Written by: Natasha du Preez
Date: June 2024
Phishing and The Law In South Africa
Data digitisation has been swift and widespread across the globe. With data being captured and stored electronically, people can access their data, such as social media sites, bank accounts, email accounts, etc., from anywhere in the world with a simple click of a button.
This has made social engagement, social interactions, and banking/transacting incredibly easy and convenient for Internet users. However, almost overnight the internet became riddled with opportunists running a variety of “scams” that exploit these online platforms to gain unlawful access to the personal information and data of unsuspecting users. In this article, we explore one of the most notorious and widely used of these “scams”, namely “phishing”.
At Burger Huyser Attorneys, we understand the legal and financial repercussions phishing can have on victims. This article unpacks the intricacies of phishing attacks, the various methods used by cybercriminals, and practical steps to safeguard your digital footprint.
WHAT IS “PHISHING”?
Phishing is the use of fraudulent messages that impersonate a trusted party (a bank, an employer, a government department) to trick the recipient into revealing credentials or personal information, installing malware, or making a payment. In South Africa, the conduct that makes up a phishing attack is criminalised under the Cybercrimes Act 19 of 2020, which penalises, among other things, unlawful access to data, unlawful interference with data and software (including the use of malware), and cyber fraud. Phishing has evolved into a sophisticated and multifaceted cybercrime, with attackers employing various techniques to deceive and manipulate their targets. Each method is designed to exploit trust, urgency, or fear, making vigilance crucial for internet users. Below are the most common types of phishing attacks:
- Email Phishing: The most widespread method, where attackers send falsified emails resembling legitimate institutions to swindle victims into sharing sensitive information or clicking malicious links.
- Whaling: A targeted approach that focuses on senior executives, using personalised and subtle tactics to gain access to sensitive company information or financial assets.
- Spear Phishing: A highly targeted method that uses detailed personal information about a specific victim, such as job title, email address, or writing style, to craft convincing and deceptive messages.
- Smishing and Vishing:
- Smishing involves fraudulent text messages or direct messages on social media, often containing malicious links.
- Vishing uses phone calls, where attackers pose as representatives from trusted institutions to extract sensitive information.
- Angler Phishing: Attackers create falsified social media profiles of legitimate organisations, exploiting unsuspecting users by posing as customer service representatives to steal information or distribute malware.
The sections below explore each type of phishing attack in greater detail, their impact, and ways to safeguard against them.
WHAT IS EMAIL PHISHING?
Email phishing is the most widely used technique. The attacker registers a fake domain name that mimics a legitimate institution and, in many cases, hosts a lookalike (spoofed) copy of the institution’s website on it. Because the attacker genuinely owns the lookalike domain, email sent from it will usually pass the SPF and DKIM checks that catch forgeries of the real domain, so the domain name itself is what gives the attack away. To register these fake domains without being noticed, attackers add or substitute characters in the real domain name, for example:
- money-bank.co.za as opposed to moneybank.co.za: adding extra characters (here a hyphen) to the legitimate name.
- moneybank.corn as opposed to moneybank.com: substituting the “m” with “rn”, which is indistinguishable in many fonts.
Some attackers also use the legitimate institution’s name as part of an entirely different domain, often presenting themselves as an employee or support staff of the institution to appear more legitimate to the user, for example:
- xxxxx@moneybanksupport.co.za
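To make the three tricks above concrete, here is an added example (written for this article, not the author’s or any product’s code) that flags a sender domain as a character-substitution or added-character lookalike of a set of known legitimate domains. The legitimate domains and the confusable-character table are assumptions constructed for illustration; a real deployment would load the organisation’s own sending domains.

```python
"""Detecting the lookalike-domain tricks described above.

Added example (not code from the original article). LEGITIMATE_DOMAINS and
CONFUSABLES are constructed for illustration.
"""
import re

# Constructed: domains the institution genuinely sends mail from.
LEGITIMATE_DOMAINS = {"moneybank.co.za", "moneybank.com"}

# Sequences that look alike in common fonts. Multi-character entries come
# first so "rn" is folded to "m" before single characters are touched.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def fold_confusables(domain: str) -> str:
    """Normalise lookalike characters: 'moneybank.corn' -> 'moneybank.com'."""
    out = domain.lower()
    for lookalike, real in CONFUSABLES:
        out = out.replace(lookalike, real)
    return out


def brand_tokens(domains) -> set:
    """The brand word of each legitimate domain, e.g. {'moneybank'}."""
    return {d.split(".")[0] for d in domains}


def classify_domain(domain: str, legit=LEGITIMATE_DOMAINS) -> str:
    """Return 'legitimate', 'subdomain', a 'lookalike:...' label or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if domain in legit:
        return "legitimate"
    if any(domain.endswith("." + d) for d in legit):
        return "subdomain"
    # Substituted characters (rn for m, 0 for o, ...): the folded form is a real domain.
    if fold_confusables(domain) in legit:
        return "lookalike:substituted-characters"
    # Added characters around the brand (money-bank, moneybanksupport,
    # moneybank.co.za.evil.com): the brand survives in the leading label.
    leading = re.sub(r"[^a-z0-9]", "", fold_confusables(domain.split(".")[0]))
    if any(brand in leading for brand in brand_tokens(legit)):
        return "lookalike:brand-with-extra-characters"
    return "unrelated"


def classify_sender(address: str, legit=LEGITIMATE_DOMAINS) -> str:
    """Classify the domain part of an email address (or a bare domain)."""
    return classify_domain(address.rsplit("@", 1)[-1], legit)


if __name__ == "__main__":
    for sample in ["moneybank.co.za", "money-bank.co.za", "moneybank.corn",
                   "rnoneybank.co.za", "xxxxx@moneybanksupport.co.za",
                   "moneybank.co.za.evil.com", "example.org"]:
        print(f"{sample:32} {classify_sender(sample)}")
```

Because the attacker really does register the lookalike, SPF and DKIM will normally pass for it; DMARC on your own domain stops exact-domain forgery, not lookalikes, which is why a check of this kind belongs alongside it rather than instead of it.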
WHAT IS THE GOAL AND EFFECT OF EMAIL PHISHING?
The goal of email phishing is to induce or convince the user to perform one or all of the following actions:
- To download an attachment containing malware or a virus onto their computer or mobile device.
- To reply to the phishing email with the requested personal information.
- To follow the attached link to a spoofed (lookalike) website and enter their login credentials and personal information there.
- To follow the attached link, which in turn installs malware or a virus on their computer or mobile device.
To induce the user to perform one of the above actions without question, the attackers will attach a sense of extreme urgency to the phishing email. They will either use threatening language in the email or induce a sense of panic by claiming that it must be attended to immediately or certain unwanted consequences will follow for the user.
This will cause the user to become panicked and hasty, which in turn causes them to disregard possible red flags and perform the requested action without properly authenticating the legitimacy of the email and domain name of the sender.
WHAT IS WHALING?
Whaling attacks are far more calculated and targeted than mass email phishing. The target is a senior executive of a company, who is either attacked directly or impersonated to the company’s employees. Although similar to other phishing techniques, whaling is more specific and subtle: the emails often contain no links or attachments at all, because executives are usually trained to spot them, and the lure is instead a plain, plausible business request.
HOW DOES WHALING WORK?
The approach to whaling is as follows:
- The attacker will do extensive research on the company and the victim by utilising various social platforms, such as LinkedIn, for example, since many companies and high-profile business moguls have public domains containing information about the company, employees, and executives.
- The attackers will then utilise this information to attack unsuspecting employees in the company by mimicking/presenting themselves as one of the senior executives in the company to access information or to obtain money.
- Whaling emails will utilise real information about the senior executive, such as their name and work email address, as well as real information about the employee, such as their name and work email address, making the email seem legitimate.
- The whaling technique feeds on the employee/employer relationship and utilises it to induce the employee to comply.
For example, whaling emails will usually contain instructions to the employee, such as sharing private information of the company, personal information of the employee or senior executive, or even transferring money to the fake “senior.” The “instruction” is oftentimes disguised as a busy executive requesting an urgent favour from a specific employee.
This attack relies heavily on the employee’s willingness to comply with orders from their executives and plays on the employees’ fear of being reprimanded when not complying with a direct order.
WHAT IS SPEAR PHISHING?
Spear phishing is closely related to whaling, but any individual can be the target, and the attack is tailored using personal information the attackers have already gathered about that specific person. The information attackers typically collect includes:
- Name and Surname;
- Place of employment;
- Work email address;
- Job title/job description;
- Information about their colleagues;
- Information about their family;
- Samples of their writing/language usage;
- Specific details of the work they handle in that role.
WHO IS TARGETED FOR SPEAR PHISHING ATTACKS?
Spear phishing targets are well-researched by the attackers to seem legitimate and appeal to the target on a much more personal and informed level.
Auditors, accountants and others who process payments are commonly targeted. The spear phishing email addresses them by name and job title and manipulates them into transferring money to the attacker’s bank account under the guise of a legitimate instruction from a colleague or manager, whose real names and details are used to make the email more convincing.
WHAT IS THE DIFFERENCE BETWEEN SMISHING AND VISHING?
Smishing is phishing launched via SMS, instant-messaging apps, or direct messages on social media, while vishing is phishing launched via telephone calls.
Popular smishing attacks include an SMS to the target that their bank account was hacked along with a link to the banking institution’s website that the user must follow to prevent fraudulent activities on their account. These links usually take the user to a “spoofing” (fake) website that captures their bank details.
Vishing attacks take the form of telephone calls purportedly from a bank, where the attacker mimics the fraud or credit card department, claims that the user’s account has been breached, and asks the user to provide personal information (ID number) or banking details (PIN, password, CVV, or a one-time PIN sent by SMS) to “verify” their identity. A genuine fraud department already holds the account details and never needs the PIN or one-time PIN.
WHAT IS ANGLER PHISHING?
In this variation of phishing, the attacker will create a fake social media account of a legitimate institution or company and “clone” their page by using their biography, details, and profile picture to appear legitimate.
Angler phishing relies on the now-common habit of users complaining about institutions in public forums. When a user complains about an institution on a social media site, the attacker replies from the cloned account, posing as the institution, and requests personal information in order to “compensate” or “refund” the user; the attackers then hijack the user’s accounts, steal their identity, or redirect them to a fake website that serves malware.
HOW CAN I SAFEGUARD AGAINST “PHISHING”?
- Verify email and website authenticity:
- Always check the sender’s actual email address (not just the display name) when receiving an email from an unknown or unexpected sender.
- Always check the address bar before entering any information on a website. A padlock or https:// only means the connection is encrypted; it does not prove the site belongs to the institution, and lookalike phishing sites routinely use https too. Read the domain name itself.
- When an email directs you to a website, make sure the domain name of the link (and of the page you land on) matches the domain name of the sender and of the institution’s real website.
- Enable two-factor authentication (2FA):
- Use 2FA for online banking and social media accounts to add an additional layer of security, as it significantly reduces the risk of unauthorised access.
- Be wary of urgency and threatening language:
- Always use caution when responding to emails, SMSs, or direct messages on social media that create sudden urgency, use threatening language, or indicate negative consequences if immediate compliance is not given.
- Use caution with unknown links and attachments:
- Always verify emails received from colleagues or employers, especially emails requesting payments or changes to banking details, through a second channel (a phone call to a number you already know) before acting on them.
- Always use caution when an email, SMS, or direct message on social media from an institution contains many spelling errors, as legitimate institutions usually have spelling and grammar checkers on their email systems.
- Install security software:
- Always keep a firewall and anti-virus software installed and updated on your computers and mobile devices.
- Always use caution when clicking on links from unknown or unverified senders.
- Always use caution when downloading attachments from unknown or unverified senders.
- Always use caution when receiving emails, telephone calls, SMSs, or direct messages on social media from unverified senders that contain unusual requests (such as installation of software).
- Avoid sharing personal information:
- Never give out personal information (PINs, passwords, identity numbers, one-time PINs, or bank card details) to unverified persons via email, telephone, SMS, or social media.
- Never transfer money from your bank account without receiving an invoice from a verified institution with verified banking details.
- Remember: legitimate banking institutions will NEVER ask you to provide or “verify” your PIN, password, CVV or one-time PIN via a telephone call, email, or SMS, however much the caller or sender already appears to know about you.
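The checks in the list above can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the original article, that parses an email, compares the brand in the display name with the sending domain, compares each link’s visible text with its real target, flags links that lead outside the sender’s domain, and notes urgency language. Both messages, the brand name and the keyword list are constructed for illustration.

```python
"""Triage checks for a suspicious email: sender domain vs display name,
link text vs link target, links outside the sender's domain, urgency words.

Added example (not code from the original article). Both messages and
URGENCY_WORDS are constructed for illustration.
"""
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: link text shows the bank's real address, the href does not.
PHISHING_EMAIL = """\
From: MoneyBank Fraud Department <alerts@moneybank-secure.co.za>
To: customer@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected suspicious activity. Verify your identity immediately or
your account will be suspended.</p>
<p><a href="https://moneybank.co.za.verify-login.com/auth">https://www.moneybank.co.za/login</a></p>
</body></html>
"""

# Constructed routine notification from the bank's own domain.
LEGITIMATE_EMAIL = """\
From: MoneyBank <noreply@moneybank.co.za>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement for May is ready.</p>
<p><a href="https://www.moneybank.co.za/statements">View statements</a></p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def hostname_of(text: str) -> str:
    """Hostname of a URL; a bare 'www.example.com/x' is accepted too."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_site(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it (a mere prefix does not count)."""
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    findings = []
    # Display name claims a brand that the sending domain does not carry exactly.
    brand = display_name.split()[0].lower() if display_name else ""
    if brand and sender_domain.split(".")[0] != brand:
        findings.append(f"display name '{display_name}' but sender domain {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    haystack = (str(msg["Subject"] or "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    parser = LinkExtractor()
    parser.feed(body)
    for link_text, href in parser.links:
        target = hostname_of(href)
        shown = hostname_of(link_text) if LOOKS_LIKE_URL.match(link_text) else ""
        if shown and not same_site(target, shown):
            findings.append(f"link text shows {shown} but points to {target}")
        # https:// on the target proves only encryption; the domain is what counts.
        if not same_site(target, sender_domain):
            findings.append(f"link to {target} is outside sender domain {sender_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legitimate", LEGITIMATE_EMAIL)):
        print(label, triage(raw) or ["no findings"])
```

The lure link begins with moneybank.co.za and is served over https, and it is still flagged: the check looks only at whether the registered domain is the sender’s, which is the one thing the attacker cannot copy.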
If you suspect fraudulent activity on your bank account, report it on the official banking app or go to the bank in person at the nearest branch and request assistance from an employee.
Many unsuspecting online users can easily fall victim to phishing scams if caution is not used online. It is important to safeguard your personal information from cyber attackers and not to take everything you see online at face value. Many criminals prey on the uninformed and often trusting nature of online users for financial gain.
At Burger Huyser Attorneys, we emphasise the importance of protecting your digital identity. If you have been a victim of phishing or suspect fraudulent activity, contact us for expert legal advice to safeguard your rights and pursue justice.
Stay informed and stay cautious; if something appears too good to be true, then it likely is. Always verify before you trust.
Contact Burger Huyser Attorneys, and book a consultation.
To speak to one of our experienced attorneys in South Africa for immediate assistance, contact us on the numbers below:
Randburg call 061 516 6878; Roodepoort call 061 516 0091; Sandton call 064 555 3358; Pretoria call 064 548 4838;
Centurion call 061 516 7117; Alberton call 061 515 4699; Bedfordview call 061 536 3223
DISCLAIMER: Information provided in this article does not, and is not intended to, constitute legal advice.