On the cybercrime timeline, phishing dates back to the mid-1990s when hackers exploited one of the earliest internet service providers to steal passwords and credit card data from unsuspecting users. Technology has evolved significantly since then, but phishing remains a popular attack method because it’s specifically designed to take advantage of human nature.
Phishing is the practice of using fake, fraudulent, or deceptive communication to lure or convince a targeted person (or group) to hand over sensitive information.
Cybercriminals pretend to be legitimate, trustworthy sources and contact their victims by email, phone, or SMS with the goal of acquiring anything from personal data and banking details to usernames and passwords.
The scammers then leverage the newly acquired information for their own illicit purposes, which may include identity theft, credit card fraud, or privileged account access, among other things.
Email phishing, spear phishing, whaling, smishing, and vishing are five common types of phishing attacks. Learn to recognise the warning signs so that you’re less likely to be fooled by a scam message.
Email phishing (also called deception phishing or deceptive phishing) is perhaps the most well-known type of phishing. In this kind of scam, attackers impersonate a real company, organisation, or group and send out mass emails to as many email addresses as they can find. This so-called “spray and pray” approach is a numbers game for the perpetrators, and even if they only hook a handful of victims, the attack may still prove worthwhile and lucrative.
How do they do it? The scam email message is intended to make you perform an action, like downloading an attachment or clicking on a link. Malware embedded inside the attachment is activated when you open the file, and the link destination is often a malicious website primed to steal your credentials or install nefarious code on your device.
Consider this example… You receive a legitimate-looking email from your streaming service, saying your account has been temporarily suspended because of unusual activity. You’re instructed to click on a link inside the email, to verify your account credentials. You expect to be directed to the streaming service’s login page, but the link actually takes you to a lookalike login page that harvests your username and password.
Spear phishing takes the concept of email phishing and applies it to a specific individual or group. Instead of the bulk, generic communication associated with regular email phishing, spear phishing involves customised messaging for a selected target. As the name implies, spear phishing is a pointed attack, not a wide-net manoeuvre, and scammers will often leverage publicly available corporate collateral to fine-tune the elements of their email trap.
How do they do it? Detailed, personalised messaging is key to the success of any spear-phishing campaign – because the attackers have to make you, the recipient, trust them enough to do what is asked in the email. They may spend days or even weeks on research and information-gathering (from your company’s website, social media pages, and published reports) as part of their efforts to trick you into action.
Consider this example… You’re the accounting clerk responsible for processing vendor invoices. You receive an email from an unknown vendor, with a PDF invoice attached. The message is well-written and friendly. The email sender knows your name and is knowledgeable about your company; they even send their best wishes to your colleague, John, whose motorcycle accident was addressed in your company newsletter last week. You believe that the vendor is legitimate and open the attachment, which then delivers malware to your laptop.
Whaling (also called whale phishing) is the term used to describe phishing attacks aimed at a company’s most senior, most connected, or most influential leaders – the whales. The chief executive officer, chief operating officer, chief financial officer, chief technology officer, and other senior managers are attractive targets because of their high-level access to company resources. With an executive’s login credentials in their possession, scammers may be able to transfer corporate funds, expose private data, or impersonate the target to disrupt or damage the business.
How do they do it? Like spear phishing, whaling requires a tailored approach. Cybercriminals may have to profile the chosen individual for months to gain sufficient insight into their personal and professional lives. But as soon as the phishers have enough information, they can create believable, persuasive messages to try to deceive their victims into downloading malicious files or visiting compromised websites.
Consider this example… A new email lands in your inbox – and it’s from a law firm. The subject line and the content of the message imply that your company is being sued for millions by a former employee. The preliminary paperwork is attached to the email. As the chief legal officer, it’s your responsibility to investigate – but you don’t realise that the attachment is tainted.
Smishing (also called SMS phishing) uses a text message rather than an email message to conduct a phishing attack, but the rationale is the same: scammers want to fool you into clicking on a risky link, downloading a malicious application, or surrendering your personal information.
How do they do it? Digital fraudsters take advantage of the fact that you keep your smartphone within reach and probably read your text messages soon after they arrive. And, as with other phishing methods, deception is their key tool. By masquerading as bona fide businesses (like your supermarket) or trusted sources (like your bank), they can deliver compelling texts directly to you – quickly, easily, and more than once.
