How not to fall victim to phishing

An illustration of how personal information is obtained by phishers. [iStockPhoto]

Have you received an email or a message containing clickbait that asks you for personal or sensitive information?

Well, you might be experiencing what is called phishing. Phishing is an attempt to fraudulently obtain sensitive information.

Those trying to obtain your information will pose as legitimate individuals or even organisations, especially finance organisations like your bank.

Phishers use social engineering tactics, including guilt-tripping and creating a sense of urgency to convince their targets.

According to SGA Group IT Manager Allan Lwanyaga, phishers’ tools of trade include fake or hijacked email addresses that seem similar to legitimate email addresses, phone numbers, logos, and other false business credentials, all helping trick the target into divulging sensitive data or clicking on a link.

“While most people instantly think of email when it comes to phishing, attacks can also be carried out using social media, phone calls, voice messages, text messages and more,” says Mr Lwanyaga.

Today, these fraudsters have become increasingly sophisticated in their approach. Cisco’s 2021 Cybersecurity Threat Trends Report found that phishing was responsible for a staggering 90 per cent of data breaches.

Those responsible for phishing have a range of goals, including stealing information or money, sabotaging a company’s systems, installing malware or sometimes luring the target to a website as part of the ruse.

“Phishing scams often put pressure on recipients to act immediately, by sending a response, clicking a link, or both. Common methods of pushing recipients include stating that there has been a security breach or claiming that an urgent complaint has been received,” says Mr Lwanyaga.

“The cybercriminal reaches out in the hope that someone will “bite” and engage in conversation with them. When someone does, it allows the criminal to get a foot in the door and take further steps to try to fool the individual into taking additional actions. These actions are carried out with the intention of persuading the victim to divulge information (such as passwords or account numbers) or download something they should not.”

How Can Businesses Prevent Phishing?

Some businesses are more appealing to fraudsters than others when it comes to the target of phishing attacks. Financial service providers such as banks and credit card companies spring to mind.

Thankfully, Mr Lwanyaga says, there are steps that such businesses can take to help protect their customers.

Implementing multi-factor authentication is one such step, as it is harder for criminals to bypass these processes – though not impossible.

Configuring email security technologies – email services can also implement email authentication technologies that verify where messages originated and can reject messages that are spoofed. Check with your provider to see what security options are available.

It is also important to remember that an organization’s defences are only as strong as its “weakest” employee: a single staff member who falls for a phishing scam is enough to unwittingly bring down a business. Educate both customers and employees about what phishing is and what they should look out for. Ensure your customers know which pieces of information you will never ask them for.

Always check email and message sources and IDs, from email headers to URLs.
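The two points above, verifying where a message originated and checking its headers, can be partly automated on the receiving side. The following is an added example, not code from the article or from SGA Group: it reads a raw message, compares the visible From domain with the Return-Path and Reply-To domains, and reads the SPF, DKIM and DMARC verdicts that most mail providers stamp into an Authentication-Results header (the article does not name these mechanisms; the header name and the sample message are assumptions for this example).

```python
"""Flag common spoofing signs in the origin headers of a received email.
Added example (not from the article). Assumes the receiving mail server has
already added an Authentication-Results header with spf/dkim/dmarc verdicts."""
import email
import re
from email import policy


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an address header value, or ''."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def auth_results(header: str) -> dict:
    """Extract 'spf=pass', 'dkim=fail', 'dmarc=none' style verdicts."""
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header or ""), re.I)
    return {k.lower(): v.lower() for k, v in found}


def check_message(raw: str) -> list:
    """Return a list of warning strings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom = domain_of(msg.get("From", ""))
    # Return-Path is where bounces go; a mismatch with From is a classic spoof sign.
    ret_dom = domain_of(msg.get("Return-Path", ""))
    if ret_dom and ret_dom != from_dom:
        warnings.append(f"Return-Path domain {ret_dom} differs from From domain {from_dom}")
    # Reply-To pointing elsewhere diverts the victim's answer to the attacker.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    results = auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            warnings.append(f"{mech} result is {results.get(mech, 'missing')}")
    return warnings


# Constructed sample: a message claiming to come from a bank but sent elsewhere.
SAMPLE = """Return-Path: <bounce@mail-example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-example.net; dkim=none; dmarc=fail header.from=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
Reply-To: support@examplebank-secure.example
Subject: Urgent: your account has been locked

Click here to restore access.
"""

if __name__ == "__main__":
    for warning in check_message(SAMPLE):
        print("WARNING:", warning)
```

A message with no warnings is not proof of legitimacy, only that its origin headers are consistent; a compromised but genuine mailbox passes all of these checks.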

Deploy and maintain anti-virus software – if the phishing attack aims to install malware on your computer, up-to-date anti-virus software may help prevent the malware from installing.

How Can Individuals Defend Against Phishing?

As an individual, you can defend against phishing by educating yourself about what it is and how it works. Knowing which warning signs to look out for could make a huge difference.

It is also important to trust your instincts. If something does not feel right, stop and check. Phishing scams can be very sophisticated, but sometimes all it takes to avoid falling victim is to step back from the situation and think twice before clicking a link or sharing a piece of information.

Remember: if something seems too good to be true, or if an urgent request is unusual in that context, it is probably linked to fraud. If unsure, contact the purported sender yourself using a phone number or email address from their official website, which you should reach through a search engine, not through a link in the email.