Guides / 3 November 2018, 07:00am / Stergios Saltas
JOHANNESBURG - The days of crude phishing attacks, which anyone with a little common sense could avoid falling victim to, are a thing of the past. Today’s cybercriminals are more savvy than their predecessors, capable of producing spoof emails and websites convincing enough to fool even the most educated eye.
While it’s easy to feel helpless in the wake of these advances, there are still steps that ordinary internet and email users can take to avoid falling prey to phishing attacks.
Although cybercriminals have an array of tactics at their disposal, phishing remains a firm favourite. Unlike other forms of cyberattack, most of the work is done by the victim. With a little bit of code and some design savvy, a cybercriminal can gain instant access to a victim’s bank account.
Most people also aren’t aware that they’ve fallen victim to a phishing attack until it’s too late, with some companies taking up to five months to realise they’ve been phished.
Small wonder then that some estimates suggest 91% of all cyberattacks begin with a phishing attack.
These attacks also come at a massive cost. In South Africa, the total organisational cost of a data breach last year was about R32.4 million. In the US, FBI statistics show that phishing attacks cost American businesses at least $500m (R7.2 billion) a year.
Given the cost, it’s critical that businesses and ordinary users keep abreast of the latest phishing techniques.
Cybercriminals can spoof the look and feel of emails and websites more convincingly than ever.
Just days after a major South African bank underwent a rebrand this year, people were receiving spoof emails with the refreshed branding.
On opening the email, there would’ve been little to suggest that it didn’t come from the bank.
Nothing looked out of place or distinguished it from any other communication sent out by the bank.
If you happen to be a customer of the bank, you’d be easily forgiven for falling victim to the scam.
The same is true for almost all financial institutions, which are often the primary targets of phishing attacks.
While email service providers, digital security companies and corporate security teams are all working on combating phishing, they’re in an arms race with the cybercriminals. No matter what technological solutions they come up with, human beings remain the greatest point of vulnerability.
Knowing this, what chance do ordinary email users have of staying safe? Crucially, what can financial institutions and other companies do to help keep their customers safe?
From a user perspective, there are still oddities to look out for, especially once you go beyond the branding. Does the email include an attachment? If the attachment has a certain file extension (.html, .exe or .bat, for example) you shouldn’t open it under any circumstances.
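The same attachment check can be run automatically before a message reaches the inbox. The Python code below is an added example, not part of the original article: it flags attachments by their final file extension, using only the three extensions named above, and the function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# The article's three example extensions; not a complete blocklist.
RISKY_EXTENSIONS = {".html", ".exe", ".bat"}


def risky_attachments(raw: bytes) -> list[str]:
    """Return the filenames of attachments whose final extension is risky."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue  # unnamed parts have no extension to judge
        # Windows ignores trailing dots and spaces, so "update.bat." opens as .bat.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last suffix decides how the file opens:
        # "statement.pdf.exe" is an .exe, whatever the ".pdf" suggests.
        if PurePosixPath(cleaned).suffix in RISKY_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed sample message (hypothetical sender, placeholder content)."""
    msg = EmailMessage()
    msg["From"] = "alerts@bank.example"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Your statement"
    msg.set_content("Please see the attached statement.")
    for filename in ("statement.pdf", "Statement.PDF.EXE", "login.HTML",
                     "update.bat.", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in risky_attachments(build_sample()):
        print("do not open:", name)
```

An extension check only covers what the filename claims; it says nothing about what the file actually contains, so it complements rather than replaces the other checks.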
Businesses sending emails to their customers should focus on education.
Not only do they need to keep their customers up to date with the latest messaging used in phishing attacks, they also need to remind customers what they will never ask them to do in an email.
Importantly, this kind of education needs to be ongoing and communicated across multiple channels.
Remember, occasional messaging is soon forgotten and people can quickly slip back into old habits. Your messaging should also be simple and easy to digest, ensuring it sticks in your customer’s memory.
Stergios Saltas is the managing director of Striata SA.