panic that makes you feel compelled to comply with their requests.
How do they do it? The person making the fraudulent phone call may pretend to be a tax official who needs your company registration number for verification before refunding money to you. They may claim to be a health official calling to put you on the list for a COVID-19 vaccination. They may even claim to be a customer service agent from your bank, alerting you to suspicious withdrawals from your account. In every scenario, the phisher on the other end of the line will do their utmost to extract sensitive information from you.
Consider this example… You’re called by someone who claims to be from an insurance firm. They say that you’ve been named as a beneficiary in the estate of their deceased client, and you stand to receive a substantial sum of money if you can verify your identity in line with the facts in their possession. You may be asked for your full name, your ID number, your physical address, and your other phone numbers as the impersonator tricks you into providing confidential, high-value information over the phone.
These five types of phishing attacks are among the most prevalent, but they’re not the only ones used by cybercriminals. You need to be able to spot the tactics (and teach your teams to spot them, too) so that would-be phishers do not succeed when they target you and your staff.
Prepare your business teams for the dangers of cyberspace with comprehensive security training from BUI and Cyber Risk Aware.
Check out the on-demand webinar featuring our own Wayne Nel and Cyber Risk Aware CEO Stephen Burke to learn more.
BUI CISSP Neil du Plessis and First Digital KZN Managing Executive Gabriel Malherbe discuss why a security strategy is critical for any enterprise with web-facing assets.
In 2019, South Africa had the third-highest number of cybercrime victims in the world. Attacks from the darkest corners of the web cost our economy more than R2.2bn. From government portals to municipal networks and databases, the public sector was a regular target. In the private sector too, cyberattackers zeroed in on e-commerce platforms, internet service providers, and financial institutions.
There’s a similar trend in 2020. Since the beginning of the year, hackers have taken aim at local enterprises including chemical supplier Omnia, hospital group Life Healthcare, and vehicle-recovery firm Tracker. Internationally, headline-making incidents involving car manufacturer Honda, GPS technology company Garmin, and energy group Enel have also highlighted the consequences of digital villainy, and put corporate cybersecurity practices in focus across the globe.
In 2019, South Africa had the third-highest number of cybercrime victims in the world, according to researchers.
“When it comes to defending against cyberattacks, modern enterprises must consider the growing complexity of their operational environments and the web-enabled commercial landscape at large,” explains Neil du Plessis, our CISSP and cloud security architect. Connectivity can be a powerful business driver, but it can also be a double-edged sword: the greater the number of integrated platforms, systems, and applications, the broader the attack surface. “You no longer have the luxury of drawing a perimeter around your organisation,” states Du Plessis.
Gabriel Malherbe, the KZN managing executive at our sister company First Digital, agrees. “In a hyperconnected world, your cybersecurity measures cannot stop at the front gate. Those days are long gone. Today, a business environment is not just a physical space: it extends beyond walls and fences, across devices, across networks, and across borders. The challenge now – especially for those moving ahead with digital transformation – is holistic protection,” says Malherbe.
South Africa is one of the fastest-growing countries globally for IT expenditure, and local enterprises are spending significant funds on software and services delivered via the internet. They’re also moving core systems online. “Modernisation is a big motivator,” says Malherbe. “There’s a growing interest in disruptive technologies, and how they can be leveraged to help people accomplish more. The ‘more’ factor may change from company to company, but I think the stimulus is the same in many cases, and that’s the desire to prepare for an increasingly digital future,” he explains.
Being online can open the door for businesses to become more agile, more productive, more efficient, more responsive, and more cost-effective – but there are risks to consider in pursuit of such rewards, cautions Du Plessis. “Whether an online presence is part of your overall business development strategy, or a planned transition to serve your customers where they are, or even a productivity requirement to enable remote work right now, cybersecurity should be a primary concern. Unfortunately, this is not always the case, and some of the biggest security incidents in recent history are now cautionary tales about the perils of poor cyber hygiene,” he says.
Du Plessis highlights the 2018 ViewFines data leak as an example. “The PII records of almost a million South African motorists were leaked publicly, and sensitive personal information – including full names, ID numbers, and plaintext passwords – was compromised. The root cause was a web server vulnerability that could have been addressed beforehand through mitigation techniques like vulnerability scanning, penetration testing, server hardening, and patch management,” he explains.
