Written By: George Manyaya
There is an increased risk of cybercrime and cyber-attacks, especially in the past year. The rapid digital revolution has brought about a digital transformation, now known as the Fourth Industrial Revolution (4IR), which has enabled the convergence of Information Communication Technology (ICT) services. Whilst this adoption of the converged ecosystem has furthered the interests of consumers, who can now access multiple internet-based services on a single device, it has inadvertently ushered in an increase in online crime. Cybercrime, also called digital crime, is the use of digital technology in the commission or facilitation of crimes such as phishing, cyberbullying, child pornography, online fraud, violation of privacy and cyber grooming, among others. This article will focus on phishing, which has been on the rise globally.
The COVID-19 pandemic has validated the significance of ICTs in ensuring that businesses, governments and societies remain interconnected and functional. Social distancing and lockdown restrictions led to an exponential rise in the use of technology. Business is now conducted online, and students, especially children, are using the internet more than ever before owing to e-learning. According to the POTRAZ annual sector performance report for 2020, “A total of 48,781 Terabytes (TB) of mobile Internet and data were consumed in 2020. This represents a growth of 36.5% from 35,733 TB recorded in 2019. Used international incoming bandwidth capacity also increased by 36.6% to record 159,665 in 2020 from 116,927 recorded in 2019”. These online trends have provided cyber criminals with a plethora of new tactics for committing crimes like phishing.
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution, to lure individuals into providing sensitive personal information or data such as usernames, passwords, credit card numbers, PIN codes or other sensitive details. Phishing attacks have evolved over the years to become more complex, enticing and tougher to identify; the main variants include the following:
Email phishing (Bulk)
Most phishing messages are delivered by email and are not personalised or targeted at a specific individual or company. The contents of a bulk phishing message vary widely depending on the intention of the attacker; common targets for impersonation include banks and financial services, email and cloud productivity providers, and streaming services. Attackers may use the credentials obtained to steal money directly from a victim, although compromised accounts also often become a jumping-off point from which the perpetrators carry out secondary attacks. The emails usually come with attachments that contain a virus; once the attachment is opened the virus becomes active and infects the victim’s device. Some scammers have adapted their usual online phishing schemes by deploying COVID-19 themed phishing emails, often imitating government and health authorities, to lure victims into providing their personal data and downloading malicious content.
The country has experienced several reports of phishing in which scammers, aware that during the lockdown period consumers were receiving parcels through postal and courier operators like Zimpost, DHL and FedEx, sent emails notifying individuals that a parcel had arrived and directed them to a link to view the parcel details. Once the unsuspecting person clicked the link, the malware was already on its way to their device. Earlier this year, the globally distinguished computer giant Acer suffered a ransomware attack involving a ransom of USD50 million. It is believed that a cyber-criminal group called REvil was responsible for the attack and leaked some images of the stolen data.
SMS phishing (SMISHING)
SMS phishing is conceptually similar to email phishing, except that attackers use cell phone text messages to deliver the ‘bait’. Smishing attacks characteristically invite the user to click a link, call a phone number, or contact an email address provided by the attacker via an SMS message. The victim is then invited to provide their private data and credentials to other websites or services. As the mobile phone market is now saturated with smartphones that all have fast internet connectivity, a malicious link sent via SMS can yield the same result as one sent via email. Smishing messages may come from telephone numbers in a strange or unexpected format. Over the past two months, police have received several complaints totalling the equivalent of US$100 million. In these cases criminals have been hacking mobile money wallets (EcoCash, OneMoney or Telecash) and WhatsApp accounts, using the stolen identities of persons trusted by others in WhatsApp groups, and have offered US dollars at good rates. Unsuspecting consumers then send the local currency to the scammers from their mobile wallet on the basis of that trust, and as soon as the funds are released the scammers disappear. Moreover, if one’s mobile phone is stolen and the criminals can access the email account on it, they can retrieve the private PIN and register whatever they want.
Voice phishing (Vishing)
This occurs when a caller leaves a strongly worded voicemail that urges the recipient to respond immediately and to call another phone number. These voicemails are urgent and convince the victim, for example, that their bank account will be suspended if they do not respond. Attackers can dial a large quantity of telephone numbers and play automated recordings, generated with text-to-speech synthesisers, that make false claims of fraudulent activity on the victim’s bank accounts or credit cards. The victim is then directed to call a number controlled by the attackers, which will either automatically prompt them to enter sensitive information in order to “resolve” the supposed fraud, or connect them to a live person who will use social engineering to obtain private information.
Link Manipulation and Fake Websites
These attacks entice victims to click what appears to be a familiar link, but the link leads to a spoofed version of the popular website, designed to look like the real one, which asks them to confirm or update their account credentials. Likewise, cybercriminals send phishing emails that include links to fake websites, such as the mobile account login page of a known mail provider, asking the victim to enter their credentials or other information into the fake site’s interface. The deceptive website will often rely on a subtle change to a known URL to trick users, such as mail.update.yahoo.com instead of mail.yahoo.com. According to INTERPOL, “In one four-month period (January to April 2020) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs were reported globally”.
Phishing attacks have spiked exponentially and are wreaking havoc globally. Accordingly, it has become essential to take all the crucial safeguards to protect yourself through the following mechanisms:
All stakeholders including regulators and law enforcement agencies must create a cyber-security awareness culture by empowering consumers through education and awareness initiatives.
Consumers are urged to ignore, rather than open, attachments from suspicious-looking emails or from senders they are not expecting to hear from. Furthermore, they are urged to avoid forwarding messages “as received” without proper authentication, as doing so may put others at risk. They should keep their antivirus regularly updated and not open anything that it has flagged.
Consumers must pay attention to detail; for example, they must be aware of the difference between http and https. HTTP stands for Hyper Text Transfer Protocol, and the S that HTTPS adds stands for “Secure”. Engaging with an http website or providing personal information such as a credit card PIN over it means you are giving an untrusted source your personal details and risk being scammed. Moreover, when you log in for e-banking, make sure that the name just before “.com” is the name of your bank.
Consumers must not give anyone their One Time PIN (OTP) under any circumstances, even if they purport to be from their Bank or Mobile Network Provider.
They must change their passwords regularly and, as a general rule of thumb, should not willingly give out card information or any private information. If they really have to provide personal information, there is a need for verification first: check that the website is genuine, that the company or representative is real, and that the site itself is secure.
Organisations must empower employees with education and awareness information, as a cyber-aware workforce is the best defence against all kinds of phishing attacks. Employees must also be taught to carefully double-check the sender’s email address and look out for anything unusual, such as odd dates or language.
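The two manual checks recommended above (https rather than http, and the name just before “.com” being the institution’s own name) can be automated. The following is an added example, not code from the article; the tiny suffix table is a constructed stand-in for a real public-suffix list, and the host names in it are made up for illustration. It generalises the “.com” rule to other suffixes such as “.co.zw” and also catches the credentials-before-@ trick, where the brand name appears before an “@” but the browser connects to whatever follows it.

```python
"""Check whether a login URL really belongs to the institution it claims to be.

Added example, not from the article. Implements the article's two manual
checks: (1) the scheme must be https, not http, and (2) the label just
before the public suffix must be the expected institution's name.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix table (assumption). A production
# checker would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.zw"}


def registrable_domain(host: str) -> Optional[str]:
    """Return '<name>.<suffix>' for host, or None if no known suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    # Try two-label suffixes first so "co.zw" wins over a bare "zw".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def check_login_url(url: str, expected_name: str) -> List[str]:
    """Return the reasons a URL is suspicious; an empty list means it passed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username is not None:
        # "https://mail.yahoo.com@evil.net" shows the brand before '@'
        # but the browser actually connects to the host after it.
        problems.append("credentials before '@' hide the real host")
    host = parts.hostname or ""
    owner = registrable_domain(host)
    if owner is None:
        problems.append(f"no recognised public suffix in host {host!r}")
    elif owner.split(".")[0] != expected_name.lower():
        problems.append(f"site is owned by {owner!r}, not {expected_name!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("https://mail.yahoo.com/login",
                      "http://mail.yahoo.com/login",
                      "https://yahoo.com.update-secure.net/login",
                      "https://mail.yahoo.com@evil.net/"):
        print(candidate, "->", check_login_url(candidate, "yahoo") or "OK")
```

Note that the article’s own example, mail.update.yahoo.com, is a genuine subdomain of yahoo.com and therefore passes the name-before-.com rule; what that rule catches is the reversed ordering, such as yahoo.com.update-secure.net, where the brand is only a subdomain of an attacker-controlled name.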
In a nutshell, digital transformation is good and we must all embrace it in line with our National Development Strategy, which fosters ICT development by recognising the digital economy as one of the fourteen key pillars for attaining our vision. However, we need to be mindful of the vices that come with this digital revolution so that we can consistently shield ourselves against cyber threats. The country needs to avoid becoming a hub for cybercrime and must protect its citizens by expeditiously enacting the long overdue Cybersecurity Bill, continually updating the legal and regulatory framework, and empowering the relevant institutions with enforceable frameworks. Cross-sectoral collaboration must be sustained, whilst consumers must be empowered with consumer education and awareness content on emerging online issues, so as to eliminate the knowledge gap that exists between consumers and service providers on the rights and obligations that arise from electronic interactions.
Dr George Manyaya writes in his own capacity. He recently graduated with a Doctorate in Business Management; his thesis was “Evaluating Consumer Protection in A Converged ICT Environment”, with Zimbabwe as a case study. He has over 17 years’ experience at both executive and board levels in public and private institutions in information communication technology, media, mining, aviation, tourism and the United Nations (IOM).