Demystifying Phishing

By Sanelisiwe Jaffar, Senior Cybersecurity Engineer at NEC XON

---

October is Cybersecurity Awareness Month, a good time to discuss the new ways scammers are finding to trick people into divulging their sensitive information (social engineering). Social engineering uses people’s emotions to trick them into revealing sensitive information. Today, we focus on four common social engineering attacks: phishing, vishing, smishing, and quishing.

Phishing
Phishing happens when scammers use fake emails to extract sensitive information, like your name, surname, ID number, home address, etc.), banking card information, and passwords. After successfully stealing this information, scammers use it to access the victim’s accounts, which can result in identity theft and financial losses.

How to spot a phishing email:

• Contains suspicious links or attachments: Look out for links and attachments, especially in unexpected emails. Links in phishing emails are used to steal login information by sending people to a fraudulent website, while attachments are often infected with malware. Opening such an attachment may install malware on your device.
• Sender email addresses look similar to legitimate ones: Phishing emails often use addresses that look similar to legitimate ones but contain slight variations or misspellings.
• Too good to be true: Scammers may trigger emotions of excitement, such as claiming the recipient has won a prize without entering a competition. Alternatively, they may trigger fear, for example, by sending an email from SARS claiming the victim owes a large sum of money. In both cases, the victim may be tricked into clicking on malicious links or opening unsafe attachments.
• Poor grammar and spelling: Phishing emails often contain spelling and grammatical errors.
• Sense of urgency: Victims are sometimes threatened or urged to act quickly.

Tips to avoid being a phishing victim:

• Examine the sender’s email address.
• Look out for generic greetings.
• Hover over links before clicking.
• Watch out for urgent or threatening language.

Vishing and Smishing
Many people have received a phone call about fraudulent activity involving their bank card. During the call, the scammer may trick the victim into sharing sensitive information, such as their banking app username and password, by causing panic. Similarly, an SMS may contain a link asking for delivery address confirmation for a package when no delivery is expected, or exciting news about winning a prize, with a phone number to claim it, even though the person hasn’t entered a competition.

These attacks are known as vishing (voice call) and smishing (SMS) attacks. In these cases, the scammer impersonates a reputable organisation, such as a financial institution, courier, or telecommunications provider, and manipulates the victim’s emotions to create a sense of panic, prompting them to divulge sensitive information.

How to prevent vishing and smishing attacks:

• Don’t go too fast: Before sharing any information, take a deep breath and think about the communication’s source. For example, are you expecting a delivery if you receive an SMS about one?
• Ask yourself, “What do they already know?” Banks and telecommunications companies you have contracts with should have your information. If asked to provide additional information, end the call.
• Quishing = QR code + Phishing.

Scammers are now using QR codes to launch phishing attacks, and these scams are becoming more common. In these attacks, people are tricked into sharing personal information, passwords, or even money. Scammers use QR codes because they provide a quick and easy way for people to access websites, applications, or services.

How quishing works:
When someone scans a malicious QR code, they are unknowingly directed to a fake website that looks legitimate. Once on this fake website, the victim may be asked to enter login credentials, banking details, or other personal information, which the scammer can use to steal identities or drain bank accounts.

How to avoid getting quished:

• Verify the source: Ensure the QR code comes from a trusted source.
• Look out for overlays: In public spaces, ensure that no fake QR codes have been placed over legitimate ones.
• Be cautious of emails with QR codes: If you receive an unexpected email with a QR code, it’s safer to manually enter the link rather than scan it.
• Look for “https”: After scanning the QR code, ensure the link starts with “https” to verify the site is secure.Stay vigilant. Verifying sources, and follow the  simple safety tips above to protect yourself. Remember: awareness is the first line of defense in a landscape full of cyber bandits.