Yesterday (5 May) was World Password Day, a global date recognising the importance of strong passwords to ensure users remain safe while using online services.

However, cybersecurity experts are warning that consumer habits of sharing personal information online – for example on social media – combined with the mass troves of personal data that were stolen during recent data breaches have put consumers at risk of increasingly sophisticated social engineering attacks. This means individuals will need more than just a strong password to stay protected.

“Even a cursory online search can reveal huge amounts about a person, including their age, gender, which city or town they live in, what school they attended and more,” says Brian Pinnock, cybersecurity expert at Mimecast. “When combined with the highly sensitive information contained in recent data breaches over the last couple of years, specifically at credit bureaus Experian and TransUnion, cybercriminals could target consumers with extremely convincing attacks that could compromise their security and lead to financial and other losses.”

TransUnion made headlines in March after a hacker group from Brazil claimed to have stolen the credit records of 28-million South Africans, although an official TransUnion comment stated that ‘at least three million consumers were affected by the hack’.

TransUnion subsequently revealed that the stolen data could include a person’s name, ID number, gender, contact details, marital status, the identity of their employer and duration of employment, vehicle finance contract numbers and vehicle identity numbers. In isolated circumstances, a spouse’s information, passport numbers, and credit and/or insurance scores may have been stolen.

At the time, the group claimed to have accessed TransUnion’s systems by using an authorised client’s login credentials, which used “password” as the password.

“There’s a common saying in cybersecurity that threat actors don’t hack in anymore, they just log in,” says Pinnock. “Once they have access to personal records, they use the information in a broad range of techniques ranging from brand impersonation to phishing, with the purpose of harvesting victims’ login credentials. The more personal data they have access to, the more convincing the attacks, and the more likely consumers will be tricked into divulging the information threat actors need to access their accounts.”

Mimecast’s latest State of Email Security 2022 report found that 94% of South African companies have been the target of an email-related phishing attempt in the past year, with nearly two-thirds saying they’ve seen an increase in such attacks.

“Overall, more than three out of four companies reported an increase in the number of email-based threats they receive, with 55% citing concern over the growing sophistication of such attacks. Encouragingly, there is growing recognition of the responsibility of companies to protect customers from attacks, with nearly all South African companies surveyed either using or planning to use a brand protection service this year to combat threat actors imitating their brands and tricking customers. Eighty-six percent of companies also stated they are using or plan to use DMARC, a technology that prevents email spoofing of their own domains.”

Pinnock advises that consumers take extra care when speaking to supposed service providers or bank representatives over the phone or via email. “It’s highly unlikely that threat actors can access consumers’ bank accounts using the data that was stolen during the recent breaches, but they can use this information in phishing, vishing and smishing attacks,” says Pinnock.

“Consumers are urged to be suspicious of anyone calling with personal information about them and then requesting PIN numbers or login credentials. Banks and service providers typically have strict policies against sharing such information with outside parties. Consumers who run afoul of this could be liable for any losses they incur as a result.”