Cybercriminal activity is intensifying. You can stay safe with this comprehensive guide, which features expert tips and proactive measures.
31 July 2024 · Fiona Zerbst
According to research published by cybersecurity company Surfshark in 2023, South Africa is among the top five countries in the world affected by cybercrime.
With internet-based crimes such as banking fraud, phishing attempts, and malware attacks on the rise, it’s vital to be savvy to avoid becoming a victim.
We ask the experts for their advice and tips for staying safe online.
Tip: Checking your credit score regularly will allow you to quickly identify any potential instances of credit account fraud.
Among the various forms of cybercrime, South Africans are most likely to be targeted by scammers and fraudsters, says Wicus Ross, a senior security researcher at Orange Cyberdefense.
Cyber-extortion attempts, such as digital kidnapping, often make the headlines, but the average South African is unlikely to encounter this form of attack, he notes.
The most common attacks are:
In South Africa, says Ross, “you’re likely to be the victim of social engineering or manipulation, which can be conducted with nothing more than an internet connection and a mobile phone”. Typical victims include older people, those who are less internet-savvy, or those who seem vulnerable in some other way.
“Criminals often befriend people on social media and, over time, try to extract money from them, or manipulate them into doing things for them,” Ross points out.
Craig Rosewarne, managing director of Wolfpack Information Risk, and author of Cybercrime Self-Defence: A Practical Guide to Protecting Yourself in the Digital Age, says the most concerning cybercrimes involve family and social relationships.
These include romance scams, “sextortion” (being coerced into providing sexually explicit images or videos of yourself, which are used to blackmail you), cyberbullying, “doxing” (publicly revealing private information about a person or organisation on the internet), and “revenge porn”.
We examine some common cyberattacks in more detail.
Phishing involves an attempt to trick you into revealing sensitive information, such as your personal data, login credentials, credit card details, and more. When you provide access to your information, your digital security is compromised.
Rather than preying on technological vulnerability, phishing is a type of social engineering that exploits human psychology.
Examples include emails, messages, websites, etc., that claim to be from a legitimate source, such as a bank, online retailer, or social media platform, in an attempt to get you to reveal personal, financial, or security data.
“Cybercriminals often create a sense of urgency or fear, prompting you to act immediately without thinking,” warns Rosewarne. A typical example is a phone call or message informing you that your account has been hacked or your credit card details compromised.
Rosewarne says phishing via email is most common, as it’s an easy way to access a large audience. However, other types of phishing include voice phishing (“vishing”), SMS phishing (“smishing”), and QR code phishing (“qishing”).
WhatsApp scams are also rife, as anyone can send you a WhatsApp message and invite you to join a group.
“Attacks that work with email can also work with instant messaging and social media platforms,” Ross points out. “The limited user interface on mobile phones, compared to PCs, makes it difficult to inspect elements in browsers. Attackers take advantage of this when designing their attacks.”
Bait-and-switch happens when you’re lured by a seemingly appealing advertisement, but the actual product for sale either doesn’t exist or differs substantially in terms of quality or specifications. Often, you’ll then be offered a more expensive alternative.
This practice is considered unethical – and at times, illegal – but proving a bait-and-switch scam can be challenging.
Warning signs include deals that seem too good to be true, claims of limited stock, and overly complicated fine print or disclaimers.
“Spoofing” occurs when fraudsters pretend to be from a trusted, reputable organisation. Cybercriminals typically use false email addresses or websites, purporting to represent, for example, a well-known online retailer.
Email spoofing aims to get you to reveal sensitive information or click on malicious links.
Website spoofing involves the creation of fake websites that mimic legitimate sites with a slightly modified URL. They’re used to steal login credentials or credit card information, or to distribute malware.
Other forms of this crime involve SMS, caller ID, and IP address spoofing.
This type of cybercrime typically uses social engineering to install malware on your device via downloaded content.
Be wary of websites or digital advertisements offering free downloads of popular software, games, and applications, and social media posts claiming you have won a prize, gift card, or similar but need to provide personal information or download something to “claim” it.
Websites may also promise free access to movies, TV series, music, or copyrighted content, for example, if you download a “media player” that is actually malicious software. Another scam uses pop-ups or websites prompting you to update your computer software.
Ransomware, a form of malware that hijacks your computer system and “kidnaps” your data, is more likely to affect organisations than individuals, but small businesses are not exempt.
A cybercriminal typically takes your data or systems hostage and demands a ransom payment, usually in cryptocurrency, to release or decrypt the data.
Ransomware attacks can devastate businesses, causing data losses, disruptions to business operations, financial losses, and reputational damage.
Fortunately, there are several precautions you can take to avoid becoming a victim of a cybercrime or scam.
Some further tips are outlined below.
Be wary of emails from unknown or untrustworthy sources, especially those that request personal information or contain links or attachments, Rosewarne cautions. Emails may not appear suspicious at first glance, but they could contain malware.
Any message requiring “urgent attention” or presenting an offer that sounds too good to be true is a red flag. Poor spelling and grammar can indicate a scam, but be aware that scammers often use artificial intelligence tools such as ChatGPT to improve their communications, so be alert to the tone of the message.
