How to Protect Passwords as Phishing Scams Increase by 80%?
Attacks via fraudulent email scams have increased sharply in recent years, and some experts claim they have gone up by a staggering 80%. IT specialists have sent out warnings to major companies and internet providers in light of the increased phishing campaigns. Just recently, Durban city manager Sipho Nzuza became the victim of a brazen hacker attack, which illustrates how bold cybercriminals have become.
Durban city officials have confirmed that the phishing scam is being investigated by the city's Integrity and Investigations Unit after DA councillor Marlaine Nair brought the matter to the unit.
According to the story, a construction director, who has opted to remain anonymous for safety reasons, sent Nair a copy of an email supposedly received from Sipho Nzuza that referred to a construction bidding proposal. In the supposed email, the construction director was told to contact Nzuza by 10 am, but once he contacted the person masquerading as Nzuza, the director was informed he would have to deposit 100,000 rand into an account. The construction director told his lawyer about the scam and the investigation began.
What are Phishing Attacks?
Phishing scams are carried out with one of two goals: to acquire specific information from the victims or to steal money. Phishing emails are usually the first contact between the cybercriminals and their victims.
"Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss," said Matthew Gardiner, cybersecurity strategist at Mimecast. "Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter-on-quarter. These are difficult attacks to identify without specialized security capabilities, and this testing shows that commonly used systems aren’t doing a good job catching them," he added.
The Ponemon Institute conducted a study in 2018 that aimed to determine the costs of data breaches. It found that the average cost in South Africa is 36.5 million rand, up from 32 million rand in 2017. That's over 25 million dollars. For example, when the insurance company Liberty Life fell victim to cybercriminals earlier in 2018, 1.68 billion rand was lost. The company has a market value nearly 20 times that, but it's still a massive score for the hackers and a massive loss for the company.
Over 90% of all cybercrime starts with a simple, innocent-looking email, according to experts, and the damage isn't just monetary.
"It is the most pervasive corporate information service. The increase in supply chain fraud targeting payment workflow processes is huge; an attack can involve important data being encrypted and then having to pay a lot to get the data back," Mimecast's KwaZulu-Natal general manager Paul Stafford said.
"There is also the cost of brand damage when news of a cyber attack is released," Stafford added.
Phishing scams have evolved
Hackers are adopting newer and newer tactics to get their hands on victims' information. They're not just targeting big corporations either. Don't let the fact that you make chump change compared to global corporations fool you into thinking you're immune to phishing scams.
Alto Africa chief technology officer Oliver Potgieter commented that cybercrime technology has moved past the victim having to click on a link for a hacker to get their password. He described an email that was making the rounds at the time which tried to blackmail its victims by accusing them of downloading pornography.
The email starts with "I am aware that (actual password) is one of your passwords".
"Phishing has always been about trying to get your password. Now they are leading the email message with your password straight off the bat to establish credibility. The password used is actually correct (or was). We believe this password information in these recent instances has been from hacks such as the Ashley Madison hack of 2015," said Potgieter.
"There is also nothing in this email that causes it to be blocked by normal spam protection - no links, no malware, no attachments," Potgieter added.
The ransom demanded is usually in a cryptocurrency like Bitcoin. Why? Because hackers know that Bitcoin payments are virtually impossible for the authorities to trace.
Mobile devices make hacking even easier for attackers
"We have moved away from the workstations and the consequence of a mobile access point is that we are on the servers permanently. You don't even have to get hacked," Dr. Colin Thakur, Director of Nemisa KZN e-Skills Colab in Durban said.
Thakur and Stafford also warned that cybercrime can be carried out through USB devices, which can be strategically dropped close to the target, who would then presume it was their own USB device.
"You put it in (to a laptop) and every keystroke you do is picked up, whether it's your password or other critical information," said Thakur.
"When it comes to creating a fraudulent account, the hacker simply has to transpose two letters. Your eyes will auto-correct the error and every hacker knows that's what you'll do. It's such a basic level of fraud, people don't believe it can happen, but it does," he added.
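A defensive check for the "transpose two letters" trick Thakur describes, added here as an illustration and not code from the article or from anyone quoted in it. It goes slightly beyond the quote by flagging any sender domain within one edit (swap, substitution, insertion or deletion) of a trusted domain; the trusted-domain list and the From: headers are constructed.

```python
"""Flag sender domains that are one edit away from a trusted domain."""
import re

# Constructed allowlist for the example; a real deployment would load its own.
TRUSTED_DOMAINS = {"durban.gov.za", "example-construction.co.za"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution, or swap of two adjacent characters each costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            # Adjacent transposition: "durban" vs "dubran" costs 1, not 2.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"<?([^<>\s]+)@([^<>\s]+)>?\s*$", from_header)
    return m.group(2).lower().rstrip(".") if m else ""


def classify_sender(from_header: str) -> tuple:
    """Return ('trusted', domain), ('lookalike', trusted domain it
    resembles) or ('unknown', '') for the header's sender domain."""
    dom = sender_domain(from_header)
    if dom in TRUSTED_DOMAINS:
        return ("trusted", dom)
    for good in sorted(TRUSTED_DOMAINS):
        if dom and osa_distance(dom, good) <= 1:
            return ("lookalike", good)
    return ("unknown", "")


if __name__ == "__main__":
    # Constructed sample headers: the genuine address and a transposed lookalike.
    for hdr in ("Sipho Nzuza <s.nzuza@durban.gov.za>",
                "Sipho Nzuza <s.nzuza@dubran.gov.za>"):
        print(hdr, "->", classify_sender(hdr))
```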