Phishy, phishy, phishy
Advances in the world of cyberfraud are the stuff of investment nightmares
Mike Tyson once said, “Everybody has a plan until they get punched in the mouth.” Ronnie and Dawn Lawson from Durban were like everybody – they thought they had a plan.
The couple are in their late fifties and both are just a few years from retirement. With many years of service in their respective workplaces and slow, conservative saving, they have accumulated a modest pension.
Then came the punch in the mouth. Ronnie’s bank details were hacked (who knows when). The attackers struck earlier this year and in a little less than a week R350 000 was removed from the couple’s access bond, R18 000 out of the credit card account (which had a positive balance) and a further R7 000 from the current account. These accounts were all linked. At this point the bank became suspicious and put the brakes on the withdrawals.
That was all well and good, but a fair amount of money had already been stolen. The question now is who is responsible and what recourse the Lawsons have. The bank is adamant it is not responsible; it lays the blame squarely at the feet of the Lawsons, because to access Ronnie’s accounts someone must have had the correct bank details and PINs. Ronnie is adamant he did not divulge his bank details over email, by telephone or in any other way that could be construed as irresponsible. He believes the fault lies with the bank and that the couple should be reimbursed. At the time of writing, the two sides were in a stand-off.
It seems, when it comes to cybersecurity, Tyson was right. A plan is only as good as its weakest link. While it is likely that the family will survive financially, this is their worst investment nightmare.
Phishing is an attempt to gain private information, such as usernames and passwords, illegally.
It is likely that the Lawsons’ home computer was the subject of a phishing attack, says Marcus Swanepoel, CEO and co-founder of bitcoin exchange Luno. “The cryptocurrency world is new, which makes it susceptible to fraud and scams. However, in our efforts to protect our clients and ourselves we have come to realise how big cyberfraud is, not just in the crypto world but in the fiat world too. It is a massive problem and the average consumer is woefully unprotected. In today’s online world this puts their entire financial stability at risk.”
Of all the scams in a fraudster’s toolbox, phishing is the most common, he says.
Phishing is the attempt to obtain sensitive information such as usernames, passwords, credit card details or even money itself, often by sending an email that appears to come from a legitimate company but contains a link that takes the unsuspecting victim to a fake website disguised as the real one.
It used to be that phishing emails were conspicuous through spelling mistakes, bad grammar and obvious trickery (remember the infamous 419 emails?). Today attacks via email are sophisticated and difficult to detect, as cybercriminals take great care to camouflage their bait: many fraudulent emails carry privacy warnings, the company name and email address, the genuine logos and other content that makes them appear authentic. This is why about one in four people click on them, according to Dashlane.com, a company that makes a password manager.
Cybercriminals are well organised (and, it seems, well funded), and their foot soldiers constantly trawl the internet for personal information that could lend a believable, ‘friendly’ touch to a phishing email. Last month Facebook acknowledged that personal information about millions of users had wrongly ended up in the hands of Cambridge Analytica, which had been an accredited third-party developer on the platform. This week both Twitter and the popular health and fitness site MyFitnessPal admitted to a near-breach and a data breach respectively.
Hackers acquired usernames, email addresses and passwords from the popular fitness site MyFitnessPal.com.
Twitter identified unauthorised activity on its site, but did not report a breach.
The scattergun phishing scams described above, which are intended to dupe all and sundry, are not the only thing to worry about. Highly individualised phishing, called spear phishing, is on the rise too, says Swanepoel. Attackers get into your email inbox and watch it until an invoice arrives. They then alter the payment details on the invoice itself, and you unwittingly pay it into a fraudulent bank account. Who is at fault? Ultimately the person who paid the money into the wrong account loses out.
There is another form of spear phishing, known as business email compromise (BEC), that targets senior executives in a company, usually the CEO or CFO. This scam begins with the attackers phishing an executive and gaining access to that individual’s inbox in order to learn as much as they can about the person and the workings of the company. Armed with that information, they email employees from a look-alike domain name that is one or two letters off the target company’s real domain and instruct them to make certain payments.
In Australia recently a PA emailed her boss, the CEO of the group, reminding him to authorise a $20 million payment that day and providing the banking details. The CEO was expecting the email and duly executed the instruction. The result is by now predictable: the attackers had watched very patiently, they knew the deal was on the table, they knew the CEO had asked for a reminder, and they spoofed the PA’s account at precisely the right time.
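The look-alike domain trick described above is mechanical enough to check for automatically. The following Python is an added example written for this article, not code from Luno or from anyone quoted here; the company domain and the sender addresses are constructed, hypothetical samples. It pulls the real address out of a From: header (ignoring the display name, which is what the victim usually reads), folds common homoglyph substitutions such as rn for m and the digit zero for o, and flags any sender domain within a couple of edits of the genuine one.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample data (hypothetical names, not taken from the article).
TRUE_DOMAIN = "example-group.com"

SAMPLE_SENDERS = [
    "Jane PA <jane.pa@example-group.com>",       # the genuine domain
    "Jane PA <jane.pa@exarnple-group.com>",      # 'm' replaced by 'rn'
    "Jane PA <jane.pa@example-gr0up.com>",       # 'o' replaced by digit zero
    "Jane PA <jane.pa@example-group.co>",        # one letter dropped
    "Jane PA <jane.pa@examp1e-group.com>",       # 'l' replaced by digit one
    "Newsletter <news@totally-unrelated.org>",   # unrelated domain, not a look-alike
]

# Substitutions that look identical or nearly so in common fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "\u0131": "i", "\u03bf": "o"}


def normalize(domain):
    """Fold case, Unicode compatibility forms and common homoglyphs."""
    domain = unicodedata.normalize("NFKC", domain).strip().lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(from_header, true_domain=TRUE_DOMAIN, max_distance=2):
    """Return 'genuine', 'lookalike' or 'other' for one From: header."""
    domain = sender_domain(from_header)
    if domain == true_domain:
        return "genuine"
    if edit_distance(normalize(domain), normalize(true_domain)) <= max_distance:
        return "lookalike"
    return "other"


def scan(headers=SAMPLE_SENDERS, true_domain=TRUE_DOMAIN):
    """Classify every header; returns a list of (domain, verdict) pairs."""
    return [(sender_domain(h), classify(h, true_domain)) for h in headers]


if __name__ == "__main__":
    for domain, verdict in scan():
        print(f"{verdict:10s} {domain}")
```

Anything rated lookalike deserves a phone call to the sender on a number you already have, never one taken from the email. The distance threshold of 2 is a judgement call: raise it and you catch more variants but also flag unrelated short domains, so in practice pair it with a list of domains your company actually corresponds with.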
According to the Anti-Phishing Working Group’s (APWG) Phishing Activity Trends Report for Q3 2017, phishing attacks increased 65% between 2016 and 2017. Between July and September 2017 a total of 296 208 unique phishing reports were submitted, 23 000 more than in the previous quarter, and the most targeted industries were payments, email and finance. It also notes that fake invoice emails are the number one phishing lure (26%); generic documents (13%) and mail delivery failure notices (10%) are also popular.
Source: Phishing Activity Trends Report Q3 2017, published February 2018
The World Economic Forum’s 2018 Global Risks Report adds further eye-opening stats on corporate cybercrime:
• Cyberattacks reported by businesses almost doubled in the five years to 2017; from 68 attacks per business to 130 per business
• A 2017 study of 254 companies put the annual cost of responding to cyberattacks at $16.5 million per company, a year-on-year increase of 27.4%
• The cost of cybercrime to businesses over the next five years is expected to be $8 trillion
The global risks landscape 2018: cybersecurity falls into the top right-hand quadrant
Source: WEF 2018 Global Risks Report
Data breaches are in the news every week. Our credit card information and personal data can be stolen more easily than we believe.
So what can we do about this?
Two new policies underline the fact that the phishing and spoofing attacks behind data breaches are not only increasing in frequency but are also becoming harder to detect.
In early October 2017 the US Department of Homeland Security directed all federal agencies to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an email standard that lets a domain owner tell receiving mail servers how to treat messages that fail authentication checks, by January 14 2018, to secure federal website connections (HTTPS instead of HTTP) by the following month, and to move to an enforcing DMARC policy within 12 months, in order to protect citizens from phishing, email fraud and government agency impersonation.
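The difference between merely publishing DMARC and enforcing it is the whole point of that directive, and it is visible in one DNS record. The Python below is an added example for this article, not code from the DHS or from anyone quoted here; the domains and records are constructed samples. It parses a _dmarc TXT record and rates it: no record, monitor-only (p=none, which reports spoofing but still lets it through), a partial rollout (pct below 100), quarantine, or full reject including subdomains.

```python
# Constructed example records for hypothetical domains (not real DNS lookups).
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "rollout.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@rollout.example",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example; fo=1",
}


def parse_dmarc(txt):
    """Split a _dmarc TXT record into tag/value pairs; None if it is not a DMARC record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # A valid record starts with v=DMARC1 and must carry a policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(txt):
    """Rate a record: 'missing', 'monitor', 'partial', 'quarantine' or 'reject'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", "no valid DMARC record: receivers apply no policy to spoofed mail"
    policy = tags["p"].lower()
    pct = int(tags.get("pct") or "100")
    if policy == "none":
        return "monitor", "p=none only requests reports; spoofed mail is still delivered"
    if policy not in ("quarantine", "reject"):
        return "missing", f"unknown policy '{policy}'; treated as no policy"
    if pct < 100:
        return "partial", f"p={policy} applies to only {pct}% of failing mail"
    if policy == "quarantine":
        return "quarantine", "failing mail goes to junk rather than being refused"
    # sp= defaults to p=, so a missing sp on a p=reject record still covers subdomains.
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        return "partial", f"p=reject but subdomains only get sp={sub}"
    return "reject", "receivers refuse mail failing SPF/DKIM alignment, including from subdomains"


def is_enforcing(txt):
    """True only for a record that rejects failing mail at 100% on the domain and its subdomains."""
    return assess(txt)[0] == "reject"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        level, reason = assess(record)
        print(f"{domain:22s} {level:10s} {reason}")
```

To check a real domain, fetch the record with `dig +short TXT _dmarc.<domain>` and pass the string (minus the surrounding quotes) to `assess`. A bank or payroll provider whose domain comes back as missing or monitor is one whose name an attacker can put in the From: line of a phishing email with nothing stopping delivery.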
On May 25 2018 the EU General Data Protection Regulation (GDPR) comes into effect for every company that handles the personal data of EU residents. The regulation is intended to strengthen and unify data protection, giving control back to consumers and setting the standard for holding businesses accountable for data breaches. The most serious infringements carry fines of up to €20 million or 4% of annual global turnover, whichever is greater, and there are hefty fines too for simply not being compliant by the due date.
South Africans however, will need to look after themselves.
So, aside from the usual guidelines, you can protect yourself against phishing scams and most other attacks simply by enabling two-factor authentication, says Swanepoel.
With two-factor authentication (2FA) enabled, you will need two things to gain access to your account: your username and password (something you know) and a one-time PIN that gets generated on your mobile phone (something you have).
But again, your protection is only as strong as its weakest link. It doesn’t help to enable this on your bank account and then not do the same for your personal email or social media accounts: you need to put 2FA on your Gmail and Facebook accounts too, because an attacker who controls your email can reset the passwords on almost everything else.
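The one-time PIN that an authenticator app shows you is not magic: it is a short code computed from a secret shared at enrolment and the current time, as standardised in RFC 4226 (HOTP) and RFC 6238 (TOTP). The Python below is an added example for this article, not code from Luno, any bank or anyone quoted here. It implements both sides, the phone generating a code and the server checking it with a small allowance for clock drift; the secret is the reference key from those RFCs so the output can be compared with their published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference secret (ASCII "12345678901234567890"); used here only so the
# codes can be checked against the RFCs' published test vectors. Real secrets are random.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in 30-second steps."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, submitted, at=None, step=30, window=1):
    """Server side: accept the code for the current step plus or minus `window` steps.

    The comparison is constant-time so timing does not leak how many digits matched.
    """
    at = time.time() if at is None else at
    counter = int(at) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps are enrolled with a base32 seed (the QR code); decode it to bytes."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, at=now)
    print("code shown on the phone:", code)
    print("server accepts it:", verify_totp(TEST_SECRET, code, at=now))
```

Two things follow from how this works. The server never needs the phone to be online, only a reasonably accurate clock on both sides, which is why a wide acceptance window is a bad idea. And the code is only as good as where you type it: a phishing site that asks for your username, password and one-time PIN can replay all three to the real site within the 30-second step, so 2FA raises the bar but does not remove the need to check the address bar before logging in.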
Email remains one of the most popular targets for cybercriminals. Take steps to secure your Gmail account.
Social networks like Facebook, Twitter, YouTube and Google+ play a significant role in our lives, but they are also a high-risk area for security threats.
While this is not a 100% guarantee that your identity or money will be safe, it will make a big difference in addressing the issue, says Swanepoel. The most important thing is still to have an overall security mentality and be overly paranoid about someone accessing your data or accounts. “Most people have a ‘it will never happen to me’ or ‘I don’t have anything to hide’ attitude about securing their personal information without realising that it is all intrinsically linked to one another and could eventually be used to compromise your money or investments one way or another,” he says.
Banks and bitcoin exchanges do remind customers about all of this, but the responsibility is ultimately still in the hands of the user.
Enabling 2FA is probably the best investment decision you can make in the next five minutes.■