Phishing, smishing and vishing

Phishing, smishing and vishing are all attempts to defraud you through email, mobile, and telephone scams respectively. Letting your guard down just once can lead to a cascade of serious losses.

Phishing is a scam that takes place by email. A typical phishing attack occurs when a legitimate-looking email, appearing to come from a bank or other financial institution, is sent to you requesting you to click on a link to update or verify your personal or account information.

The fraudsters often try to scare you into opening a phishing email by saying 'Your account has been accessed' or 'Your account will be blocked', or they entice you to click on links by saying 'You have had a large deposit made into your account' or 'You need to install new software to protect yourself'. When you click on the link in the email, it directs you to a legitimate-looking website. After you enter your personal details, account details, PIN and password on the fake website, the information is forwarded to the fraudsters, who are then able to access your bank account allowing them to transfer funds from your account into specially opened bank accounts. These accounts are then cleared of the transferred funds within minutes.

Smishing is much like phishing, except that text messages sent to cell phones are used rather than emails. In a smishing message you could be requested to click on a link in the text and be redirected to a legitimate-looking website where you are requested to supply your personal and/or account information, just as you would in a phishing scam. You could also be requested to contact a toll free number where a fake automated voice-response system requests you to provide personal information, such as passwords and PINs.

Vishing entails social engineering over the telephone where you are called and lured into divulging personal information to an automated system. Fraudsters also use a technique called ‘caller identity spoofing’, where calls appear to be made from a legitimate or known number, allowing the fraudster to obtain your personal details.
 

Phishing involving email accounts

This phishing scam involves the collection of usernames and passwords for email accounts by cybercriminals. Once they have this information, they hijack the email account and if the account is used for banking or business purposes, they impersonate the account holder and order goods or services, request that banks make transactions on their behalf or notify business clients of a change of banking details.
 

How does a cybercriminal gain access to your email account?

You receive an email that purports to be from Hotmail, Google, Yahoo, etc (email addresses ending with Gmail, Yahoo, etc) stating one of the following:

• Your email inbox is full and you must use the link provided to delete messages or increase your mailbox size;
• Important and for immediate attention: Please log in using the link provided.
• We are experiencing congestion due to anonymous registration of accounts and are closing some email accounts. Please confirm that you would like to retain the email account by logging on through the link provided.

Other tactics include posing as a company s and requesting you to log on to your email account through the provided links to access your online information.

You could also unknowingly download malware on your computer when you open an unsolicited email or click on a link in an email. You will be taken to a fake site that looks similar to your service provider’s site or provided with a fake form to complete. Once you insert your login details, the details are collected by the cybercriminals and used to hijack your email account.

Apart from being able to send mails using your email address, the cybercriminals also have the ability to create a rule in your mailbox to move any mails from a specific sender to folders on their own personal computers. You will be totally unaware that your email credentials and confidentiality have been compromised. 

What could the cybercriminals do once they have access to your email account?

• If the email account is used for banking or business purposes, the cybercriminals could impersonate you as the accountholder and order goods or services, request that banks make transactions on their behalf or notify business clients of a change of banking details. The bank and other businesses may accept these emails as if they came from you without knowing that an unauthorised third party has gained access to your email account.
• Some email accounts have your credit card details on file for future purchases. By accessing your account, a fraudster could access your credit card information.
• Cybercriminals can trawl through your mailbox and any other folders in your email box. They would then be able to use sensitive documents (such as copies of identity documents, passports, mails from suppliers and family) to make their scam seem legitimate and convince others that they are in fact the person they are claiming to be.
   

Signs that your email address has been compromised

• You receive complaints about spam being sent from your email address (to contacts in your address book or to strangers);
• You do not receive any emails or some emails appear to be missing;
• You receive large numbers of undeliverable or bounce messages for emails you did not send;
• You are not able to log in to your email account; and
• Unknown emails appear in the sent-items folder.
   

Telephonic technical-support scams

This is where someone posing as a representative of an IT Company (e.g. Microsoft) contacts people and offers to assist them with solving a computer problem, or offers to remove viruses, or tries to sell them a software licence.

These so called representatives then request you to access a website or click on a link that will allow them to access your computer so that they can do the repairs, remove viruses or download the software you purchased. Once they have accessed your computer, they will be able to do any or all of the following:

• Trick you into installing malicious software that captures sensitive data, such as online banking user names and passwords. And afterwards, they may charge you to remove this software;
• Take control of your computer remotely and adjust your security settings to leave your computer vulnerable;
• Request credit card information so they can bill you for repairs or software ordered; and
• Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there. 
   

Tips to protect you from phishing, smishing and vishing

• Control your computer. Never hand over remote control of your machine, or offer your credit card details, unless you are absolutely certain it is legitimate.
• Maintain a healthy scepticism. Be suspicious of any email or sms that asks for your personal information or banking details. If you want to access a site type in full name of the site from your browser bar and navigate from there. Never click on a 'quick link' in an email.
• Make sure your computer is secure. Keep the antivirus and operating-system software up to date. Do damage control when necessary. If you have compromised your personal information in a phishing or smishing scam, it is imperative that you immediately change your PIN and password. Keep in mind that you should also immediately report the incident to the Nedbank Contact Centre on +264 81 959 2222 or via our toll free number on 0800 000 115.
• Look at your URL bar. Secure sites always start with 'https' (rather than 'http') and have a little gold lock next to them. If you see the little gold lock next to a ‘'http' (rather than an ‘https’) you know it's a fraudulent site.
• Hover over hyperlinks. Hover your mouse over any hyperlinks to reveal the actual URL and check that it is, in fact, the address stated in the email.
• Report it. If you receive a phishing email, do not respond to it. Simply delete it from your inbox and trash folder as well.