Have you ever received an unsolicited email asking you to click on a link for information that seems too good to ignore? How about text, WhatsApp or Telegram messages announcing rewards for customers of a business?
If you have, you’re not alone. If you haven’t, it is better to be prepared to deal with it, because as long as you keep using messaging apps and email you will eventually receive one.
Some of these unsought or unexpected messages are traps known in cyber-security parlance as phishing.
Phishing is a fraud technique in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking, credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.
The commonest way a phisher sets a phishing attack in motion is by sending out countless spoof emails, texts, WhatsApp or Telegram messages. These messages are carefully crafted to look nearly identical to the correspondence that actual banks or other sources send out. Skilled phishers can replicate the logos, layouts and general tone of such emails to an uncanny degree.
Cyber experts have identified at least eight types of phishing, including the following:
- Email phishing: The fraudsters register fake domain names and use them to impersonate organisations and send thousands of requests to their targets. Watch out for character substitution, such as using “r” and “n” side by side to make “rn” instead of “m”. For example, seth[@]rnfwa.org is an attempt at faking seth[@]mfwa.org.
- Spear phishing: This type of scam targets specific individuals rather than sending the same message to hundreds of people in the hope that some will fall prey. Popular targets include human resource staff and information technology managers because they have higher access levels within the wider organisation. Experts say that when the target is higher up the organisation ladder, the attack is known as whaling, which targets high-value individuals such as chief executives, managing directors and board chairmen. The attackers often impersonate other senior executives or representatives of other companies to convince the target to disclose sensitive, high-value information.
- Vishing and smishing: Mobile phones replace email in smishing (SMS phishing) and vishing (voice phishing). With smishing, the attackers send text messages whose deceptive content is similar to that of a phishing email. Vishing involves phone conversations, with the scammer speaking directly to the target. A typical example is mobile money fraud. In the banking sector, the fraudster informs the victim of an account breach and prompts them to verify their identity by providing bank details. Many Ghanaians fell prey to this scam when customers were required to link their Ghana cards to their bank accounts.
- Pharming: A highly technical form of phishing that is harder to detect. It involves an attacker hijacking the DNS (Domain Name System), which converts domain names into IP addresses. When users enter the target website’s URL, the tampered DNS resolves it to another IP address, usually that of a malicious website that appears legitimate.
- Pop-up phishing: Most users install pop-up blockers, but pop-up phishing is still dangerous. Malicious actors may place malicious code in the small notifications (pop-ups) people see when they visit a website. An example of a relatively new pop-up phishing technique uses the “notification” feature of the victim’s web browser. When the user tries to visit a website, the browser displays a message saying the website wants to show notifications. Clicking “Allow” triggers the pop-up that installs malware.
- Evil twin phishing: This type of phishing uses fake Wi-Fi hotspots that appear legitimate but intercept sensitive data in transit. Malicious actors can eavesdrop or perform man-in-the-middle (MitM) attacks when someone connects to a fake hotspot, stealing data sent over the connection such as confidential information and login credentials.
Fact-Check Ghana advises the public to take the following actions when they receive suspicious messages:
- Verify the source: Check whether the message comes from an official, verified channel of the institution. Scammers often create fake profiles that resemble legitimate companies to trick people.
- Check the URL: Before clicking on any link, hover your cursor over it to see the actual URL. If the URL looks suspicious or doesn’t match the company’s official website, do not click it.
- Avoid providing personal information: Legitimate companies usually don’t ask for sensitive information through unsolicited messages. Be wary of any request for personal or financial information.
- Look for typos and grammar mistakes: Many scams contain spelling errors and poor grammar. A poorly written message is a red flag.
- Search for news or alerts: If the company is indeed celebrating its anniversary, there might be official announcements or news articles about the promotion. Search online to confirm that the promotion is genuine.
- Use official channels: If you’re interested in the promotion, visit the company’s official website directly rather than following links in unsolicited messages.
- Install security software: Make sure your device has up-to-date security software that can detect and block malicious activity.
- Report suspicious messages: If you believe you’ve received a suspicious message, report it to the Cyber Security Authority or to the platform through which you received it.
- Don’t leave personal information on social media: Posting personal information on social media platforms leaves you and others vulnerable to scams and other forms of cybercrime.
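The two checks described above (spotting character substitution such as “rn” for “m” in a sender’s domain, and comparing the real host behind a link with the company’s official website) can be automated. The following is an added Python example and not part of the original article; the allow-list of official domains and the substitution table are constructed assumptions, and the sample addresses are the article’s own.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of a company's official domains (assumption for this example).
OFFICIAL_DOMAINS = {"mfwa.org", "examplebank.com"}

# Visually similar character substitutions seen in lookalike domains (constructed list).
# Both the suspect domain and the official one are folded with this table before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def canonical(label):
    """Fold a domain label so that lookalike spellings compare equal."""
    label = unicodedata.normalize("NFKC", label).lower()  # e.g. fullwidth letters -> ASCII
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def extract_domain(value):
    """Return the host of an email address or URL (lowercase), or '' if none."""
    value = value.strip().replace("[@]", "@").replace("[.]", ".")  # accept defanged samples
    if "@" in value and "://" not in value:          # plain email address
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:                           # bare host, treat as a URL
        value = "http://" + value
    # urlsplit().hostname ignores a deceptive "user@" prefix such as https://mfwa.org@evil.example/
    return (urlsplit(value).hostname or "").lower()


def registrable(domain):
    """Rough registrable domain: last two labels, so 'login.mfwa.org' -> 'mfwa.org'."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def classify(value):
    """'official', 'lookalike of <domain>', 'unrecognised' or 'unknown' for an address or link."""
    domain = registrable(extract_domain(value))
    if not domain:
        return "unknown"
    if domain in OFFICIAL_DOMAINS:
        return "official"
    for official in OFFICIAL_DOMAINS:
        if canonical(domain) == canonical(official):
            return f"lookalike of {official}"
    return "unrecognised"
```

A host such as `mfwa.org.evil-example.net` is classified as unrecognised rather than official, because only the registrable part of the host is compared with the allow-list.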