Cybersecurity News South Africa

SA is a phishing attack hot spot

South Africa is the second-most-targeted country globally when it comes to phishing attacks, said Drew van Vuuren, CEO of information security and privacy practice, 4Di Privaca.

With the cost of phishing in South Africa amounting to approximately US$320 million in 2013 alone, and with South Africa accounting for 5% of the total volume of all phishing attacks globally, it's not a matter of "if" you or your company are going to be a target, but "when". If you are not worried about phishing attacks, you should be!

Phishing is a form of email deception in which a cyber-criminal attempts to obtain sensitive information or cause disruption to an organisation's business operations. Phishing can be defined as the act of sending an email to a user in order to steal their personal information, such as bank account details, credit card information, etc. The email falsely claims to be from an established organisation and induces the user to surrender private information that will be used for identity theft.

Such emails may direct the user to click on a link to a website where they are asked to update personal information such as passwords, credit card details, social security numbers or bank account numbers. This type of bogus website is specifically designed for information theft.

Spear phishing

The most common form of phishing is "spear phishing", a more targeted version of phishing in which an email is sent that appears to be of significant interest to the targeted individual. Spear phishing often has a high success rate as it bypasses traditional security defences and exploits vulnerable software.

Most companies choose to downplay the inevitable threat that phishing attacks pose, despite the many publicised cases that have resulted in personal, corporate, financial and reputational damage.

Most, if not all, businesses spend money on external safeguards and security. They may invest in security personnel, closed-circuit television cameras, alarms and perhaps, on a more rudimentary level, a visitor sign-in book. What they neglect to consider is that threats also lurk online. Such risks can be dangerous and often devastating.

The targeted nature of spear phishing can unleash a major attack on corporate wellbeing, and an attacker may gain access to email systems, social media, banking details and corporate log-in details. Another impact of successful phishing attacks is reputational, and that damage is almost immeasurable. High-profile individual victims can also take hits to their reputation, which, in turn, harms the company's brand.

Education programme

The most effective defence against phishing attacks is prevention. To prevent, or at least cut down on, phishing attacks, businesses need to start a continual education programme that builds security awareness amongst their staff. Ignoring the pitfalls of phishing can put a company at risk. Organisations should be educated on behavioural practices that prevent successful phishing.

Implementing and adopting a security-awareness capability will foster an environment that empowers organisations' users to separate the wheat from the chaff, so to speak. With South Africa having such a diverse economic landscape and many of the financial services being delivered in the mid-tier market, valuable personal information on individuals is handled daily by these companies.

These organisations are the ones targeted most regularly by nefarious groups intent on inducing the inadvertent sharing of that valuable information, so that they can profit from selling it on or using it to perform fraudulent activities.
