Sharenting ‒ a cybercrime bullseye

Experts warn of “friendly” spear phishing networks mining personal data to build trust with targets.


Published Jul 22, 2022


By the time they are five, children can have a digital footprint of nearly 1 500 pictures, and cyber villains are using this personal information to strike at individuals or organisations.

“Sharenting” ‒ loving relatives posting about children ‒ often includes personal information that can be used by spear phishing scammers to fake personal connections.

Digital expert Dr Colin Thakur, based at the Durban University of Technology, said spear phishing was a targeted attack in which criminals mined the internet for any information they could find on an individual, such as their birthdays, friends, hobbies and names of loved ones, which they used to strike up a relationship or pretend to know them.

KnowBe4 Africa cyber expert Anna Collard said even experts could be ensnared.

“If well researched and executed, even well-trained people are more likely to fall for a cleverly crafted spear phishing email, making it a dangerous attack vector.”

Stephen Osler, co-founder and business development director at Nclose, warned South Africans that spear phishing could lead to compromise of the target’s employer or to impersonation of the target for fraud-based activity.

Thakur said “born befores” ‒ people born before the advent of social media ‒ were “digitally deficient” and would celebrate birthdays of children and grandchildren with their nicknames and details of where they lived or schooled on the internet.

The Cyber Crimes and Cyber Securities Bill aims to bring the country’s legislation in line with other countries’ cyber laws and tackle cybercrime. Photo: EPA

Spear phishers would harvest that information and build up a profile that would make them “acceptable” to the victim because they knew what kind of person you were likely to befriend.

“Someone can see that you posted information about your workplace and a conference you attended and pretend they met you there. You end up feeling embarrassed that you can’t remember them, and so you keep on talking to them,” he said.

He said there was no manual for what could be dangerous to post, Google or Facebook, and suggested a “dream team” to protect a family or organisation’s digital security: the combination of the emotional maturity of a “born before” with the digital skill of a youngster who was likely to post more explicit things.

By tasking young people with the responsibility of protecting the digital image, they would feel empowered and learn what not to post.

Media Monitoring Africa head of programmes Thandi Smith said everyone was at risk of believing disinformation, whether it was in the form of a scam, targeted at an individual, or a broader malicious message circulated with the intention of causing public harm.

“The issue is about increasing digital literacy initiatives and online safety campaigns, whether we are referring to elderly people or children. Parents need to be far more aware of the risks of sharing information about children online, as well as being aware of issues of consent when it comes to sharing photos and videos online.”

She said the MMA had a platform called Real411 where anybody could report online content which they thought could be categorised as mis/disinformation, harassment online, incitement to violence or hate speech.

“Always be cautious of online content. Check the source. Be aware if the content evokes emotions such as anger or fear. Then, check the source again,” said Smith.

Collard said South Africa’s relatively high dependency on digitisation, internet access and mobile banking and relatively low level of user awareness attracted cybercriminals.

“When it comes to cyber extortion, attacks are spread across all industries. According to a KnowBe4 survey in 2021, 32% of South African organisations fell victim to ransomware and 4% paid the ransom.”

Collard urged people to limit the amount of personal information about themselves in the public domain by applying privacy settings on social media and using different sets of email addresses online.

Osler also warned South Africans to proceed with caution.

“Spear phishing can lead to widespread compromise of the company the target is working for or impersonation of the target to perform a fraud-based activity. So spear phishing attacks can cause devastation for the targeted individual or the company they are working for.”

He added that email users needed to be cautious and suspicious of any emails in their mailboxes.

“If it looks out of the ordinary or too good to be true, then make sure you check to make sure the sender’s email address is from the correct sender.”

Jelle Waringa, a security advocate at KnowBe4, said spear phishing was a global issue and any person or organisation with valuable information or resources was a valid target.

“And since around 91% of all successful attacks leverage spear phishing as their primary attack vector, the likelihood of falling victim to a spear phishing attack is huge.”

She said often spear phishing attacks were designed to instil a high level of trust in their targets and were hard to detect.

Deepfake technology was used in a phishing email to build rapport with the target, and then “a deepfake-generated voicemail message, with an extreme likeness to the voice of the manager of the target, was sent to add a layer of trustworthiness and urgency”.

“It is this level of sophistication and success that presents the biggest danger of a spear phishing attack.”

According to Waringa, KnowBe4's latest African Cyber Awareness Report showed that 53% of Africans surveyed think that trusting emails from people they know is good enough, even though 28% of those surveyed had already fallen victim to a phishing attack.

A global Oxford University Press study revealed that social media users believed information they read and shared on platforms like Twitter, Instagram and Facebook was factually correct.

Oxford University Press CEO Nigel Portwood said: “Differentiating between fact and fiction is harder than ever, with the unprecedented events of the last two years bringing the debate around misinformation and false claims into sharp focus. With an ever-increasing number of sources to turn to for information, from books to academic texts to digital channels, and so many answers available at the touch of a button, it’s no surprise that our research presents a global picture of confusion.”

The study revealed that 43% of South Africans were likely to turn to the internet when looking for factual information; the worldwide figure is 67%.

The study, The Matter of Fact, found that social media was central to shaping South Africans’ understanding and that more than half (52%) of those surveyed said when it came to distinguishing fact from fiction, sites like Facebook, YouTube and Instagram played an important role.

Almost half (46%) of those surveyed used WhatsApp as a common source for sharing, considering information from the platform as fact.

The Independent on Saturday