Malicious actors continue to employ a wide range of scams to try to gain access to valuable data and corporate assets. Phishing, smishing, and vishing are common methods of attack, but malware is becoming a popular choice as cyber villains look beyond everyday IT infrastructure to more complex OT ecosystems in sectors as diverse as retail and industrial manufacturing.
“The EKANS ransomware used against Honda earlier this year is a case in point,” Du Plessis says, referencing the sophisticated malware that targeted the auto-maker’s industrial control systems and affected production lines in Europe, Japan, and the United States. “It’s absolutely critical for modern enterprises to establish cybersecurity practices that include all web-enabled processes, not only traditional IT,” he advises.
Security should be built in from the ground up and across the board, concurs Malherbe. “There’s a duality to the internet that you need to remember: it connects you to the world and it connects the world to you. Every web-facing resource, from your homepage to your e-commerce store, is exposed to a degree of risk. When you understand that, then you can take action to protect your assets while you reap the rewards of doing business on the web,” he says.
“Cost, convenience, and customisation potential are all factors pushing local businesses to explore some kind of online presence,” continues Malherbe, adding that First Digital has seen a dramatic increase in the number of clients asking for e-commerce solutions in recent months. The trend, he argues, can be attributed to the prevailing market conditions as well as the changing behaviour of tech-savvy consumers.
“Even before the movement restrictions imposed during the COVID-19 lockdown, brick-and-mortar stores and shopping malls had started to feel the ripple effect of our stagnant economy: dwindling foot traffic, conservative spending, and tougher competition for every available rand. On top of that, there’s growing consumer demand for personalised, intuitive retail experiences. More and more, we’re seeing brands turn to e-commerce to drive sales and boost shopper engagement,” he says.
Modern enterprises need to establish cybersecurity practices that include all web-enabled processes, not only traditional IT, advises BUI CISSP Neil du Plessis.
Business-to-consumer enterprises aren’t the only ones taking advantage of web-enabled technology. In the business-to-business space, bespoke trading platforms and vendor portals are being deployed to enable broader collaboration, integration, and co-operation. Greater functionality, however, demands greater security measures, reiterates Du Plessis. “Several high-profile cyberattacks have been linked to human error, or the misconfiguration of IT resources, or inadequate security controls. In B2C and B2B companies, cybersecurity strategy needs to be prioritised to help safeguard data, applications, infrastructure, and users,” he says.
BUI and First Digital have partnered on several projects to deliver secure solutions to local organisations. “I think customers understand the value of such engagements, especially given our complementary disciplines,” says Malherbe, citing a recent piece of work for Korbicom that drew on both teams’ expertise. “First Digital was brought in to provide Azure support, and BUI came on board later to perform penetration testing. The result was an intensive review of Korbicom’s web application, from architecture through to security,” explains Malherbe.
Korbicom’s application architect, Shaun Rust, was pleased with the results. “As a niche software development company, Korbicom creates custom solutions for clients in the legal sector, the insurance industry, and the financial services industry. Understandably, security and compliance are particular concerns. Our consultations with First Digital and BUI revolved around the functionality and security of a newly developed application, and their advice and assistance was very much appreciated.”
South African companies have to be prepared for sustained and increasingly sophisticated cyberattacks designed to compromise web-facing assets. “If you collect customer data through your website, or payment details through your e-commerce store, then you’re a potential target because sensitive information like that is valuable to somebody, somewhere,” cautions Du Plessis. “It doesn’t matter how big or small you are: data is a commodity. And I think we’ve all seen enough headlines to know that it is being bought and sold worldwide. The protection of your online business environment has never been more important than it is today,” he says.
Malherbe feels the same way. “If you don’t put adequate defences in place, then your enterprise is exposed, vulnerable, and at risk. You cannot afford to be in that position when the threat landscape changes by the minute. You have to make cybersecurity a priority – from day one, and every day after that,” he concludes.
A version of this article was published by First Digital, a fellow First Technology Group company specialising in application development, business process management, enterprise content management, integration, and managed services. Connect with First Digital on LinkedIn, Facebook, Twitter, and YouTube, or visit www.firsttech.digital to learn more.
Our state-of-the-art cybersecurity facility is backed by world-class Microsoft security technology, including Azure Sentinel – Microsoft’s cloud-native security information and event management software.
The BUI Cyber Security Operations Centre is the first of its kind in Africa. It is staffed 24 hours a day, seven days a week, by certified security specialists who can help you to safeguard your critical business assets.
