Phishing is a form of identity theft where cybercriminals try to obtain private details such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity.
Kenya faces a potentially huge cyber insecurity problem. As arguable as this may seem, the fact is that cases of cyber-attacks are on the rise, going by recent trends.
The country currently records an estimated 3,000 successful or failed attacks every month, according to the ICT governance organization ISACA (formerly the Information Systems Audit and Control Association).
Social engineering (the psychological manipulation of someone into inadvertently divulging confidential information) is one of the main feeder tactics that cyber-criminals rely on to target both individuals and organizations.
One tool in social engineering is phishing. This is a form of identity theft where cybercriminals try to obtain private details such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity. Often delivered via emails, it is an improved version over the old methods that relied on phone calls and physical letter scams.
Phishing attacks are typically deployed post-breach, where criminals may send out warnings to users advising them to change their passwords (but directing them to a fake website to harvest their details). Often, phishing attacks act as easy gateways into an enterprise’s network for the cybercriminals to launch more sophisticated attacks.
“This continues to be a problem because people by nature are gullible hence a soft target for cyber-criminals”, says Teddy Njoroge, Country Manager for internet security solutions company, ESET East Africa.
Even so, one can still stay safe and better protected against phishing attacks through some basic proactive measures.
Be sensible and smart
Plenty of phishing emails are obvious, often phrased in an impersonal greeting or featuring implausible and generally surprising content. You are likely to come across numerous typos, mismatched words and mixed caps. Some of these mistakes are intentional to try and hoodwink spam filters while weeding out ‘smart’ recipients who may not fall for the con.
If an email looks suspicious you are better off reading it again carefully and even confirming with the source. A reputable company will very rarely require you to do something urgently, for example on the pretext of avoiding fines or other penalties. Where it does, that is the exception to the rule; usually, threats and urgency, especially when they appear to come from a legitimate company, are a sign of phishing.
“Never click on links, especially emails asking for confidential information such as personal or banking details unless you are absolutely sure that it is authentic. If in doubt, open a new browser window and type the URL that you know and are familiar with into the address bar instead”, says Njoroge.
When using social media, be wary of shortened links as provided by the various shortening services, so as not to inadvertently land on a fake website. A simple technique to tell a legitimate web link from a fake one is to mouse over the link and check whether the destination it points to matches the one that appears in the email text.
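As an added example, not code from the article or from ESET, the following Python check applies the advice above to an HTML email body: it flags links whose visible text names a different host than the real target, links that go through a shortening service, and targets that are not served over https. The shortener list and the sample message are constructed assumptions for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}  # constructed shortlist, an assumption
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)  # domain-looking token in link text

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html_body):
    """Return [(href, text, reasons)] for every link that fails one of the checks."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href if "://" in href else "http://" + href)
        target = (url.hostname or "").lower()
        reasons = []
        shown = DOMAIN_RE.search(text)  # does the visible text itself claim a destination?
        if shown and shown.group(1).lower() != target:
            reasons.append("visible text does not match link target")
        if target in SHORTENER_HOSTS:
            reasons.append("shortened link hides destination")
        if url.scheme != "https":
            reasons.append("not https")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample (not a real message): a lookalike link, a shortened link, a consistent https link.
SAMPLE_EMAIL_HTML = """
<p>Your account was accessed from a new device. Please visit
<a href="http://mybank-secure.example.net/login">www.mybank.co.ke</a> to confirm.</p>
<p>Or use <a href="https://bit.ly/EXAMPLE">this short link</a>.</p>
<p>Help: <a href="https://www.mybank.co.ke/help">https://www.mybank.co.ke/help</a></p>
"""
```

Calling `check_links(SAMPLE_EMAIL_HTML)` reports the first two links and passes the third, whose visible text and real target agree.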
“Cybercriminals may use these ‘fake’ sites to steal your entered personal details or to carry out a drive-by-download attack, thus infesting your device with malware. Always contact the company separately via a known and trusted channel,” says Njoroge.
One great innovation is the ability to browse the web via a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar). This is particularly important when submitting sensitive information online, such as credit card details.
For activities such as online banking or shopping, you should never use public (unsecured) Wi-Fi. A better alternative is to rely on your mobile phone service provider’s 3G/4G or LTE connection.