Consider this example… You receive an SMS offering 20% off your next clothing purchase. The offer appears to come from your favourite fashion outlet, and uses the same language and style (right down to the abbreviations and emojis) that you’ve seen from the store in the past. To receive the discount, which is only available to the first 100 customers, you need to click the link and claim your coupon code online. You don’t know that the link, when clicked, installs malware on your phone.
Vishing (also called voice phishing or phone phishing) is when scammers call you directly – on your home landline, your work phone, or your cell – and try to make you give out personal or corporate information. Often, they will exploit annual trends and public concerns, or create a sense of panic that makes you feel compelled to comply with their requests.
How do they do it? The person making the fraudulent phone call may pretend to be a tax official who needs your company registration number for verification before refunding money to you. They may claim to be a health official calling to put you on the list for a COVID-19 vaccination. They may even claim to be a customer service agent from your bank, alerting you to suspicious withdrawals from your account. In every scenario, the phisher on the other end of the line will do their utmost to extract sensitive information from you.
Consider this example… You’re called by someone who claims to be from an insurance firm. They say that you’ve been named as a beneficiary in the estate of their deceased client, and you stand to receive a substantial sum of money if you can verify your identity in line with the facts in their possession. You may be asked for your full name, your ID number, your physical address, and your other phone numbers as the impersonator tricks you into providing confidential, high-value information over the phone.
These five types of phishing attacks are among the most prevalent, but they’re not the only ones used by cybercriminals. You need to be able to spot the tactics (and teach your teams to spot them, too) so that would-be phishers do not succeed when they target you and your staff.
Prepare your business teams for the dangers of cyberspace with comprehensive security training from BUI and Cyber Risk Aware.
Check out the on-demand webinar featuring our own Wayne Nel and Cyber Risk Aware CEO Stephen Burke to learn more.
South Africa’s Protection of Personal Information Act gives individuals more control over how their personal information is collected, processed, and used by private and public bodies. The Act requires such bodies (AKA responsible parties) to meet several minimum requirements for the lawful processing of data – and the grace period is almost over. From 1 July 2021, SA organisations must be compliant. Are you ready? Ask your leadership team these five questions to check that key areas of accountability have been addressed…
As a responsible party, you are required to register your Information Officer with the Information Regulator by 1 July 2021.
You can do this online via the Information Officer Registration Portal on the Information Regulator’s website, where electronic and PDF versions of the registration form are available. The portal also contains relevant documentation, including guidance notes, official notices, and policies.
Remember, your Information Officer (IO) is the person responsible for making sure your organisation adheres to POPIA. They need to encourage and ensure your organisation’s compliance with POPIA, deal with any information access requests pursuant to the legislation, and work with the Information Regulator in relation to any investigations conducted in terms of POPIA.
They also need to see to it that an organisational compliance framework is developed, implemented, monitored and maintained, and that internal awareness sessions are conducted regarding the provisions of the Act, among other duties. The IO’s responsibilities are listed in Section 55 of POPIA and in the POPIA Regulations.
As a responsible party, you are required to secure the integrity and confidentiality of personal information in your possession or under your control.
According to Section 19 of POPIA, this includes the implementation of “appropriate, reasonable technical and organisational measures” to prevent loss of, damage to, or unauthorised destruction of personal information.
Whether you manage personal data on paper or online, POPIA calls for you to identify all reasonably foreseeable internal and external risks to the data; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks.
In addition, POPIA decrees that you must have “due regard to generally accepted information security practices and procedures” which may apply to you generally, or which may be required in terms of specific industry or professional regulations (e.g., hospitals are expected to have strict security measures in place to protect the detailed, sensitive medical records of their patients).
As a responsible party, you are required to report security compromises to the Information Regulator and the data subject(s) involved as soon as reasonably possible.
Section 22 of POPIA describes the obligations of the responsible party when there are “reasonable grounds” to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.
You should have a comprehensive incident response plan on hand to guide your actions in the event of a data breach, data leak, or cybersecurity incident. Make sure that your IO and key members of your leadership team follow a systematic process to identify the incident, respond appropriately, escalate where necessary, and communicate clearly in line with POPIA’s stipulations.
If you fail to notify data subjects in such circumstances, you could face imprisonment, fines, or both. Remember, you must notify affected parties in writing as soon as reasonably possible after the discovery of a security compromise.
