Siege mentality

Published Sep 30, 2015


This article was first published in the second-quarter 2015 edition of Personal Finance magazine.

In Randfontein, a woman borrows R30 000 to pay for a car she’s seen advertised online. After a flurry of email exchanges with the seller, during which she is assured that the transaction is being managed by e-commerce giant eBay, the truth sinks in: she’s not getting the car, and, worse still, she’s committed to repaying the loan at R2 800 a month for the next four years.

A Cape Town journalist responds to an online advertisement for a camera package at a very attractive price. He promptly orders it, paying R5 595, plus a R200 delivery charge, via EFT (electronic funds transfer), rather than the more conventional credit card. After a long run-around, with emailed references to bogus couriers and “customs” hold-ups, the penny drops: he’s been scammed and will never see his camera or his money, for that matter.

An eager buyer from Durban answers an online advertisement offering a Samsung tablet for R3 500, a bargain by anyone’s measure. She pays up – again, via EFT – and that’s the end of it: her tablet never arrives and her money is gone. She’s hardly mollified by the fact that she didn’t pay the additional R2 050 demanded by the “couriers” to release her package.

In case you hadn’t noticed, we’re under siege. While we go about our everyday lives, using the unimaginably huge resource called the internet to do our banking, communicate with friends and family, explore new relationships, invest our hard-earned cash, book our holidays and buy all manner of stuff online, people on the other side of the world – or perhaps at the next table in our local coffee shop – are doing their best to ruin our day.

Bank account-related scams (which rely largely on so-called phishing strategies) are a breed on their own, and, fortunately, most people are sufficiently savvy to avoid them. However, cyberspace remains a happy hunting ground for criminals who change the rules of play all the time.

Take the example of Booking.com, a perfectly respectable and very successful international reservations portal that has suffered serious damage to its reputation as a result of a scam perpetrated on its users. A consumer programme on the BBC’s Radio 4 channel described how it works: victims who have made a hotel booking receive a call from someone claiming to represent the hotel, asking them to confirm that they are still planning to take up the booking on such-and-such a date, because the hotel is experiencing a flood of demand. (For the record, Booking.com does not ask for a deposit; that’s one of its attractions.)

Victims are told to expect an email confirming the booking, thereby softening them up for the email, which does confirm, but informs them the high demand requires that the hotel obtain payment in advance this time, so would they please send the full amount due for the booking immediately.

Closer to home, accommodation scams remain a headache for hospitality providers and guests alike. Heather Hunter, the vice-chairman (coastal) for the 800-member National Accommodation Association of South Africa, says owners of guesthouses and bed-and-breakfast establishments have to be relentlessly vigilant for new tricks.

“We are constantly sending out tips and warnings to our members, because the scams are constantly evolving. The accommodation industry is very vulnerable to fraud, and we have to stay ahead of the game, especially at special times of the year such as Christmas holidays and matric celebrations. I know of one parent who paid R12 000 upfront to book accommodation that didn’t exist.

“Many people are happy to book online and make no effort to verify the reservation, because they’re too busy to make a phone call. This can be an expensive mistake. What’s annoying is that this kind of fraud is not only costly for the victim; our members also have to deal with the fallout, even though it’s not their fault,” Hunter says.

Here’s the thing: although we should be wise to scamsters by now, and on our guard at all times, evidence suggests that many people are either unaware of increasingly sophisticated attacks from many directions or simply don’t care, assuming that it couldn’t happen to them or it is someone else’s problem. This way lies regret.

The fact is the cyberspace battlefield is just that – an ever-changing, distinctly dangerous place, characterised by clever traps, diabolical “hooking” strategies (it’s hard to resist a must-have gadget or “holiday special” at an unbelievably low price) and very real threats to your money, your privacy, your reputation and, in extreme cases, even the physical well-being of you and your family. Experts agree that the secret of protecting yourself is a healthy dose of scepticism, perhaps leaning to mild paranoia. Never forget the mantra: if it looks too good to be true, it probably is.

Some scams rely on the uniquely human qualities of loneliness and compassion, while others exploit the less palatable frailty we call greed. You may not be proud of it, but greed lurks in the most unlikely people, and when you are confronted with an opportunity to score a bargain or, better still, get something for nothing, you are transformed into a “mark” (variously defined as non-streetwise or an easy target). As for loneliness and compassion, the cases of relationships that have flourished on social media and email and then turned out to be honey traps set to separate people from their money are legion.

Recently, the Weekend Argus newspaper reported on an international scam in which unsuspecting women across the globe were defrauded by men they had befriended on internet dating sites, including Match.com. Papers filed at the Western Cape High Court suggested more than R5 million was deposited into five Absa bank accounts that were subsequently frozen after the Asset Forfeiture Unit obtained a court preservation order. The paper said the suspected syndicate of scamsters, including a Nigerian man thought to be a key figure in the syndicate, was under investigation for fraud and money-laundering after an American woman raised the alarm. The man reportedly provided one victim with a South African cellphone number and mailing address.

The bad news (almost always painfully obvious after the event) is that you will not be receiving a huge windfall after your email address was selected in a Yahoo! lucky draw, Bill Gates has no intention of sharing his fortune with you, your cellphone was not chosen in a Rica competition, and, unless you took leave of your senses and responded to that tempting email, you should not expect to hear again from J Edgar Hoover (although why anyone would want to communicate with the ghost of the cross-dressing former FBI director remains unclear).

David Emm, a senior security researcher at Kaspersky Lab, a software security group headquartered in Moscow and operating in almost 200 countries and territories worldwide, told Personal Finance that online scammers often exploit people’s fallibility by using “hooks”, such as sporting events or topical issues, typically offering something for nothing.

“They can be very clever, even going to the trouble of setting up clone websites that collect information such as credit card and banking details – and that kind of information is gold for the scammer. If they can trick you into disclosing a password, they will steal your money, your identity, and more.”

A decade ago, Emm says, hackers would trick their victims into downloading malware (short for “malicious software”: software designed to go undetected while it accesses or damages other computers), but today they are paying more attention to “insecure” websites from which they can extract useful information. Because the rules of the game change very quickly, he says, it is imperative that computer users keep their security software up to date – and this includes patches (pieces of software issued to fix a bug in a software program after it has been released) for apps and software updates for Adobe Reader, Adobe Flash Player and Java.

Many people forget that their tablets and phones are also computers, Emm says, and this can have serious consequences, because these devices come with their own vulnerabilities.

Mobiles are often the repository of personal and professional information that could be extremely useful to criminals, including banking details, passwords, reminders, family photos and videos, yet many phone users give no thought to security and don’t have so much as a SIM card lock requiring a PIN every time you power the phone on.

“Hacking computers and other devices is remarkably easy. In fact, you can go online for free tutorials,” Emm says. “The internet is now woven into the fabric of our lives, and many of us routinely bank, shop and socialise online. This makes life more convenient, but unless we take steps to protect ourselves, every online transaction opens a window of opportunity for cybercriminals.”

Malware is only one of many methods used to capture personal information and steal other people’s money, Emm says. “Criminals also make widespread use of ‘social engineering’ to trick us into handing over money or disclosing personal information that allows them to steal our online identity.”

In the context of cybersecurity, “social engineers” are somewhat less respectable than they sound. In essence, they are so called because they employ psychological manipulation to persuade people to divulge information or perform certain actions with the intention of gathering information, accessing a system or committing fraud.

Should we be mildly paranoid for our own good? “Perhaps not paranoid, but suspicious is good,” Emm says. “Outside of cyberspace, you know not to accept sweets from strangers. In cyberspace, why would you be less vigilant?”

People’s casual attitude to passwords is particularly alarming, Emm says.

“Unfortunately, there’s a tendency to use the same password for everything. People do this for understandable reasons … after all, you don’t want to have to remember 30 passwords. But think about it: if you rely on just one password and a criminal gets hold of it, he gets access to everything.”

At the risk of stating the obvious, you should never, ever choose the word “password” for your password (you won’t believe how many people still do this). The same applies to “123456”, “qwerty”, “iloveyou”, pet names and birthdates.

Emm believes we should employ the best tech available to protect ourselves. “Keep all your passwords in a virtual vault (see “Passwords 101”, below) and access them via a master password. If necessary, you can even write this down, just so long as you keep it safe – your wallet is obviously a no-no. To create a password, think of a favourite song or even a nursery rhyme and use the first letters from each line to create something unique.”

Craig Rosewarne of Wolfpack Information Risk, a Johannesburg-based cybercrime consultancy, says some people are learning the hard way that they need to take responsibility for their own digital security – and social engineers represent only one of myriad threats. Intent on alerting the general public to the danger, his company has produced a “Cybercrime survival guide” explaining how they work and what to do about them.

Among the techniques used by social engineers (aka cybercriminals):

* Shoulder surfing: The social engineer peers over your shoulder while you are typing in your PIN or password. Defence: Always be aware of who is close, and cover the keypad or keyboard when typing in your PIN or password.

* Dumpster diving: The social engineer scavenges through dustbins for carelessly discarded information he can use online (for example, bank statements). Defence: Never throw confidential information in the dustbin. Instead, shred or burn it.

* Baiting (free USB): The social engineer leaves USB flash drives where you are likely to find them (for example, in your office parking lot) or hands them out free at your local coffee shop. These USBs are usually loaded with what seems to be interesting information, but contain viruses. Defence: Be cautious when using USBs (or better still, don’t use them at all).

* Pretexting: When someone lies to you in a bid to access privileged data – for example, he pretends to need personal or financial data in order to confirm your identity.

* Quid pro quo: When a hacker requests personal information from you in exchange for something desirable – perhaps a free gift or access to software.

Con artists can be extraordinarily devious, Rosewarne says, and it’s worth conducting a “what if” exercise with your family and colleagues to eliminate at least some of the risks. For example, as a prelude to a cyberattack, a criminal seeking personal information might call your office and play on your colleagues’ trust, saying he needs your address and/or date of birth for a birthday surprise.

Many people throw caution to the wind when they access the internet through free wi-fi at coffee shops, airport lounges and other places, Rosewarne says, and the result could be financially painful. The criminal sets up shop in a popular place and creates a wi-fi hot spot with a name very similar to that of a legitimate entity. If a nearby laptop user falls for the ruse – and has not recently updated his or her computer’s protective software – he’s in.

Even more alarming is our assumption that the ubiquitous mobile phone is somehow immune to criminal incursion. In fact, Rosewarne says, they require just as much protection as our notebooks and desktop computers. Phones running on the Android platform are especially vulnerable, he says.

Part of the explanation lies in the numbers: mobile phones running on the Android operating system represent by far the largest share of the global market. Also, the Android system is open source, which means hackers have access to the underlying code that makes it work. Human nature also plays a role: in 2014, an American cybersecurity firm estimated that 70 percent of Android smartphones still contained a bug that had been uncovered (and publicised) by security researchers more than two years earlier, making them vulnerable to cyberattacks.

Unfortunately, the vulnerability of mobile phones is obvious if you know, as I do, a mother and daughter who, between them, have had all of 14 phones stolen, only one insured and none secured with a password, let alone anti-malware protection. This is by no means a record.

As Rosewarne explains, the consequences of a successful raid on your digital privacy could be catastrophic. Among the dangers:

* Identity theft;

* Your personal information can be stolen;

* Your credit record can be damaged;

* Your bank accounts could be compromised and your money stolen;

* Your social media accounts can be compromised (hacked);

* You may suffer reputational damage if hackers post unsavoury content to hacked accounts;

* Your email account could be compromised and used to send spam and/or scams to everyone in your address book;

* Criminals who have virtually invaded your device can take pictures of you with your webcam or front camera;

* They can also make audio and/or video recordings of you and your surroundings using your device and use these for extortion, blackmail or misrepresentation;

* Accounts can be opened in your name without your knowledge;

* Your email inbox could be flooded with unwanted emails (spam);

* Images of you or your family could be harvested without your permission and used on unsavoury websites;

* Dodgy people could track the movements of your family from geotags in certain pictures posted on the web;

* Even dodgier people (for example, paedophiles) could gather intelligence on your family from various online sources and attempt to contact your children;

* Criminals could implicate your device in cybercrime;

* Your device could become infected with malware; and

* You could lose some or all of your valuable data.

Cybercrime clearly pays. Figures compiled by Kaspersky Lab’s gurus show that crooks commonly rake in profits 20 times greater than the cost of their attacks. For example, creating a phishing page to mimic a popular social network and setting up a spam mass mailing that links to the fake site costs about R1 700. If the scammers catch 100 people, they can net R100 000 or more by selling sensitive data.

A mobile Trojan blocker is much more expensive, costing nearly R12 000 on average to buy and distribute the malware. However, the pay-off for this so-called “ransomware” is also much higher: the prices set by the attackers for unblocking a smartphone could vary from R120 to R2 000-plus, which means they can potentially earn over R200 000 from 100 victims.

Here’s how it works. You pick up the infection (perhaps the infamous Cyber Police virus) by visiting a dodgy website, downloading a fake Adobe Flash Player update, or accepting a shared file without taking precautions. The virus locks your phone and displays a fake warning message to the effect that you have been watching pornography, downloading pirated music or videos, or generally behaving badly. To unlock your phone and avoid prosecution, you are required to pay a “fine” via Ukash or similar. (Ukash is a United Kingdom-based electronic money system that allows users to exchange their cash for a secure code to make payments online.)

Although the Cyber Police virus mainly attacks phones in the UK and Europe, similar nasties appear under different names – including Police Central e-crime Unit, FBI Moneypak virus, Australian Federal Police – all over the world.

Alexander Gostev, the chief security expert at Kaspersky Lab, points out that buying malware is not difficult: “It’s easy to find them on various hacker forums and they are relatively cheap. Cybercriminals following this illegal path don’t even need any skills; for a fixed price, they can get an off-the-peg package to launch their attacks at will.”

PASSWORDS 101

To create a strong password, Wolfpack Risk advises using spaces and/or combinations of upper-case and lower-case letters, numbers and special characters (for example, @ # $ % ! ?), with a minimum of seven characters.

Alternatively, create a passphrase and add special characters and numbers to it, as in this example: “Online banking saves me so much time and effort every day”. Create a coded version of the phrase (with letters and numbers) by using the first letter of each word: hence “Obsmsmt&eed!2014”. (Please don’t use this example!)
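The passphrase-to-acronym trick and the Wolfpack rules above, worked through in code. This is an added example written for this article, not Wolfpack’s or Kaspersky’s own tool; the rule that “and” becomes “&” is taken from the article’s own sample, and the never-use list is the one the article gives.

```python
import string

# Passwords the article says never to use (plus their obvious case variants).
NEVER_USE = {"password", "123456", "qwerty", "iloveyou"}

# Character classes the Wolfpack advice asks you to combine. A space counts
# as a special character, as the advice allows spaces.
CLASSES = {
    "upper-case letters": lambda c: c.isupper(),
    "lower-case letters": lambda c: c.islower(),
    "numbers": lambda c: c.isdigit(),
    "special characters": lambda c: not c.isalnum(),
}


def passphrase_acronym(phrase: str, suffix: str = "") -> str:
    """Build the 'coded version' of a memorable phrase: the first letter of
    each word, with 'and' written as '&' (as in the article's sample), then
    any digits/special characters appended."""
    letters = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        letters.append("&" if word.lower() == "and" else word[0])
    return "".join(letters) + suffix


def check_password(pw: str, min_length: int = 7) -> list:
    """Return the problems found under the Wolfpack rules quoted in the
    article (minimum seven characters; mix of upper, lower, numbers and
    specials) plus the never-use list. An empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, test in CLASSES.items()
               if not any(test(c) for c in pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if pw.lower() in NEVER_USE:
        problems.append("on the never-use list")
    return problems


def find_reused(vault: dict) -> dict:
    """Given a site -> password mapping, return every password that is
    reused, with the sites sharing it (the 'one password for everything'
    habit the article warns about)."""
    sites_by_pw = {}
    for site, pw in vault.items():
        sites_by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in sites_by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    phrase = "Online banking saves me so much time and effort every day"
    coded = passphrase_acronym(phrase, "!2014")
    print(coded, "->", check_password(coded) or "passes")
    for weak in ("password", "Abcdefgh", "Ab1!"):
        print(weak, "->", check_password(weak))
    vault = {"bank": "Obsmsmt&eed!2014", "email": "Obsmsmt&eed!2014",
             "shop": "Tqbfj0td!"}
    print("reused:", find_reused(vault))
```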

Alternatively, Wolfpack suggests you try one of the following “password managers” to generate secure passwords automatically for each service you use. These typically require you to set one master password that must be entered to unlock the “vault” where you store all your other passwords.

* 1Password: https://agilebits.com/onepassword

* F-Secure Key: http://www.f-secure.com/en/web/home_global/key

* Password Manager: http://www.kaspersky.com/password-manager

* Identity Safe: https://identitysafe.norton.com

* Last Pass: https://lastpass.com/

* KeePass: http://keepass.info/download.html

I’M AN APPLE USER, SO I’M SAFE, RIGHT?

The short answer: no. On its United States website, digital security firm Kaspersky Lab says it was once generally believed that Macs were far more secure than Windows PCs and that Mac users were much less likely to suffer from the negative effects of malware and cyber-attacks. “However, the events of recent years have led many users to question just how secure Macs really are.”

In early 2012, Kaspersky says, Mac users saw the “harsh truth behind the myths” when the Flashfake/Flashback botnet – which affected 700 000 computers running the Mac operating system OS X – was discovered. It was distributed via infected websites as a Java applet (very small application) that pretended to be an update for the Adobe Flash Player. (A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. The word botnet is a combination of the words robot and network.)

Kaspersky notes that the popularity of Apple products among prominent businessmen and influential politicians makes them “particularly interesting to a specific category of cybercriminal”.

YOUR DIGITAL DEFENCE ARSENAL

Here are links to some useful internet security options for your computers and mobile devices, plus links to cybercrime resources. Be aware that, although some of the free products (such as the widely used AVG) do a good job, they don’t offer the same degree of protection as the paid-for versions.

Commercial

Bitdefender: www.bitdefender.com/solutions/internet-security.html

Bitdefender: www.bitdefender.com/toolbox/freeapps/desktop/

ESET: http://www.eset.co.za/za/home/

Kaspersky: www.kaspersky.com/internet-security

Symantec: www.symantec.com

McAfee Labs: www.mcafee.com

Free

Avast: www.avast.com

Avira: www.avira.com/en/avira-free-antivirus

AVG: www.avg.com

Cybercrime resources

Southern African Fraud Prevention Service: www.safps.org.za

Wolfpack Risk: www.wolfpackrisk.com

Alert Africa: www.alertafrica.com

Scam Buster: www.scambuster.co.za

Cybercrime portal: cybercrime.org.za

Classified advertising scams: help.gumtree.co.za and http://www.olx.co.za/help

Accommodation scams: http://blog.gumtree.co.za/avoid-holiday-rental-scams/

Solutions offered by banks

Absa (Titanium Maximum Security Antivirus)

http://absa.co.za/Absacoza/Security-Centre/Antivirus-Software/Antivirus-software

FNB (Webroot SecureAnywhere)

https://www.fnb.co.za/security-centre/webroot-secureanywhere.html

Nedbank (Rapport)

http://www.nedbank.co.za/website/content/rapport

Standard Bank (Trusteer)

http://www.securitycentre.standardbank.co.za/Trusteer/Overview.aspx

Free online scanning

www.virustotal.com

SELF-DEFENCE IN CYBERSPACE

Now that everyone is appropriately nervous, here’s a checklist of things you can do to reduce the risk of falling victim to an online scam, courtesy of the experts at Kaspersky Lab:

1. Secure your devices using internet security software.

2. Make sure you apply security updates to your operating system and applications as soon as they are available.

3. Only use secure sites. Look for a URL beginning with “https://” – that’s “S” for secure. (URL stands for “uniform resource locator”, which identifies the location of a file on the web; in other words, the web address.) Also look for a closed padlock on the web browser’s address bar. When you click or double-click on it, you will be able to see details of the site’s security.

4. Use a unique password for every site. Use a mixture of letters, numbers and special characters, and make sure they’re at least seven characters long.

5. Don’t click on random links in emails. It’s better to type in a URL yourself and avoid the risk of ending up on a phishing site.

6. Stick to familiar brands that you know or have heard of. But even then, you need to take care – fraudsters will go to extreme lengths to make a site look authentic and feature their own website ahead of the legitimate retailer on popular search engines, and may go so far as to create a mirrored version of a popular website, with a slightly different URL. To protect yourself, don’t try to guess the URL; rather Google your desired retailer and click on the first link that appears. Look out for sloppy text, suspicious logos or strange English, and be especially cautious if a web address ends with .cn (it’s based in China) or .ru (Russia).

7. If you do buy from new vendors, research them carefully. A good test is to see if they can be contacted if the order goes wrong: look for an email address, phone number, physical address and a returns policy. A vendor’s feedback history (supplied by most of the bigger vendors, such as Amazon, eBay and Kalahari.com) is another good sign of their honesty and reliability.

8. Use extra caution when using your mobile device for online purchases. Shortened URLs, often used because they are phone-friendly, can hide the fact that they lead to a risky site.

9. Avoid using public wi-fi hot spots for confidential transactions such as online shopping. Public wi-fi networks are common places for hackers to sneakily intercept your information.

10. Ensure that your children do not have access to your online accounts, and make sure they can’t access your credit card and bank information.
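Items 3, 6 and 8 of the checklist can be turned into a simple screening step before you type in card details. The code below is an added example for this article, not Kaspersky’s; the trusted retailers are the three the article names, the flagged endings are the .cn and .ru it mentions, and the shortener list and the two-level-suffix handling are my own assumptions.

```python
from urllib.parse import urlparse

# Retailers the article names as having a feedback history (item 7).
TRUSTED_RETAILERS = ["amazon.com", "ebay.com", "kalahari.com"]
# Endings the checklist singles out (item 6).
RISKY_TLDS = {"cn", "ru"}
# A few well-known URL shorteners (my list, not the article's), for item 8.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
# Assumption: common second-level suffixes such as .co.za, so that
# "shop.example.co.za" reduces to "example.co.za" rather than "co.za".
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Strip subdomains: 'www.ebay.com' -> 'ebay.com'."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def screen_url(url: str) -> list:
    """Return warnings for a shopping URL; an empty list means nothing in
    the checklist's heuristics fired (the padlock must still be checked by
    eye in the browser)."""
    warnings = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not served over https")
    tld = host.rsplit(".", 1)[-1]
    if tld in RISKY_TLDS:
        warnings.append(f"address ends in .{tld}, flagged in the checklist")
    domain = registrable_domain(host)
    if domain not in TRUSTED_RETAILERS:
        for trusted in TRUSTED_RETAILERS:
            brand = trusted.split(".")[0]
            # 'amaz0n.com' is one edit from 'amazon'; 'ebay.com.verify.ru'
            # carries the brand name but is a different domain.
            if (edit_distance(domain.split(".")[0], brand) <= 1
                    or brand in host):
                warnings.append(f"looks like {trusted} but is {domain}")
    if domain in SHORTENERS:
        warnings.append("shortened link hides the real destination")
    return warnings


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in ("https://www.amazon.com/dp/example",
                 "http://www.amazon.com/",
                 "https://amaz0n.com/deal",
                 "https://www.ebay.com.account-check.ru/login",
                 "https://bit.ly/example"):
        print(link, "->", screen_url(link) or "no warnings")
```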

IF YOUR SOCIAL MEDIA IS HACKED

The website Alert Africa has some practical advice on what to do if the bad guys hack your Facebook, Twitter or Gmail account (www.alertafrica.com). It also provides useful links to financial institutions, network service providers and stakeholder institutions (including the police, SARS and the Southern African Fraud Prevention Service) for reporting cybercrime.

Here’s an extract for victims of Facebook hacking:

* Eliminate malicious software from your computer before changing your password;

* Make sure your antivirus protection is up to date;

* Remove any third party (that is, non-Facebook-endorsed) applications you’ve installed; and

* Report a compromised account by visiting www.facebook.com/hacked. Once you have regained control, notify all your friends that your account was hacked and that any dodgy posts are a result of the hack.

Craig Rosewarne, of Wolfpack Information Risk, cautions that even LinkedIn accounts may not be what they seem. It’s quite possible for someone to copy-and-paste personal and professional information to create a near-duplicate profile and use it to extort money, embarrass enemies and create reputational mayhem.

“One motivation is to get hold of your money, and as much of it as possible, but the criminals also want access to your email address and other valuable resources.

“Criminals are creating perfect clones of commercial sites in which the only difference is the payment details.

“My advice is to remain vigilant and check everything before you commit your banking or other details – if necessary, with a telephone call. Use the grey matter between your ears.”

Even users of WhatsApp, the popular instant messaging app for smartphones, are vulnerable. It works like this: you receive a text message stating that the application needs to be updated. When you click on the link within the SMS notification (for the record, a bad move), you are taken to a website where you assume the upgrade will proceed. Instead, you are fooled into signing up for an expensive subscription service. Lesson: update your apps only via the official app store.

Mobile phone users (that’s just about everyone on the planet, barring infants and fundamentalists) should be aware that unscrupulous WASPs (wireless application service providers) can debit any South African cellphone number and – here’s where it gets scary – are able to detect and record your number if you visit their websites using your phone. Bottom line: be very cautious, and check your cellphone bill regularly.

If you have allowed yourself to be caught by one of these devious operators, the networks can help you escape their clutches by typing USSD codes into your phone. (USSD stands for “unstructured supplementary service data”, a protocol used by GSM cellular telephones to communicate with the service provider’s computers.)

* Cell C: Dial *133*1# to block existing and future content billing.

* MTN: Dial *141*5# and select the services from which you want to unsubscribe.

* Vodacom: To unsubscribe from all WASP services, send a text message with the words “STOP ALL” to 30333.

Then there’s the moral dilemma associated with “free” downloads of music and movies. Frankly, there should be no such dilemma: if it’s free, it’s almost certainly illegal, so rather go the iTunes (or similar) route and buy the DVD. But as Rosewarne tells it, the risk of prosecution, however small for most people, is only one of the problems with pirated entertainment: “Free music downloads come with huge risks of Trojans (malicious software hidden in an application) and other malware.”

2015 THREAT LANDSCAPE

If it were possible to make a firm prediction about this year’s cybercrime battlefield (it’s not), we would say you should expect more of the same, only sneakier and through unexpected conduits. Example: if you’ve invested in one of those clever fridges that connects to the internet and orders milk without being told, be aware that it knows all about you.

Okay, that’s an exaggeration, but security firm McAfee reckons we shouldn’t dismiss potential threats from the “internet of things” (IoT), defined by Wikipedia as “the network of physical objects or ‘things’ embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices”. This year will see IoT attacks increasing in frequency, profitability and severity, warns McAfee in a recent report: “Unless security controls are built into their architectures from the beginning, the rush to deploy IoT devices will outpace the priorities of security and privacy.”

Although we are unlikely to experience a virtual mugging by our fridge, home automation system or wearable fitness tracker, it’s a fact that more and more appliances are being equipped to communicate, and not only via the internet.

McAfee says NFC (near field communications) digital payment technology is ripe for exploitation, unless users can be educated to take control of these features when they have them. SnapScan, launched by Standard Bank, is an example: it is a mobile phone app that reads the retailer’s QR (or square barcode) and links it to your bank account/Mastercard/Visa card and allows you to tap in the amount you want to pay, then approve payment by inputting a PIN.

Mobile attacks will continue to grow rapidly as new mobile technologies provide new opportunities, says McAfee, as the ready availability of malware for mobile phones will make it easier for cybercriminals to target these devices. Untrusted app stores will be a major source of mobile malware in 2015, according to McAfee, which says traffic to these stores will be driven by “malvertising” (malicious advertising), which has grown quickly on mobile platforms such as cellphones and tablets.

Late last year, Kaspersky Lab organised a conference in Warsaw, Poland, to explore the latest cybercrime trends and survival strategies. Although it focused on Europe, some of its findings have relevance everywhere. One example is the revelation that small-business owners think they are too insignificant to attract the interest of cybercriminals, assuming the bad guys would rather target bigger and wealthier organisations. Not true, Kaspersky says. It seems this complacent attitude offers cybercriminals “a great opportunity for easy money”.
