Many South Africans who have lost money through online banking fraud and related scams have been victims of spear phishing attacks – and these attacks are becoming more sophisticated.
With spear phishing, criminals use information gathered from social media – including Facebook, LinkedIn, and Twitter – to send targeted emails to their victims.
These emails are personal as the criminals know your name and other details.
The communication is personalised – “Hi William” rather than “Dear Sir” – and often refers to one of your friends.
These emails may even look like official company emails, and use work colleagues as a reference to build trust.
Because the email appears to come from a friend or work colleague, the criminals hope you will be less vigilant and give them the information they ask for.
In some cases the criminals will phone their victims instead of using email. They usually pretend to be from a bank, and try to convince the victim to share sensitive information like passwords.
Using the information you share online against you
Norton detailed an example of a spear phishing attack, where your information is gathered from social media.
- A criminal uses your Facebook and LinkedIn pages to find your email address, your friends list, and that you recently purchased an item online (through Facebook sharing notifications enabled on an online store).
- The criminal poses as a friend, and then, for example, will ask for the password to your private photo page on a blog.
- If you send them the password, they’ll use that password (and variations of it) to try to access your account on the online retail site you bought the aforementioned item from.
- If the password works for the online store, they may purchase products for themselves on your account.
- The criminal can also use the information to pose as somebody from the online retailer, and ask you to reset your password, or re-verify your credit card number. If you do, this information will be used to steal your money.
A similar process is followed to steal a person’s banking details, and may include using malware or phishing websites.
The images below show some of the phishing scam emails which have been used in South Africa.
Protecting yourself against spear phishing
Securing The Human and Impact Business Technology have provided the following guidelines to help people protect themselves against spear phishing:
- Limit the information you post about yourself on platforms like Facebook or LinkedIn. The more personal details you share, the easier it is for cyber attackers to craft a spear phishing email.
- If an email that asks you to open an attachment or click a link appears suspicious or requests sensitive information, verify the message.
- Be sceptical of all emails, even if they reference personal information or claim that the sender recently met you at a meeting or convention. If it is an unsolicited email, be cautious.
- Know the sender before you open any links. Reputable online vendors and financial institutions will not send an email asking you to take action on your personal information.
- Investigate where any links in emails might go, and why you need to access them. Hover the mouse over the link, or right-click it and check the link properties, to see the real destination.
- If the email appears to come from a company or a person you know, use the contact details you already have on file to contact the sender and verify that they sent you the message.
- Ignore odd commands and unlikely urgent actions, even if the email is from a company representative. If it is too good to be true, or very far-fetched and unlikely, then scrutinize the request.
- Call on unknowns. Call the person directly if an email or request is suspicious. Whether it is an internal company email or from an unsolicited “friendly” contact, a phone call can validate the request quickly.
- Support your organisation’s security efforts by following the appropriate security policies and making use of the security tools that are available to you.
- Technology cannot filter and stop all email attacks, especially spear phishing emails.
The Guardian added that only 12% of phishing attacks happened through emails. They can also come from fake websites, instant messaging software, and phone calls.
You should always be careful when sharing sensitive information online or over the phone.