Phishing attacks you need to look out for
Phishing attacks usually take place over email, but criminals are now using many different methods as scams become more sophisticated and more frequent.
Phishing is a common form of social engineering used to trick and deceive unsuspecting victims for fraudulent purposes. The goal of any phishing scam is always to steal personal information. A criminal’s success depends on establishing trust with a victim, so in these attacks, the criminal poses as a trustworthy source and attempts to trick the potential victim by playing on human emotions such as fear and anxiety. They convince the victim to click on malicious links or download attachments, which causes them to unwittingly disclose personal and/or confidential information and leads to them or their businesses/organisations being defrauded.
Don’t be a victim – understand and be aware of the following types of phishing:
One of the most common types of phishing attacks takes place via email, where the cyber attacker impersonates a legitimate entity or business. Often these emails convey a sense of urgency, informing the victim, for example, that their personal account has been compromised and they must respond immediately. The objective is to elicit a response from the victim, such as clicking a malicious link that leads to a fake login page, which requires them to enter login credentials. The unwitting victim is actually being duped into disclosing personal information straight to the scammer.
Smishing and vishing
Smishing (SMS phishing) and vishing (voice phishing) operate much the same as email-type phishing attacks, but instead use text messages (SMS) and voice communications to carry out a phishing attack. The objective of both these attacks remains the same – to gain access to sensitive or confidential information.
Social media phishing
This occurs when attackers use social networking sites such as Facebook, Twitter, LinkedIn and Instagram to obtain victims’ sensitive data or lure them into clicking on malicious links. Criminals may create fake accounts and/or impersonate someone the victim knows, or a well-known brand, in order to obtain the victim’s personal information or defraud them.
Spear phishing
Spear phishing is directed at a specific target(s) and involves sending malicious emails to specific individuals within an organisation. These types of emails are often more personalised, since the criminal is armed with specialised knowledge of the organisation, including personal information about a potential target.
Whaling
Whaling is similar to spear phishing, but here, criminals specifically target senior and high-level executives within organisations, who are casually referred to as the “big fish”, hence the term whaling. These attacks are often more sophisticated and meticulous, given the level of the victim and the type of access or information the victim may have.
Business email compromise
In this form of phishing the cybercriminal obtains access to the business email accounts of high-ranking executives. Once accessed, they send emails to employees from the compromised email accounts, in which they impersonate the executive and issue instructions/requests – often relating to transferring funds or related actions.
Pharming
Pharming involves cybercriminals exploiting internet browsing in order to redirect users to malicious websites, often by targeting Domain Name System (DNS) servers. Through such orchestrated attacks, victims are redirected to fraudulent websites with fake IP addresses where scammers can harvest (or pharm) compromised personal and confidential information.
Search engine phishing
This type of phishing is very similar to pharming; cybercriminals work to become the top hits on search engines with a view to enticing users to click on legitimate-looking links. Once the victim clicks, they’re unwittingly redirected to malicious/cloned sites where compromised personal and confidential information is harvested.
Red flags
Red flags are the tell-tale signs, traits or warnings that often accompany danger or dangerous situations. In the case of phishing attacks, listen to your inner voice or gut feeling and learn to be vigilant and aware so you can spot these attacks and avoid becoming a victim. Take note of:
Unsolicited communications from unknown parties (or email addresses) with which you have no association.
Communications or requests received at odd or unusual times, i.e. outside of business/working hours.
Requests for personal information ostensibly from service providers/businesses/government organisations that should already have your details on record, for example, SARS.
Hyperlinks or attachments in communications (and/or instructions to access these).
Website addresses provided in links or requests that don’t match the known or actual addresses from which they purport to be.
A communication regarding something you didn’t purchase or notification of winning a prize in a competition you didn’t enter.
Instances where communications contain spelling errors, e.g., with company names or email addresses, and irrelevant or strange subject lines.
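Two of the red flags above (a link whose real address doesn't match the address it shows, and a misspelled company name in an address) can be checked automatically by a mail filter. The Python sketch below is an added example, not Vodacom's own tooling; the domain list, the sample message and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: domains the recipient really deals with (constructed placeholders).
KNOWN_DOMAINS = {"example-bank.test", "example-telco.test"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
# Constructed sample message body, not a real phishing email.
SAMPLE_EMAIL = """
<p>Your account is suspended, respond immediately:
<a href="http://examp1e-bank.test/login">https://example-bank.test/login</a></p>
<p><a href="https://example-telco.test/help">Help centre</a></p>
<p><a href="https://www.example-telco.test/bill">example-telco.test/bill</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(host, domain):  # exact or subdomain match; no public-suffix list
    return host == domain or host.endswith("." + domain)

def red_flags(html, threshold=0.85):
    """Return [(href, [flag, ...])] for links that show either red flag."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host, flags = urlsplit(href).hostname or "", []
        shown = DOMAIN_RE.search(text.lower())
        if host and shown and not (same_site(host, shown.group(1)) or same_site(shown.group(1), host)):
            flags.append("text-href-mismatch")  # link text names another site
        if host and not any(same_site(host, d) for d in KNOWN_DOMAINS) and any(
                SequenceMatcher(None, host, d).ratio() >= threshold for d in KNOWN_DOMAINS):
            flags.append("lookalike-domain")  # near-miss spelling of a known name
        if flags:
            findings.append((href, flags))
    return findings
```

Only the first link in the sample is flagged; a link with generic text to a known site and a link to a subdomain of the site it shows both pass.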
Vodacom is also constantly working to protect customers from criminals. If you suspect you’ve been the victim of a phishing attack, fill out our Report Scam form to report the incident.