Unusual sender addresses (for example, when the sender purports to be from your bank but has a suspicious email address) and mismatched URLs are also red flags. Inform yourself by hovering over the link to see the full destination address.
Ross advises that you use strong, unique passwords for different accounts, and change them regularly. Do not reuse passwords, he adds - however tempting this may be.
He also recommends using two-factor authentication (2FA), which adds an extra layer of security beyond just using your username and password for authentication. 2FA requires two different types of verification before granting access to an account or system.
“When enrolling in 2FA, don’t use SMS-based methods to obtain your code as criminals can execute SIM swap attacks,” warns Ross. “Instead, use an app like Google Authenticator.”
Multifactor authentication can involve two or three verification factors, or even more, for additional security.
Passkeys such as Microsoft’s FIDO2 – which do not rely on passwords – are a new, modern approach to authentication, says Ross. “Authentication can be performed using your mobile device. The latest Android and Apple iOS versions support this feature if the mobile device’s hardware meets the technical requirements.”
Also consider using a reliable, recommended password manager to keep all of your passwords secure and encrypted. You’ll only need to remember one password, but ensure it’s at least 30 characters long – and it’s vital that you don’t forget it, because if you do, you’ll be locked out of all your accounts. Ross recommends using a rhyme or extract from a lyric, then adding numbers and special characters.
It's crucial to ensure the password manager you choose is legitimate and trustworthy, Ross cautions.
Modern browsers will always attempt to take you to websites secured by SSL technology, which establishes an encrypted connection between your computer and a server or website. When a site is secured by SSL, “https” appears in the URL. The browser will warn you if it cannot establish a secure connection. In this case, close the tab, and don’t continue.
It's important to note that not all websites with an SSL certificate are legitimate, Ross warns. “Anyone with enough technical knowledge can get an SSL certificate for free. This means criminals can now create sites that will satisfy the SSL certificate requirement.”
Browsers no longer show the traditional “padlock” to validate a site’s legitimacy, making it more difficult for the average person to identify a fake website.
For online shopping, Ross recommends using a mobile shopping app rather than a website. However, he notes that credit card issuers such as Mastercard and Visa have implemented extra features to ensure online purchases can be verified through a channel other than the web browser.
Visa Secure (which has replaced Verified by Visa) and Mastercard SecureCode offer extra layers of security in the 3D Secure process when you shop online. Confirm with your card issuer that this anti-fraud technology is activated.
Another tip is to consider using a credit card, rather than a debit card. “When criminals compromise your debit card, your money is stolen,” notes Ross. “Credit cards, although more expensive, offer a buffer of protection for fraud detection and repudiation.”
If you receive an email offer that takes you to a website, don’t click on the link. Instead, visit the company’s website directly, or check its social media pages, to see if the offer is valid.
If you haven’t entered a contest or sweepstake, don’t respond to emails, SMSs, or WhatsApp messages claiming you’ve won a prize or large amount of money.
Although such phishing scams are commonly distributed by email, they’re now infiltrating mobile phones as well, says Ross.
“Smishing” text message scams may request that you reply with a five-digit code that could lead to unwanted SMS fees and subscription costs. Criminals may also use a raft of other smishing tactics. “Simply delete the text message,” advises Ross.
Beware of credit scams, where fake credit providers offer you great loan terms without assessing affordability. These great “deals” from unregistered credit providers can cause you long-term financial harm.
Make sure your browser is updated to the latest version. This helps prevent cybercriminals from taking advantage of vulnerabilities in older versions, for example, during the holiday shopping season.
Microsoft still supports Windows 10, but support for earlier versions of Windows 10 is ending, says Ross. You should not use older versions of Windows.
Keep your cell phone operating system up to date, even if this means replacing the handset due to vendor support limitations. Apple is good with supporting a wide range of older handsets, but Android-based devices may have a limited support life cycle, notes Ross.
Rosewarne advises installing email verification tools and QR code scanners that can check the legitimacy of emails and URLs. Use antivirus and anti-malware software to protect yourself, and renew annual subscriptions before they expire.
Some phishing attempts are sophisticated and difficult to spot.
Attachments are a common way to inject malware into PCs. This typically occurs when you download the attachment and open or execute the file.
“As a general rule, never open emails from people or businesses you don’t know,” warns Ross. “If an email comes from someone in your address book but seems suspicious – for example, asking for money or containing an attachment – go directly to the person and ask them if they know about the email.”
Mobile devices are less likely to expose you to risky attachments – an attacker will try to get you to open a link instead. However, be aware that Android and Apple operating systems enable “sideloading”, which occurs when you install applications from a source other than your official mobile app store. This allows malicious mobile applications, such as fake (“trojan”) mobile apps, to get onto your device.
“You may receive a WhatsApp message or an email with an enticing message about a hot new app, for example. You follow the prompts and download the app onto your device, which then steals information or facilitates surveillance,” says Ross.
Get into the habit of never opening suspicious links or attachments, however interesting or appealing they may seem.
