Following years of pandemic-induced economic pressure, the South African economy is slowly showing signs of recovery. As the country heads into the festive season, and the traditional peak shopping period, many consumers are returning to normal, pre-pandemic behaviour, with an expected boom in retail sales.
Retailers are also eyeing a welcome return to growth. In fact, the latest retail sales forecasts point to 3% growth in real terms for 2022. With Black Friday and the festive period ahead, retailers are hoping for a bumper shopping season.
However, cybercriminals are preparing to spoil the party. Attacks are almost certain to become more prolific in the weeks ahead as cybercriminals attempt to dupe shoppers into taking unsafe actions that could compromise their personal and even financial data.
In Mimecast’s latest State of Ransomware Readiness 2 report, 70% of South African organisations believed the risk of cyberattacks would increase over the next two years. The State of Email Security 2022 report found that 94% of South African companies have been the target of an email-related phishing attempt, with nearly two-thirds reporting an increase in such attacks.
Cybercriminals refine and enhance attack methods
The increase in cyberthreats is in part being driven by greater digitisation of various aspects of our personal and professional lives, creating valuable sources of information for threat actors as well as potential areas of weakness to exploit.
When the first lockdowns were implemented in early 2020, many office workers were forced to work remotely, a situation that has continued despite lockdown restrictions lifting. While this has undeniable benefits for workers, it has created a security nightmare for many organisations.
With employees working outside the confines of corporate security structures, and often under immense pressure, cybercriminals have capitalised by aggressively exploiting the vulnerabilities that come with remote work.
Cybercriminals are also becoming increasingly adept at social engineering at scale. To illustrate, instead of researching one named individual for a phishing attack, they work out what their target's persona represents (for example, a young man who enjoys outdoor sports and activities) and then purchase a mailing list of people with those interests. This allows them to craft more attractive phishing emails that have a far higher chance of success.
The amount of publicly available personal information on social media is also giving threat actors valuable data to use in the crafting of their attacks. An attacker could type the name of a potential target into Google, which may bring up their Facebook profile and, in the case of outdoor enthusiasts, their Strava profile. From this they can see the types of activities the person engages in, where they train, how often, and more.
From here it’s a simple matter of constructing a mailer with the right offer. For example, if the target is an avid mountain biker, the attacker could develop a mailer that offers a substantial discount on a mountain bike of the same brand that the person has put on their Facebook profile. This can increase the hit rate of their attacks from around 2% (for untargeted attacks) to as much as 20%.
In another example, a cybercriminal could infiltrate the mail server of a private school and send parents personalised emails asking for a meeting regarding their child. In a cruel twist, the cybercriminal may attach a malicious file and tell parents that it relates to the discussion they’d like to have about their child’s performance at the school.
Such an attack would likely seem so legitimate and convincing that most parents would open the attachment without a second's hesitation. Opening it can install malware that gives the attacker a foothold on the parent's device, leaving them exposed to further infiltration and potential financial losses as the cybercriminal uses that newfound access to get into the victim's banking profiles.
Knowledge and awareness are the greatest weapons against cyberattacks
In light of such high levels of danger, what can be done to safeguard South Africans from cybercrime?
The first step is to build greater cyber-resilience at a national, provincial and local level by investing in appropriate cybersecurity and continuity solutions. A multi-layered cyber-resilience strategy that protects people from cyberthreats is vital in the fight against cybercrime.
Secondly, it is critical that information about probable attack methods and cyber-risks reach the most vulnerable. Everyone needs to join forces, from big business to government departments and even celebrities, to help raise the general level of cyberawareness among the broader population.
Businesses can sponsor programmes and internships for cybercrime skills development, which has the dual benefit of improving our defences against cyberattacks as well as alleviating the high unemployment rate, especially among the youth.
Universities can host regular guest lectures and information sessions by cybersecurity specialists to teach students about cybersafety and prepare them for the risks they’ll face.
Organisations in the private and public sectors should continuously train employees to become more cyberaware. Government departments can apply some of the learnings from the pandemic and roll out a national cyberawareness campaign that teaches citizens about basic cybersafety.
South Africans are by nature not fond of showing vulnerability. When we fall victim to a scam, there is a natural tendency to keep it to ourselves. However, by reporting any instances of falling victim to a cyberattack, we can help others become more aware of new threats and equip the authorities with valuable information that might help them find, arrest and prosecute the perpetrators.
How to spot a scam
Check the discount: If you receive an email offer for 70% off a must-have item, proceed with caution. Such a significant discount is likely to feature prominently on the seller's website, so check there first to see if the offer is legitimate. Get to the website by typing the retailer's address yourself rather than following the link in the email, since the link may lead to a lookalike site. If you can't see a 70% off offer on a mountain bike, the mail you received is probably a scam.
Phone to verify: No retailer or bank will laugh at you if you phone to confirm details before making a purchase or payment. If you're unsure whether the payment you're making is going to a legitimate business, give them a ring to confirm the amount, the bank details and any other details before you pay. Use the phone number from the business's official website or the back of your bank card, not a number printed in the email itself, which a scammer can just as easily have made up.
Pay attention (especially at home): Most businesses now have some form of cybersecurity in place. This means employees may not be receiving potentially dangerous emails as the company’s cybersecurity products filter those out. But this can create a false sense of security — when employees are home, they may see more such emails land in their inbox, increasing the chances of them clicking on an unsafe link or opening a malicious attachment.
Report threats (always): If you do receive an email that is obviously a phishing attempt, don’t just ignore or delete it. Report it to your security team and, if it warrants it, to the authorities. When email threats go unreported it raises the risk level for everyone else. Conversely, the more we share about email threats, the easier it is for everyone to become aware of the threat and take action to avoid any risks.
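The "check the offer on the seller's site, not via the link" advice above rests on one observable fact about phishing mail: the address a link displays and the address it actually opens are often not the same. The script below is an added example, not code from the original article or from Mimecast; it parses an HTML email and flags any link whose target domain differs from the sender's domain or from the URL shown in the link text. The email, the retailer name "Example Bikes" and the domains in it are constructed for illustration.

```python
"""Flag links in an HTML e-mail whose real destination does not match what
the mail appears to promise. Added example: the message, the retailer and
every domain below are constructed placeholders, not real addresses."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link's visible text names the retailer, but
# its href points at an unrelated domain with the retailer's name prepended.
SAMPLE_EML = """\
From: "Example Bikes" <promo@example-bikes.co.za>
To: shopper@example.net
Subject: 70% off your favourite mountain bike - today only
Content-Type: text/html; charset=utf-8

<html><body>
<p>Huge Black Friday discount just for you!</p>
<a href="http://example-bikes.co.za.secure-login-check.example/deal">
  https://www.example-bikes.co.za/black-friday</a>
<a href="https://www.example-bikes.co.za/terms">Terms and conditions</a>
</body></html>
"""


def registrable_domain(host):
    """Rough owner-domain approximation: keep the last two labels, or three
    when the host ends in a two-level country suffix such as co.za. Adequate
    for a mismatch check; a production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    second_level = {"co", "org", "gov", "ac", "net"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, visible))
            self._href = None


def check_links(raw_message, sender_domain=None):
    """Return one finding per link. A link is suspicious when its href domain
    differs from the sender's domain, or when the visible text is itself a URL
    whose domain differs from where the href really goes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if sender_domain is None:
        # Note: From is trivially spoofable; this is only what the mail claims.
        sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)

    findings = []
    for href, text in collector.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        if href_dom != sender_domain:
            reasons.append(f"href domain {href_dom} != sender domain {sender_domain}")
        if text.startswith(("http://", "https://")):
            text_dom = registrable_domain(urlparse(text).hostname or "")
            if text_dom != href_dom:
                reasons.append(f"visible URL says {text_dom} but link goes to {href_dom}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EML):
        label = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(label, finding["href"], *finding["reasons"])
```

Run against the sample, the first link is flagged twice (its domain matches neither the sender nor the URL it displays) and the terms link passes. The check has a deliberate limit worth noting: it trusts the From header, so it would not help against the school scenario described earlier, where the mail genuinely leaves the school's own server. That is why the advice to phone and verify through a number you already trust matters as much as any automated filter.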
The views expressed are those of the author and do not necessarily reflect the official policy or position of the Mail & Guardian.