Phishing is the term used when a cybercriminal sends some sort of electronic message to trick the recipient into doing something unwise.
The “fishing” metaphor refers to the impression of getting one on the hook and then reeling one in, writes Harrish Chib, vice-president: Middle East and Africa at Sophos.
The criminals behind this kind of crime, commonly known as phishers, usually use email, because it is amazingly easy to fake up messages that look realistic. In Africa, where countries are developing and going through many changes, phishing through email can be very popular, perhaps because phishers now target many geographies.
However, phishing attacks may also arrive via social media, SMS or other instant messaging platforms.
Here are some examples of the type of deceit used by phishers:
* One receives an invoice specifying a modest purchase from a well-known online site, complete with ripped-off logos and text copied from a genuine invoice. Below is a legitimate-looking link or button to [Contest this charge] or [Query this purchase]. One knows one didn’t make the purchase, so one’s instinct is to click through and log in. But if one does, one ends up on a phony login page, and one’s password ends up in the hands of the crooks.
* You receive an email from someone apparently applying for a job that’s currently advertised on your company website. Attached to the email is a file that looks like a document containing a CV (résumé). Your instinct is to open it, but if you do, you inadvertently run a booby-trapped file that allows the crooks to implant malware on your computer.
* One receives a marketing email inviting one to take a realistic-looking survey in return for a chance to win a shopping voucher, an iPhone or a holiday. One’s gut feeling is to fill it in, but along the way one is asked to provide personal data that one would normally keep to oneself, such as a birthday, home address or credit card details.
What to do?
Phishing can be hard to spot, because phishers don’t always make telltale spelling errors or grammatical mistakes.
The phishers may know your name and address, so they don’t always start with indications like Dear Sir/Madam, or use a vague address such as Arizona.
Here are some tips to avoid getting sucked in:
* Don’t enter passwords into login pages that show up after you click on a link in an email. Bookmark the official login pages of your favourite sites, or type the URLs into your browser from memory.
* Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
* Set up an “ask the experts” email address inside your organisation, for example security@example.com. That gives your users a quick way to ask for advice about unexpected emails and unsolicited attachments.
If in doubt, don’t give it out. Your personal data simply isn’t worth the vanishingly small chance of winning an iPad from a marketing company you’ve never heard of.