Phishing 101: Back to the basics

We all know that cybercriminals are constantly out to get our personal information. They will do whatever they can to get their hands on this data. With the constant stream of new technologies being released, cybercriminals can put together more sophisticated attacks – making it hard to distinguish between something that is real and that which is a spoof.

Most phishing attacks are set up in the same way: you need to take action in order for the attack to take effect. So, you will get an email or an SMS with a message that triggers some kind of emotion. It could be an email from SARS demanding that you make immediate payment on outstanding taxes, or a request from your bank asking you for your PIN in order to rectify an error on your account. Sometimes, the message could even be exciting news – like informing you that you’ve inherited millions of dollars from a long-lost relative who recently passed on. To claim it, you need to provide some personal and financial information.

Sound familiar? There are many variants, which is why you need to be on constant guard to ensure that you don’t get caught in that phishing line.

Phishing menu

Just like fish, phishing attacks come in all shapes, sizes, and colours. You may be familiar with some, but there are always new additions:

Vishing

Cybercriminals call you on behalf of a well-known organisation and claim that you owe them money, or you have a virus on your computer that they can quickly fix, for a fee. In other instances, they claim that you’ve won something or are eligible for a loan, just when you desperately need money.

Vishing examples

Disclaimer: The names used in this scenario are fictitious. No association to real people is intended or inferred.

Spear phishing

Some academic staff have also received spear phishing emails from a malicious individual who pretends to be a person in authority. In most cases, the spoofed email looks like it’s coming from a Dean. Most of the time, the spoofed email address contains some aspects of the senior leader’s UCT email address, such as name.surname, but it ends with gmail.com or outlook.com. When you respond to these emails, the sender says that they urgently need you to buy some form of voucher.

SmiShing

You receive an SMS or MMS asking you to click a link or watch the provided video. When you act, a cybercriminal can take control of your mobile device without you even knowing about it. You only realise what’s happened when you try doing something but all attempts are unsuccessful because the criminal has changed your passwords and is now in control of your device and the apps on it.

Whaling aka CEO Fraud

Cybercriminals target those at executive management level to get access to their login details. Senior management usually has access to privileged information, which is valuable to cybercriminals. Criminals do a lot of preparation for these attacks so that they look and sound legitimate. This includes getting to know the potential victim’s interests, finding out who they regularly communicate with, familiarising themselves with their writing style, and so on.

Watering hole phishing

This phishing attack is a waiting game. A cybercriminal selects their target and monitors their online activities to see which websites they frequently visit. They select one of these sites and infect it with malware. When the victim accesses the infected site, the malware infects their device – which gives the cybercriminal access to their details.

Pharming

Cybercriminals create a fake website, which resembles a legitimate one. Individuals do not even need to click anything to go to the site, because attackers have tampered with either the individual’s computer or the organisation’s DNS server, so that a legitimate web address leads to the fake site.

Domain spoofing

A fake domain is created to impersonate an actual entity. When individuals see that the same domain is used in an email address, they automatically believe it to be a trusted company.
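The spear phishing and domain spoofing patterns described above can be turned into a simple mailbox-side check. The following is an added example, not code from this page or from any UCT/ICTS tool: it assumes uct.ac.za as the organisation’s real mail domain, a constructed staff directory of name.surname local parts, and a short freemail list; the edit-distance threshold of 1 is deliberately tight so that neighbouring institutions with similar domains are not flagged.

```python
import re
from email.utils import parseaddr

# Assumptions (not from the page): the organisation's real domain, a
# constructed staff directory, and the freemail domains named in the article.
ORG_DOMAIN = "uct.ac.za"
STAFF_LOCAL_PARTS = {"jane.dean", "sipho.nkosi", "mary.smith"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'ok', 'freemail-impersonation',
    'lookalike-domain' or 'unknown' (not one of the page's patterns)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "unknown"
    local, domain = addr.rsplit("@", 1)
    if domain == ORG_DOMAIN:
        return "ok"
    # Spear phishing pattern: a staff-style name.surname local part, or a
    # display name matching a staff member, on a freemail domain.
    display_key = re.sub(r"[^a-z]+", ".", display.lower()).strip(".")
    name_match = local in STAFF_LOCAL_PARTS or any(
        display_key.endswith(s) for s in STAFF_LOCAL_PARTS)
    if domain in FREEMAIL_DOMAINS and name_match:
        return "freemail-impersonation"
    # Domain spoofing pattern: a domain one edit away from ours, or one that
    # embeds our first label (e.g. "uct-finance.com", "uct.ac.za.example.net").
    org_label = ORG_DOMAIN.split(".")[0]
    if edit_distance(domain, ORG_DOMAIN) <= 1 or org_label in re.split(r"[.-]", domain):
        return "lookalike-domain"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers for a quick run; none refer to real mail.
    for hdr in ["Jane Dean <jane.dean@uct.ac.za>", "Prof Jane Dean <deanoffice@outlook.com>",
                "ICTS Helpdesk <helpdesk@uct-ac.za>", "Newsletter <news@example.org>"]:
        print(f"{classify_sender(hdr):24s} {hdr}")
```

A real deployment would source the staff list from the directory service and log the verdict alongside the message ID rather than printing it.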

Clone phishing

A legitimate email address is cloned to make it seem that the communication is coming from an actual person.

Deceptive phishing

This is the most common phishing type. You’ll get an email claiming to be from your bank, and you’re asked to click a link to verify your banking details. It’s a classic trick, but still effective.

View an example of an attack that happened right here at UCT.
Disclaimer: The names used in this scenario are fictitious. No association to real people is intended or inferred.

Office 365 phishing

With many organisations using Microsoft Office 365, cybercriminals have created a range of attacks where they pretend to be from Microsoft. Targeted individuals are then asked to click the provided link to log in to their Office 365 account, change a password, resolve an issue with their account, or prevent their account from being deactivated.

Search engine phishing

Cybercriminals create website advertising for attractive online deals. They’re in cahoots with fake banks, so the websites seem legitimate. The criminals then capture individuals’ details and use them for fraudulent activities.

Don’t get caught in the phishing net

To protect yourself against becoming phishing bait, be sure to follow these recommendations:

  • Don't ever reply to emails, messages, or calls that request personal information – especially usernames and passwords.
  • NEVER share your password or PIN with anyone – not even an ICTS representative, or representatives of your bank, mobile network, or other service providers.
  • Ensure your passwords are complex by using a phrase, different languages or numbers, and symbols in place of letters.
  • Ensure your anti-virus, operating system, software, and apps are always up to date.
  • Do not open attachments unless you can verify the sender and the nature of the attachment.
  • Don't open emails of unknown origin.
  • Don't click on links in emails if you cannot recognise where the link directs you.
  • Re-check links before clicking them.
  • Don't reply to spammers asking them to remove you from their mailing list. Replying just confirms your email address as valid, which encourages them to send you more spam.
  • Please check the announcements on the ICTS and CSIRT websites for the latest alerts. If your suspicious email differs from the one in the announcement, please report it to the IT Helpdesk at icts-helpdesk@uct.ac.za. You can report any other cybersecurity issues to the CSIRT at csirt@uct.ac.za.
  • If something feels phishy, trust your gut and avoid the message or action.