Stealing enterprise: Cyber criminals master data theft 

By , June 8, 2022

For years, William Musyoka, a tech expert who currently works as the operations manager at Bizin Africa, has helped people solve tech-related problems such as hacking incidents, data backup, data recovery and detecting deepfakes, among many others.

This led him to reckon that, being a tech guru, he was invincible to any online fraud that came his way. As he shares, that belief changed about a month ago when he received an email that appeared to come from his boss.

“I was in the office at around midday when I received an email. It was from my boss as per the names, so I didn’t bother to check the email address. The email was requesting my services urgently. I responded in the affirmative and the next mail came.

“He wanted me to go and deposit some Sh30,000 to a number given there and I would be refunded later that day when he checks in at the office. I was so convinced that it was him,” he starts.

Reality check

He adds: “When I was about to send the money, I recalled some urgent clarifications I wanted from him concerning the transaction. I reached out to him via a call to confirm and that is when the truth hit me. He wasn’t the one sending the emails. We had to call a meeting together to check the spam email and alert the rest of the team. I nearly fell victim to this common cyber attack act called phishing. As Information and Technology (IT) specialists, we had to block the spam email address. This is a type of phishing known as spear phishing because it is directed to a specific person,” he says.

Phishing is one of the most common cybercrime methods used today. According to the Chief Information Security Officer’s (CISO) 2021 Cybersecurity Threat Trends report, about 90 per cent of data breaches and attacks occur due to phishing. This is because human beings are the weakest link in cyber security, and attackers make sure to exploit this in their attacks.

Phishing is a type of social engineering attack in which the attacker sends crafted messages designed to trick a person into revealing sensitive information, such as login credentials or credit card numbers, or into deploying malware on the victim’s computer or network. Depending on the attacker’s goal, phishing can be focused on a specific individual or be general (for instance, random application users or a group of financial administrators). Phishing can be delivered in different forms: through email, telephone or text message.

Depending on the goal of the attacker, William mentions, there are other phishing techniques that cyber attackers have been using to entice users. “Email phishing is the most common technique where the criminal duplicates or creates a look-alike domain of an organisation and sends thousands of scam emails. It has been noted that these thieves sometimes create a domain with a legitimate brand’s name. We also have whaling. These are more intense than spear phishing. They target senior executives and the ever-busy CEOs. Spam emails can be sent to subordinates who might be afraid to confront their superiors.

“There is also smishing and vishing. In this case, people use phones to send text messages instead of emails. With vishing, the crooks make calls to the unsuspecting workers. Lastly, we have angler phishing. This is a relatively new attack vector; social media offers several ways for criminals to trick people. Fake Uniform Resource Locators (URLs); cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware,” he divulges.

Potential targets

Christine Wambiru is a cyber security expert from Shehacks Kenya—a community of women in cybersecurity from various backgrounds and counties. She explains that phishing begins with a fraudulent text message, call or email, specifically designed to persuade one into opening an attached document or link. The message is crafted to make it look as though it is originating from a trusted sender like the bank, a client, human resource (HR), or the management. The criminal first starts with information gathering, which is the act of collecting information about a potential target. This information can be obtained from social media, websites, LinkedIn, GitHub, Google search or through friends and family.

“If the victim is not cautious, they could be persuaded into sharing confidential information or downloading malware onto their computer or mobile phone. Attackers always work on identifying an organisation or a group of individuals they want to target, and then create an email or text message that is specifically crafted for that group of people, and only they are aware of the content in the email. For example, if it is a group of financial administrators in one organisation, they can send out an email pretending to be HR, informing them that a certain client has been onboarded and that they should begin the processing, and attach a Word document (embedded with macros) with the format that they will use. For the attacker to make the email look as legitimate as possible, they first have to perform information gathering or reconnaissance,” she explains.

Know the difference

As Wambiru points out, it is possible to differentiate between phishing mails and legitimate mails. “Characteristics of phishing mail include the use of emotions such as fear, curiosity and urgency to force the victim into opening the attachment or clicking on the link, for example an email from your bank or HR claiming that your account will be suspended if you do not update your personal information. They are designed to come from a legitimate company or individual. Phishing emails are designed to be eye-catching in order to capture the victim’s attention immediately,” she says.
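The three tell-tale signs mentioned so far (a display name that matches a known person while the address does not, as in the opening anecdote; a look-alike domain of the kind William describes; and the urgency cues Wambiru lists) can be checked mechanically before a message reaches a busy inbox. The following Python script is an added example, not code from the article or from either expert, and everything in it is constructed: the trusted domain `bizin-example.co.ke`, the sender directory, the cue list and the two sample messages are hypothetical. It parses each message with the standard library, scores the indicators and returns a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Hypothetical trusted domain and known-sender directory (constructed for this example).
TRUSTED_DOMAIN = "bizin-example.co.ke"
KNOWN_SENDERS = {"jane.mwangi@bizin-example.co.ke": "Jane Mwangi"}

# Emotional-pressure phrases of the kind the article describes (urgency, fear).
URGENCY_CUES = ("urgent", "urgently", "immediately", "suspended", "right away", "as soon as possible")

# Character swaps commonly used to build look-alike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalise(label: str) -> str:
    """Undo common homoglyph substitutions so 'exarnple' and 'example' compare equal."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when `domain` is not the trusted domain but is built to resemble it."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    # Compare the first label (e.g. 'bizin-example') rather than the whole name,
    # so a different TLD such as 'bizin-example.com' is caught as well.
    d_label, t_label = domain.split(".")[0], trusted.split(".")[0]
    if normalise(d_label) == t_label:
        return True
    return edit_distance(d_label, t_label) <= 2


def analyse(raw_message: str) -> Dict[str, object]:
    """Return the phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if "@" in reply_to else from_domain

    # Display name matches someone we know but the address is not theirs:
    # the exact trick in the opening anecdote ("from my boss as per the names").
    known_addr = next((a for a, n in KNOWN_SENDERS.items() if n.lower() == display_name.lower()), None)
    name_spoof = known_addr is not None and address.lower() != known_addr

    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    cues: List[str] = [c for c in URGENCY_CUES if c in text]

    lookalike = is_lookalike(from_domain)
    reply_mismatch = reply_domain != from_domain
    score = int(name_spoof) + int(lookalike) + int(reply_mismatch) + int(bool(cues))
    return {
        "display_name_spoof": name_spoof,
        "lookalike_domain": lookalike,
        "reply_to_mismatch": reply_mismatch,
        "urgency_cues": cues,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "likely fine",
    }


# Constructed sample messages; the phone-number request mirrors the anecdote.
SPOOFED = """From: Jane Mwangi <jane.mwangi@bizin-exarnple.co.ke>
Reply-To: jane.mwangi@mail-example.net
Subject: Urgent request
Content-Type: text/plain

Please deposit Sh30,000 to the number below immediately. I will refund you when I am back in the office.
"""

GENUINE = """From: Jane Mwangi <jane.mwangi@bizin-example.co.ke>
Subject: Team meeting on Thursday
Content-Type: text/plain

Hi all, the weekly meeting moves to 10am on Thursday. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, analyse(raw))
```

The score is deliberately simple: any two independent indicators are enough to route a message for a second look, which is what the phone call in the anecdote amounted to. A real mail gateway would add SPF/DKIM/DMARC results and attachment inspection on top of these header and content checks.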

Like any other attack, phishing carries its own dangers and risks. The impact depends on the type of victim the attacker chooses. “To an individual, phishing can cause harm through fraudulent charges on credit cards. For example, the attacker visits major online shopping platforms and purchases items using their credit card. Another harm is impersonation as they can pretend to be you to friends and family requesting for money hence putting them at a huge risk of loss of money, files, or leaking some confidential photos and videos of an individual,” says Wambiru.

Phishing may lead to reputational damage, loss of corporate funds, loss of sensitive data, intellectual property theft and loss of customers’ trust. Financial penalties, where clients may begin to sue the organisation, are another possible harm. Wambiru, however, gives tips on how to avoid falling victim to phishing.

“To protect yourself against spam mails, spam filters should be used. One should also keep their browser and applications up to date. This applies to both your computer and mobile phone. Then ensure that there is a frequent change of passwords. It is recommended that you change your passwords after every 30-60 days. Also, apply two-factor authentication, including use of One-Time Passwords (OTPs). Do not open or click on email links from unknown sources.
