Stuff South Africa

How to not become phish food


Earlier this year at the Kaspersky Cyber Security Weekend, it was revealed (via ITWeb) that phishing saw a major increase across the Middle East, Turkey and Africa (META) region in the first quarter. Compared with the same period in 2022, phishing attempts rose by 7% in South Africa, 53% in Nigeria and 87% in Kenya.

A 7% rise might not sound like much, but at the very least it shows that scammers are stepping up their efforts to fool South Africans into handing over information they really shouldn’t. The problem is serious enough that some, if not all, South African banks send simulated phishing emails to their own staff to test their vigilance, and anyone who falls for one is sent for more cybersecurity training. And fall for them, they do.

Because we love our readers, and because even people who work for banks sometimes fall victim to these scams, we’ve compiled this article to reiterate what you need to know to avoid falling for ever-more-sophisticated phishing attempts.

After all, your business accounts, personal bank accounts, and other important credentials used in your day-to-day work are at risk, and you really don’t want to lose them to scammers that will use them to clean you out.

On to the tips!

Be Sceptical

If you receive an unexpected email that asks for personal information, passwords, or financial information, treat it with maximum scepticism. Banks, in particular, will never ask for passwords, PINs or card details over email, so if something like this lands in your inbox, don’t reply to it: ignore it, or better, report it to your IT department (or your bank’s fraud-reporting address) for further investigation.

Check the Sender’s Email Address

A dead giveaway for an illegitimate email is often the sender’s address. Phishing emails usually carry a From address that looks right at a glance but doesn’t hold up to closer inspection: the domain is subtly misspelt, has an extra letter, or ends differently from the real one.

Bear in mind that the display name (the friendly name shown next to the address, such as “BankName Life”) can be set to anything, so don’t stop there. Expand the sender details and read the actual email address, character by character, paying most attention to the part after the @.

For example, you might have a life insurance policy through your bank, and receive legitimate information about it from banknamelife@life.bankname.co.za. A scam email fishing for details about that policy could appear to come from the same address, but if you expand the sender’s information you might see it’s actually from banknamelife@life.banknames.co.za, a single extra letter that is easy to overlook. Note that a correct-looking address is a necessary check, not a sufficient one: if the sending domain isn’t protected by SPF, DKIM and DMARC, the address itself can be forged outright.

When you detect something like this, you can ignore it or block the sender, but your best course of action is to flag the email with your IT department.

Verify Links Before Clicking

Before clicking a link in an email, hover your cursor over it to see the actual web address you’ll be sent to (on a phone, long-press the link instead). If that address doesn’t match the official website’s domain, it’s likely a phishing attempt that will open a site resembling the one you expect but which captures whatever you type and sends it to the bad guys. The part that matters is the domain just before the first single slash: a link to bankname.co.za.evil.com belongs to evil.com, not your bank, and a shortened link (bit.ly and the like) tells you nothing about where it ends up.
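To make the two checks above (sender address and link destination) concrete, here is an added example, not code from the Stuff article, that applies them to a raw email. The bank domain bankname.co.za, the addresses and the sample message are all constructed for illustration; the lookalike test uses edit distance and a simple brand-name match rather than a Public Suffix List lookup.

```python
"""Added example, not from the Stuff article: triage a raw email by checking
the sender's real domain and where each link actually points.
TRUSTED_DOMAIN, the addresses and SAMPLE_EMAIL are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: the one domain legitimate mail and links from "the bank" use.
TRUSTED_DOMAIN = "bankname.co.za"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, trusted=TRUSTED_DOMAIN):
    """Return 'trusted', 'lookalike' or 'untrusted' for a hostname."""
    host = host.lower().rstrip(".")
    # Only the trusted domain itself or a subdomain of it counts as trusted.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # Punycode labels (xn--) can hide homoglyphs such as a Cyrillic 'a'.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # The brand name appearing anywhere else (bankname.co.za.evil.com,
    # bankname-secure.com, banknames.co.za) is the trick the article describes.
    brand = trusted.split(".")[0]
    if brand in host:
        return "lookalike"
    # Compare the same number of trailing labels as the trusted domain has
    # (a stand-in for a Public Suffix List lookup) and flag near misses.
    n_labels = trusted.count(".") + 1
    tail = ".".join(host.split(".")[-n_labels:])
    if levenshtein(tail, trusted) <= 2:
        return "lookalike"
    return "untrusted"


def check_sender(from_header):
    """Ignore the display name; classify the domain of the real address."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("untrusted", addr)
    return (classify_domain(addr.rsplit("@", 1)[1]), addr)


def check_link(url):
    """Classify where a link really goes (the host, not the text shown)."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""  # userinfo tricks (bank@evil.com) resolve to evil.com
    if not host:
        return ("untrusted", host)
    verdict = classify_domain(host)
    if verdict == "trusted" and parts.scheme != "https":
        verdict = "untrusted"  # a bank does not send plain-http links
    return (verdict, host)


def triage(raw_email):
    """Run both checks over a raw RFC 5322 message and summarise."""
    msg = message_from_string(raw_email)
    sender = check_sender(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = [check_link(u) for u in URL_RE.findall(body)]
    flagged = sender[0] != "trusted" or any(v != "trusted" for v, _ in links)
    return {"sender": sender, "links": links, "suspicious": flagged}


# Constructed sample: lookalike sender, a link to an unrelated domain that
# embeds the bank's name, and a plain-http link to the real domain.
SAMPLE_EMAIL = """\
From: "BankName Life" <banknamelife@life.banknames.co.za>
To: customer@example.com
Subject: Action required: confirm your policy details
Content-Type: text/plain; charset=utf-8

Your policy will lapse in 24 hours. Confirm now:
https://bankname.co.za.policy-verify.com/login
or via http://bankname.co.za/secure
Regards, BankName Life
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("sender:", result["sender"])
    for verdict, host in result["links"]:
        print("link:  ", verdict, host)
    print("suspicious:", result["suspicious"])
```

Two design points worth noting. The display name is thrown away on purpose, because it is free text the sender controls; only the domain after the @ is classified. And the link check reads the parsed hostname rather than the raw string, so the old trick of putting the bank’s domain in the user-info part of a URL (https://bankname.co.za@evil.com/) is classified as evil.com. This is a reading aid, not a replacement for DMARC enforcement at the mail server, which is what actually stops forged addresses on protected domains.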

Don’t Rely on Appearance Alone

The biggest problem with phishing emails is that they can look highly professional and convincing. The best approach is not to trust an email just because it has the correct logos or familiar formatting – double-check everything before interacting with it.

Beware of Urgent Language

Phishers often put their emails together in such a way that they create a sense of urgency. This is done to rush recipients into taking action. If you ever receive an unexpected email that seems to be pressuring you to act immediately, be suspicious.

Avoid Sharing Sensitive Information

Banks and other financial institutions rarely ask for sensitive information via email, if ever. Your best bet here is to never share passwords, One-Time PINs, ID numbers, or credit card information in response to an email, SMS, or call centre request.

And since scammers now phone you on your cell phone to phish for information, never, EVER read out a One-Time PIN to a caller, however legitimate they sound. They have most likely stolen your login details elsewhere and are trying to get into your bank or cellular contract accounts; the OTP sent to your number is the last thing they need to complete the theft.

Double-Check Requests for Money

If an email requests money transfers, payments, or donations, wait to do anything at all until you’ve verified the legitimacy of the request through other communication channels. The bottom line is that any request involving money, whether it arrives over email, SMS, or a phone call, should raise major red flags in your mind.

Set Up Multi-Factor Authentication (MFA) wherever possible

Enable MFA whenever it’s available. What makes MFA so worthwhile is that even if a phishing attacker obtains your password, they won’t easily get into your account without the second factor. Be aware that SMS and app-generated codes can still be phished in real time by a convincing fake site that passes them straight on to the real one, which is exactly why the advice below about OTPs matters. Where an account offers a hardware security key or passkey, that is the strongest option, because it is tied to the real site’s address and won’t work on a lookalike.

The general rule here is to never give out OTPs that arrive via SMS, codes generated by apps like Google Authenticator, and codes that arrive in your email. Those are For Your Eyes Only – do not share!

Install Security Software

We covered Windows Defender a while back and attempted to answer the question of whether it’s enough to keep your PC protected. While it does a decent enough job, also having reputable antivirus and anti-malware software installed and regularly updated doesn’t hurt. Just remember what it can and can’t do: it may catch a malicious attachment, but nothing on your PC will stop you typing your password into a convincing fake website.

Educate Yourself on Phishing

You can look up cybersecurity awareness online and follow the latest trends to keep yourself educated about how cybercriminals operate. Plenty of online courses, YouTube videos, and websites can help you do this.

Don’t Trust Unsolicited Attachments

If you receive an email with an attachment you’re not expecting or one that has a strange-looking file extension, don’t open it until you’ve confirmed its legitimacy with the sender.

Watch Out for Generic Greetings

Phishing emails often use generic greetings like “Dear User” instead of addressing you by name. This is a major red flag. The reverse isn’t true, though: targeted (“spear”) phishing will happily use your name, your employer and other details scraped from social media, so a personalised greeting is no proof that an email is genuine.

Keep Personal and Work Accounts Separate

If you can, avoid using your work email address for personal accounts (and vice versa) to reduce the risk of cross-contamination. Having separate profiles can help you keep your business’s phishing and cybersecurity risks to a minimum.

Be Careful on Public WiFi

Public Wi-Fi can be useful when you have no connectivity outside your home or business, but you should avoid accessing sensitive accounts or clicking on unfamiliar links when connected to a public network.

You don’t know who else is connected, and someone could be “sniffing” the network or running the hotspot themselves. Modern banking sites use HTTPS, so a passive eavesdropper can’t simply read your password off the network, but a rogue hotspot can still redirect you to a lookalike login page or push a fake “sign in to the Wi-Fi” page that asks for far more than it should. A certificate warning on a public network is a sign to stop, not to click through.

So when you’re connected to the Wi-Fi at a coffee shop, for example, it’s a really bad idea to do your online banking there.

Always Be Prepared

Follow these tips and you’re well on your way to being prepared for any and all future phishing attempts. But if you remember nothing else from this article, remember to be sceptical about emails that hit your Inbox that look even remotely suspicious, and call IT if you’re unsure about anything.

Keep doing that, and you’ll be good.

Header Image by Midjourney