Virtual cards are digital-only credit cards issued by banks or credit card companies for free or a small fee. They generally feature a regularly changing CVV (card verification value – the three-digit number at the back of the card), and they can be cancelled after a single transaction, to avoid incurring any risk.
“Some South African banks offer virtual cards separate from your accounts, requiring money to be deposited,” says Ross. “This is almost like a top-up to your prepaid mobile account.”
Ross adds that the latest mobile banking apps offer good protection against criminals trying to access your bank account by stealing your credentials.
Many retail sites require an email address to set up an account, log in, and make purchases.
Create and use a separate email account for your holiday shopping. Such “throwaway” logins can help reduce spam and phishing attacks on your personal, everyday email account and lower the risk of your personal information being stolen.
Microsoft Windows 10 and 11 offer decent protection, as long as you keep the integrated antivirus and firewall software, at the least, up to date.
The same applies to Apple Macs. The macOS has active protection features such as Gatekeeper, Notarisation, and XProtect. “These protections offer some form of barrier, but it would be wise to consider supplementing this with an additional layer of protection,” Ross says.
When possible, preferably use a paid antivirus package – although there are good free alternatives. “When selecting a free solution, ensure you’re not downloading an imitation that could create more problems,” Ross warns. “Research which vendors perform the best and read reviews of the products.”
Further, it’s important to note that if you use free solutions, vendors may use your personal information or monitor your browsing habits to sell to other platforms – an indirect form of “payment”.
At the very least, pick a solution that includes a firewall. Without minimum protection, you’re highly vulnerable to online attacks.
When travelling, it’s best to use mobile data. It may be inconvenient and expensive, but it’s more secure than using someone else’s “free” Wi-Fi, advises Ross.
Always ensure your firewall is enabled and, if you do disable it, keep track so you won’t forget to re-enable it, he says.
Reputable virtual private network (VPN) suppliers are a good option when using public Wi-Fi. However, selecting and trusting VPN vendors is also a minefield and could allow malware to find its way onto your device. Free services may record your activity and sell it to someone else, even if they claim not to log your information.
“Whenever you use a VPN, your network traffic flows through that service provider,” Ross explains. “VPNs aren’t perfect, and your device may still be infected with malware. Some VPNs may block known bad websites, but there’s potential for exposure to phishing websites.”
Keeping a close eye on your bank statements, debit orders, and credit card charges is vital, cautions Ross.
“Crafty criminals will siphon small amounts from several victims rather than one big charge, which would be immediately noticeable,” he says.
Mobile devices are increasingly used for contactless payments, and this creates additional vulnerability. “Pay attention to any such transactions as criminals may find ways to manipulate them,” Ross warns. “Never let strangers handle your phone or cards, and make sure no one is close to you when you make a payment.”
Card skimming has evolved, Ross notes, and he expects to see more people tricking others into using their cards or mobile devices to make unauthorised payments.
Some banks allow you to disable the “tap and go” function on your card. Criminals target people who use this function, so you may want to disable it and pay by inserting your card instead.
There are multiple ways to protect your devices, but ultimately, people are the weakest link, as they are vulnerable to social engineering, says Ross. “Criminals prey on vulnerable people, and they don’t care how they milk money from them.
“Some scam artists are patient and build trust over time, for example, in romance scams," he adds. "They can string you along for months, milking you for small amounts of money. Protecting yourself is difficult as criminals exploit trust and friendship. They use emotion to cloud your judgement.”
In general, be very sceptical when someone contacts you via email, instant messenger, SMS, or phone, Ross warns.
“Ensure people explain why they’re contacting you and establish the reason,” he cautions. “They often sell you something or want you to opt in for something. Respond by asking for your details to be removed from their database.”
Rosewarne says if you’ve clicked on a phishing link or provided information to a scammer you should immediately change your passwords for all related accounts. Contact your bank or service provider to alert them to potential online fraud if you’ve disclosed financial information. You can also report a crime to the police, or report an incident on the national Cybersecurity Hub to help prevent further attacks.
Keep an eye on your account statements and sign up for credit monitoring if your financial data is compromised, to swiftly detect any unusual activity. Credit bureaus such as TransUnion and Experian typically provide these services.
Read more here about protecting your information online.
South Africans are generally not complacent about crime, but we do tend to think we won’t become victims.
“Complacency, ignorance, being tech-averse, and believing it won’t happen to you prevent you from taking steps to keep yourself safe,” says Ross.
Ross and Rosewarne offer the following tips:
Rosewarne’s book, Cybercrime Self-Defence: A Practical Guide to Protecting Yourself in the Digital Age, contains many useful tips and can be downloaded for free on the Wolfpack Information Risk website.
Tip: Constrained by debt? Find out about debt consolidation.
Free tool
info@justmoney.co.za
4th Floor, Mutual Park, Jan Smuts Drive,
Pinelands, Cape Town, 7405
© Copyright 2009 - 2024
Terms & Conditions
·
Privacy Policy
·
PAIA Manual
View your total debt balance and accounts, get a free debt assessment, apply for a personal loan, and receive unlimited access to a coach – all for FREE with JustMoney.