You would be forgiven for thinking that terms like phishing, vishing, whaling and pharming all had something to do with either a water sport or a pharmaceutical company, but every one of these is a cybercrime attack.
These attacks leverage social engineering techniques to hack personal accounts, infect devices with ransomware, gain access to organisations or steal information to be sold on to the highest underground bidders.
As Anna Collard, senior vice-president of content and evangelist at KnowBe4 Africa, points out, it has become absolutely essential for people to be mindful of what they post on social media.
“The risk of identity theft has never been greater and, according to a report by SAFPS, has increased by 337% in 2020,” she says. “When you share photographs of your children in front of their school, there is a lot of information right there, in the public eye, that includes your location, their location, and their relative age. It also gives them your children’s names and other personal information that can be used to potentially fool you into believing that you are handing over your information to a legitimate caller or company.”
The different types of social engineering have seen a rapid and worrying rise over the past 18 months. Spear phishing attacks have increased significantly, many using the pandemic and scare tactics to get people to share secret information. Spear phishing attacks are smart. The hackers use personal information, often pulled off social media, to pretend they are a friend, trusted entity or company employee to get information such as login credentials. All the things you posted online are used against you, very successfully.
“The problem is not that people are making stupid mistakes, but that the hackers are using more sophisticated techniques,” says Collard. “If you have just posted a really well thought out message on LinkedIn, for example, and you get an email a few minutes later saying that people are engaging with your post and you should click a link to see, you will probably go to click it. Most people do click it. And that is usually going to take you to a fake site that harvests your information.”
While phishing and spear phishing tend to use email to catch their victims unaware, vishing scams use phone calls to trick people into handing over their personal details, and the callers do so by knowing just enough about you to make the call sound authentic. They will have trawled social media for information that they can use to sound professional and legitimate, and they then fool you into believing that they are from the bank or the company IT department.
This does not mean that you now need to cut all social media ties and end your life online, but rather that you need to closely monitor what kind of information you put online, and who can see it. Social media is still the fun world of connections and people it has always been; it just needs to be managed to ensure the safety and security of both individuals and the companies they work for.
“Your profile on social media reveals a lot about who your friends are, about who the important people in your life are,” concludes Collard. “These attacks pick up threads, target people and use smart techniques to fool you, and you often will not know if it is real or not. So, be mindful about how much information you share, what kind of information you share, and do not click on links unless you are 100% sure they are safe.”