As a responsible party, you should ensure that your employees are educated about basic information security protocols and procedures.
From your Human Resources Department, which handles sensitive staff info, to your employees themselves, who may manage personal data from customers, suppliers, and service providers, your teams have to deal with personal information on a regular basis.
Make sure everyone in your organisation is familiar with POPIA’s requirements – and that individual staff members, line managers, and department heads understand their duties and responsibilities when it comes to data processing, data management, and data security.
Educate your personnel about the collection, use, and storage of personal information under POPIA, and remember that they may need specialised training for new systems and new productivity tools deployed now, or in the future.
As a responsible party, you could face hefty fines or imprisonment if you’re found to be in contravention of the law.
There are civil and criminal consequences for non-compliance with POPIA. Section 99 of the Act describes how a data subject (or the Information Regulator, at the request of a data subject) may institute civil action against a responsible party for breach of POPIA.
Offences, penalties, and administrative fines are outlined in Chapter 11 of the legislation. If you are convicted of an offence in terms of POPIA, you could be fined up to R10-million, or imprisoned for up to 10 years.
Non-compliance also poses a risk to your reputation: public trust in your organisation could be eroded overnight if you suffer a data breach, and serious brand damage could cripple your business irrevocably.
The BUI Cyber Security Operations Center is the first of its kind in Africa. Take a look inside to see how our security experts protect and defend critical data 365 days a year.
Or contact our team directly to learn more about next-generation security solutions to safeguard your personal information, customer files, and business resources.
We are pleased to announce that we have joined the Microsoft Intelligent Security Association (MISA), a global ecosystem of independent software vendors and managed security service providers that have integrated their solutions to help customers better defend against a world of evolving cybersecurity threats.
MISA was launched in 2018 with 26 members. Today, just over 160 industry leaders from across the international cybersecurity spectrum work together to share threat intelligence, extend solution capabilities, and increase customer protection.
MISA membership is by invitation only. Organisations must be nominated by Microsoft, and must demonstrate integrations that support the goal of improving enterprise security. We were selected to join the association as a managed security service provider, for our NettProtect vulnerability scanning solution and turnkey add-ons to our Cyber SoC packages, as well as our Microsoft Defender for Endpoint managed service, which is geared to reinforce network security through next-generation detection, investigation, and threat-hunting.
“We are very proud to be part of the Microsoft Intelligent Security Association,” says Managing Director Ryan Roseveare. “Our MISA membership not only deepens our longstanding relationship with Microsoft, but also opens the door for our specialists to collaborate with some of the top security professionals in the world. We are excited to share our expertise with our new peers. And we look forward to delivering even more value to our customers, through innovative security offerings that meet their business needs.”
The BUI Cyber Security Operations Center (Cyber SoC) integrates with Microsoft Azure Sentinel, a cloud-native, AI-based security information and event management solution, to make threat detection and response smarter and faster. The state-of-the-art facility is the first of its kind in Africa, and harnesses Microsoft security resources to monitor enterprise networks, servers, endpoints, databases, and applications.
“The success of our Cyber SoC lies in the combination of cutting-edge technology and industry-leading skills,” declares Roseveare. “We have created a compelling solution by reducing the cost and complexity of managed security services, and by giving our customers value-driven add-ons, like our Cyber SoC Panic Button for emergency assistance,” he notes.
“The Microsoft Intelligent Security Association has grown into a vibrant ecosystem comprised of the most reliable and trusted security software vendors across the globe. Our members, like BUI, share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster,” says Rani Lofstrom, Senior Product Marketing Manager, Microsoft Security.
BUI’s MISA membership follows several company milestones in 2020. Since the beginning of the year, we have achieved Microsoft Azure Expert Managed Service Provider status and attained advanced specializations in Adoption and Change Management and Windows Virtual Desktop. We have also been named Microsoft Country Partner of the Year, Microsoft Modern Workplace Partner of the Year, Microsoft Azure Infrastructure Partner of the Year, and Microsoft Security Partner of the Year.
“We are determined to help our customers strengthen their cyber defences in the face of increasingly sophisticated threats,” says Roseveare. “As part of MISA, we are now even better positioned to empower organisations to protect their assets – from identity to infrastructure, and from the edge to the cloud,” he concludes.
We can help you create the best possible defences against cybercrime.
Check out our security offers in the MISA partner catalogue to learn more.