The country currently records an estimated 3,000 successful or failed attacks every month, according to the ICT governance organization ISACA (formerly the Information Systems Audit and Control Association).
Social engineering, the psychological manipulation of someone into inadvertently divulging confidential information, is one of the main feeder tactics that cyber-criminals rely on to target both individuals and organizations.
One tool in social engineering is phishing. This is a form of identity theft in which cybercriminals try to obtain private details such as usernames, passwords and credit card details by masquerading as a trustworthy entity. Often delivered via email, it is an improved version of the old scams that relied on phone calls and physical letters.
Phishing attacks are typically deployed post-breach: criminals send users warnings advising them to change their passwords, but direct them to a fake website that harvests their details. Phishing attacks also often act as easy gateways into an enterprise’s network, from which cybercriminals launch more sophisticated attacks.
People who follow cyber insecurity say that phishing attacks are a big problem because users are by nature gullible and hence a soft target for cyber-criminals. According to Internet security solutions company ESET East Africa, one can still stay safe and better protected through some basic proactive measures.
Be sensible and smart
Plenty of phishing emails are obvious: an impersonal greeting, implausible and generally surprising content, and numerous typos, mismatched words and mixed capitals. Some of these mistakes are intentional, to hoodwink spam filters while weeding out ‘smart’ recipients who would not fall for the con.
If an email looks suspicious, you are better off reading it again and even confirming with the source. A reputable company will very rarely require you to do something urgently, for example on the pretext of avoiding fines or other penalties. Threats and urgency, especially in a message that claims to come from a legitimate company, are usually a sign of phishing.
When using social media, be wary of shortened links produced by the various URL-shortening services, so as not to inadvertently land on a fake website. A simple way to tell a legitimate link from a fake one is to hover the mouse over it and check whether the destination matches the address shown in the email text. If in doubt, open a new browser window and type the URL you know and are familiar with into the address bar. Cybercriminals may use these “fake” sites to steal the personal details you enter, or to carry out a drive-by-download attack that infects your device with malware.
One useful safeguard is to browse via a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar). This is particularly important when submitting sensitive information online, such as credit card details.
For activities such as online banking or shopping, you should never use public (unsecured) Wi-Fi. A better alternative is to rely on your mobile phone service provider’s 3G/4G or LTE connection.
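The two manual checks described above (does the link really go where the email text says it does, and is the destination served over https) can be automated over an email body. The following is an added example written for this article, not code from the article or from ESET; the shortener list and the sample email body are constructed for the example, and the bank domain and lookalike domain in it are made up.

```python
"""Flag suspicious links in an HTML email body.

Added example (not from the article or ESET). It codifies the article's
advice: compare the visible link text with the real href (the "mouse
over" check), flag links hidden behind URL shorteners, and flag
destinations that are not served over https.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, non-exhaustive list of well-known URL-shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Visible anchor text that itself looks like a web address.
URL_TEXT = re.compile(r"^(https?://|www\.)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-cased host of a URL with any leading 'www.' removed ('' if none)."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.example.com' style text
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        # 1. Visible text is an address, but the href goes somewhere else.
        if URL_TEXT.match(text) and host_of(text) != href_host:
            reasons.append(f"text shows {host_of(text)} but link goes to {href_host}")
        # 2. Shortened link: the real destination is hidden from the reader.
        if href_host in SHORTENER_HOSTS:
            reasons.append("shortened link hides destination")
        # 3. Destination is plain http, so no lock icon on the target page.
        if urlparse(href).scheme.lower() == "http":
            reasons.append("destination is not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample email body; 'mybank.co.ke' and the lookalike
# 'mybank.co.ke.secure-login.example' are made-up names.
SAMPLE_EMAIL = """
<p>Your account has been compromised. Verify now:</p>
<a href="http://mybank.co.ke.secure-login.example/verify">https://www.mybank.co.ke/verify</a>
<p>Or use this short link: <a href="https://bit.ly/3xyzabc">Update password</a></p>
<p>Contact us at <a href="https://www.mybank.co.ke/contact">www.mybank.co.ke/contact</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run as a script it reports the first two links and leaves the genuine contact link alone. The host comparison deliberately ignores a leading `www.`, since `mybank.co.ke` and `www.mybank.co.ke` are the same organisation, but it does treat `mybank.co.ke.secure-login.example` as a different host, which is exactly the lookalike trick the mouse-over check is meant to catch.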