Phishing is a social engineering attack whereby hackers attempt to steal an unsuspecting victim’s username, password, bank information, and other sensitive details. It is a growing worldwide concern …
By Michael Akuchie
As the world grappled with the unprecedented COVID-19 pandemic in 2020, scammers seized the moment and launched a variety of attacks on unaware victims. Contrary to popular opinion that scammers targeted only Europeans and foreigners in general, Africans, particularly those with little to no digital literacy, were considered fair game.
As I quarantined, too, like everyone else, my phone often buzzed with messages. In one text, the Nigerian government had selected me to receive a conditional cash transfer as part of efforts to survive the harsh economic reality that the pandemic had graciously nurtured. All I had to do was click a certain link, and N50,000 would be mine. In an email, I had been shortlisted for a job at the Central Bank of Nigeria, but to secure the job and catapult myself and my family into the uppermost area of prosperity, I had to click on a link.
I refused to click on those links, and for good reason. Both were sophisticated attempts by scammers to steal personal information from me. As we have seen over time, cyber scams have evolved into a greater menace. Aside from phoning victims while posing as bank employees to request sensitive account details, cybercriminals have also launched what are broadly known as phishing attacks. Phishing, identical in meaning to the word “fishing”, is a social engineering attack whereby hackers attempt to steal an unknowing victim’s username, passwords, bank information, and other sensitive details.
To put it in perspective, think about that email you thought came from Amazon regarding an order you never placed. Remember how it stated that for you to ensure the shipment gets delivered you had to verify your identity by inputting your debit card information? It is common to get emails from purported e-commerce sites, banks, and major companies asking you to click a link, supply personal information, or download a particular app. Some scammers display a new level of sophistication and go as far as to design websites that look and feel legitimate.
Ever come across a site that said you were close to winning an iPhone, but to claim the prize, you had to click a link? Clicking such links can cause untold damage ranging from stolen personal details used to commit crimes to malware making its way into the victim’s device. McAfee, a computer security software company, defines malware as “software that is installed on a computer without the user’s consent and that performs malicious actions, such as stealing passwords, or money.”
To shed light on phishing, I spoke with Funsho Richard, a seasoned information security expert. He acknowledged that phishing is a fast-growing issue in today’s world, and that the perpetrators are always upgrading their tactics to maintain a high chance of success. “Phishing emails are not the only method that cybercriminals use to socially engineer people into giving up sensitive information. They also use other techniques such as impersonation, smishing, vishing, deepfakes, and social media links to trick people into revealing their personal or financial data, installing malware, visiting malicious websites, or sending money to scammers,” he told me.
Phishing comes in different forms, and it is only proper to spotlight the most used techniques. Understanding how one, two, or even three of these methods work may save you or a close friend from becoming the next victim. Email phishing, vishing, spear phishing, whaling, and HTTPS phishing are some of the most common strategies used to commit cyber crimes.
Techopedia considers email phishing to be the most common instance of phishing. This refers to deceitful emails made to look like they originated from a reliable source. Again, consider the Amazon email reference. Hackers typically send such emails in mass numbers, hoping that victims take the bait. Vishing, a term for voice phishing, refers to when a scammer calls a potential victim and pretends to be somebody they are not. The person the scammer poses as is typically a relative, a bank employee, or a close friend: essentially, someone with whom the victim shares a decent amount of connection.
Similar to email phishing, spear phishing is a brand of phishing whereby the hacker concentrates on a specific individual. For this type of phishing, the hacker spends time gathering useful information about the target before launching the attack. For HTTPS phishing, the cybercriminal sends unsuspecting victims a website link that looks authentic. For instance, an individual may get an email from Facebookk.com — an attempt to mimic Facebook (notice the extra “k”) — saying that they are eligible for a prize. Upon opening the website, the victim may be asked to supply personal information.
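The Facebookk.com lookalike described above is the kind of near miss that software can flag before a person has to spot it. The following is an added example, not part of the original article: a short Python check that compares the host in a link against a small list of trusted domains and reports close misspellings or a brand name embedded in a foreign host. The trusted list, the function names and the distance threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: domains the reader actually does business with.
TRUSTED = ("facebook.com", "amazon.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(link: str) -> str:
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    if "//" not in link:
        link = "//" + link
    host = (urlsplit(link).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(link: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link."""
    host = host_of(link)
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    for t in TRUSTED:
        brand = t.split(".")[0]
        # A near miss in spelling, or the brand name inside a foreign host.
        if edit_distance(host, t) <= max_distance or brand in host:
            return f"lookalike of {t}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; only Facebookk.com comes from the article.
    for link in ("https://Facebookk.com/prize", "https://www.facebook.com/",
                 "facebook.com.prize-claim.example", "https://example.org/"):
        print(f"{link:40} {classify(link)}")
```

An "unknown" result only means the host resembles nothing on the trusted list; it says nothing about whether the site is safe.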
It is important to note that phishing and other social engineering attacks rely on the emotions of unsuspecting people to gain personal information. Examples include the curiosity to check whether an email offering N1 million for clicking a link is real, and the desire to win an iPhone 14. These human tendencies are exploited by scammers to steal sensitive data for nefarious reasons.
It is also worth mentioning that, aside from individuals and businesses, government agencies are possible targets for phishing attacks. On October 12, 2023, the African Union (AU) issued a statement that assessed reports of emails, disguised as official emails from the Deputy Chief of Staff on behalf of the Chairperson of the African Union Commission, being received in the capitals of various foreign countries. This underscores the need for everyone, regardless of status, to always be vigilant.
As with all cyber attacks, there is no way to completely eradicate phishing. Fortunately, there are a couple of ways to fortify yourself and close friends against this menace. Firstly, scrutinise every email that comes from your bank, social media platforms, and the like. Phishing attacks usually come with informal greetings like “Hi Dear” or “Good day”.
“The first step is to realise that anyone can get phished. Therefore, it is important to be aware of the common signs of phishing, such as unfamiliar greetings, grammar errors, urgent requests, or strange links,” Richard adds.
The next step is being wary of links. If an email or text message looks suspicious, it makes little sense to click on any link or attachment. Doing so may have untold consequences. Beyond emails, scammers can leverage pop-up ad notifications to try to steal your information. As such, ensure that you enable anti-phishing extensions.
You can also activate an ad-blocker to be on the safe side. It also pays to update your device regularly. Admittedly, the frequent update notifications can be boring, but installing the latest system update could give you an edge over the ever-changing techniques of hackers. An extra tip, according to Richard, is to “keep learning about the latest phishing methods and how to protect against them.”
To avoid vishing attacks, confirm the identity of the caller before giving away important information. Scammers typically get spooked when you start asking them to verify their identities. For example, I have had many of them hang up after I asked them to tell me the bank they were calling from. Many cybersecurity enthusiasts are familiar with the “Never Trust, Always Verify” maxim. Now you are too. To reduce the chances of spear phishing, be cautious of suspicious emails, activate the spam filter to catch such emails, and enable multi-factor authentication.
The above are preventive measures, but what if you got sloppy and the scammers did get a hold of your data? In this case, enabling two-factor authentication will make it hard for scammers to hack into your accounts even after obtaining your details.
Michael Akuchie is a tech journalist with four years of experience covering cybersecurity, AI, automotive trends, and startups. He reads human-angle stories in his spare time. He’s on X (fka Twitter) as @Michael_Akuchie & michael_akuchie on Instagram.