printer friendly version

Phish me tender, phish me true

Phishing remains the most successful threat action when it comes to data breaches, successful hacks and social engineering. The Verizon 2021 Data Breach Investigations Report found that phishing was linked to 36% of breaches and that 85% of breaches connected to social engineering saw cybercriminals walk off with critical login credentials.

Anna Collard.

The past two years have seen cybercriminals not just gain traction and speed as they have ramped up their attacks, but smart ways of manipulating users. It is clever subject lines, personalised messages and emotive approaches that are currently dominating phishing attacks, explains Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa.

“Many phishing attempts succeed because they rely on people to react on their emotions,” she adds. “People react to an official-looking banking email telling them that they have been hacked; or to give out important information over the phone because they think they are talking to a professional organisation; and to click on links and images because they think they have been sent by a trusted source, such as someone from inside their company or someone they know.”

There are multiple threat vectors being used by cybercriminals to get users to slip up so they can slip right on in. In South Africa, the most common phishing and social engineering tactics are:

1. Mobile phishing: These attacks can be anything from using a virus that has been preloaded onto a mobile app, to recreating a corporate login page and using a SMS or WhatsApp message (smishing) to direct the user to that page. Once the person enters their credentials, they are snapped up by the cybercriminals. As the KnowBe4 Phishing by Industry Benchmarking Report found, 67% of respondents use their mobile devices for financial transactions and mobile banking, making this a scary place to make a security mistake. Smishing has become very popular in South Africa and is also being used to disseminate fake news and dis-information.

2. Intelligent subject lines. This may not sound dangerous at first glance, but actually, the subject lines used by hackers in phishing emails are increasingly personalised so that users are encouraged to click on the content. These subject lines are curated to fit the person’s life and everyday tasks so they do not think twice before they open the attachment, enter their credentials, letting the hackers in. A form of this type of highly personalised and targeted attack is known as spear phishing, it is laser focused on one victim or company because the information they hold is of the most value to the attackers.

3. Clever content. There may still be phishing emails out there that are badly spelled, poorly worded and just plain daft, but most are very well written nowadays. In fact, many come across as being written by a trusted colleague or friend and include information that makes it look like the email is every bit as urgent and legitimate as it claims. Always check the URLs, always be wary of attachments and think before you click.

Perhaps the biggest security risk is people. The employees who click on the email or hand out information over the phone. The remote workers who enter their login credentials to a fake website. The person who opens an attachment from their friend Dave. Each of these moments can be prevented or minimised if people understand the risks and are given the tools they need to recognise them.

“It is really important for people to realise that cybercriminals are learning,” concludes Collard. “They are learning and evolving so that their attacks can bypass expensive and complicated security systems and catch people unaware. Check every email, text, SMS, message and phone call and stay alert to make sure that you are not another victim in 2022.”

Share this article:

Further reading: