Last year, 94% of South African businesses were the target of email phishing attempts. These attacks are becoming increasingly sophisticated, with cybercriminals using demographic data to create more realistic and accurate scams. You could, for example, receive a scam email from your child’s school, SARS, and even your bank that looks convincing enough to fool you.
To help you protect yourself and your business, we’ve put together a guide outlining everything you need to know about phishing, from identifying a phishing attempt to what you need to do if you or an employee has been exposed through a phishing attack.
What is phishing?
Phishing is a form of cyberattack that acts like a wolf in sheep’s clothing. Victims are sent a communication from what they think is a trusted source, like an email from their bank, that is actually a clever fake designed to steal sensitive information such as passwords, credit card numbers, pin codes or other personal information. These types of attacks usually come in the form of emails or social media messages that lead to fake websites. A phishing scam is not a data breach. Phishing attacks are most commonly perpetrated by cybercriminals out for financial gain.
Types of phishing attacks include:
- Email phishing: an email posing as a legitimate entity
- Spear phishing: a customised, researched attack that targets specific groups of individuals or businesses
- Whaling: targeting executives within an organisation (the big fish)
- SMS phishing (Smishing): scam attempt sent via a text message
- Voice phishing (Vishing): voice calls or recorded messages
- Website phishing: a fake website that looks just like a legitimate one
The goal of phishing is to collect sensitive information. Data stolen through a phishing attack can be used for a number of malicious purposes including identity theft, fraud, ransom, unauthorised financial transactions, sale on the dark web, and even espionage.
How to identify a phishing email
A phishing email will look like it is from a trusted source, and contain an instruction for you to provide certain sensitive information or click on a link or attachment. Caution and vigilance are key to preventing falling victim to a phishing attack. Always be wary of emails or messages that ask for personal information or make urgent requests.
Giveaways of a potential phishing attack include:
- Spelling mistakes or bad grammar
- An unfamiliar or strange sender email address
- A strange URL
- A sense of urgency
Below is an example of what a phishing email could look like, and what to look out for:
Here is another example of a phishing email disguised as an urgent letter of demand.
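The giveaways listed above can be checked mechanically before a message reaches a reader. The script below is an added example, not code from the xneelo article: it parses a constructed sample email and reports which of the four giveaways (unfamiliar sender domain, strange link URL, urgency, spelling mistakes) it shows. The sample message, the urgency and typo word lists, and the lookalike domain names are assumptions for illustration.

```python
# Added example (not from the xneelo article): flag the article's four phishing
# giveaways in one email. Sample email, word lists and domains are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: claims to be a bank but is sent from a lookalike domain
# and links to yet another domain behind reassuring link text.
SAMPLE_EMAIL = """From: "Example Bank Support" <support@examp1e-bank.co.za>
To: you@example.co.za
Subject: URGENT: your acount will be suspended
Content-Type: text/html

<p>Dear customer, your acount will be suspended within 24 hours.</p>
<p>Please <a href="http://examp1e-bank-login.net/verify">log in to example-bank.co.za</a> now.</p>
"""

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
COMMON_TYPOS = ("acount", "recieve", "verfy")  # tiny constructed word list

def same_domain(host: str, expected: str) -> bool:
    """True only for the expected domain itself or one of its subdomains."""
    return host == expected or host.endswith("." + expected)

def phishing_indicators(raw: str, expected_domain: str) -> list:
    """Return the giveaways found, given the domain the email claims to represent."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    # Giveaway: the sender address does not belong to the claimed organisation.
    if not same_domain(sender_domain, expected_domain):
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
    body = msg.get_payload()
    text = (msg["Subject"] or "") + " " + body
    # Giveaway: pressure to act right now.
    if any(w in text.lower() for w in URGENCY_WORDS):
        findings.append("urgent language")
    # Giveaway: spelling mistakes (crude word list, an assumption).
    if any(t in text.lower() for t in COMMON_TYPOS):
        findings.append("spelling mistakes")
    # Giveaway: link text names one site but the href points elsewhere.
    for href, anchor in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body, re.I):
        host = (urlparse(href).hostname or "").lower()
        if not same_domain(host, expected_domain):
            findings.append(f"link to {host!r} hidden behind text {anchor.strip()!r}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, "example-bank.co.za"):
        print("-", finding)
```

A real filter would pull the expected domain from the display name or the brand named in the body rather than taking it as a parameter, and would use a proper spell checker; the structure of the checks stays the same.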
How to protect against phishing attacks in your business
As a business owner, you don’t have eyes on every single email that passes through your server, but there are steps you can take to prevent anyone in your business from being caught in a phishing net.
- Educate your team on how to identify a phishing email
- Implement multi-factor authentication for all accounts and systems that store sensitive information
- Put email spam filters in place to stop phishing emails before they enter your inbox
Speak to your hosting provider about what security measures are already in place – xneelo offers spam filtering on all email addresses associated with your web hosting account, for example. We also recommend using our Cloudbric WAF add-on that detects and blocks malicious traffic to your website. While Cloudbric doesn’t offer direct protection against phishing, it does prevent hackers from intercepting sensitive information or looking for vulnerabilities that could be exploited for phishing attacks.
A trend that’s becoming increasingly popular among businesses is to implement a Zero Trust policy, which requires verification and authentication for all devices and networks to reduce the risk of external and internal threats. This strict access control process protects sensitive information and makes it easier to respond to security incidents when they occur.
What to do if you have been affected by phishing
If you have fallen victim to a phishing attack, here are some immediate steps you should take:
- Change any passwords that were affected: See our tips for creating a strong password here.
- Report the attack to the legitimate business the email pretended to be from and ask them to take action on their side.
- If your credit card details were compromised, cancel them immediately and call your bank’s fraud support line.
- Immediately enable two-factor authentication for any accounts that support it as an extra layer of security.
- Contact the authorities. Cybercrime.org.za is South Africa’s national fraud and internet crime reporting centre.
- Review your credit card and bank account statements to check for suspicious or unauthorised charges.
By taking these steps, you can help to minimise the damage caused by a phishing attack and protect your personal and financial information.
Remember, at xneelo, we will never ask for your personal information via email. If you receive a strange email, contact us, and never ever click on a suspicious link. If you’re unsure, you can verify our banking details on our website by searching for ‘xneelo bank details’ within our Help Centre.