In February 2010 the South African Banking Risk Information Centre (SABRIC) announced that the number of phishing web sites shut down by banks had more than trebled over the space of only three months. The announcement offers statistical validation that phishing attacks are still growing, in both volume and sophistication.
While the Internet-literate may scoff at those who fall prey to phishing emails, the concern shown by South Africa's banks over the phenomenon is a clear indicator of how successful phishing actually is in extracting personal information from consumers who are simply trying to keep up with what has become a blizzard of daily Internet-based transactions.
The reason phishing emails work so well is that in today's economy even the techno-phobes are carrying out a vast amount of Internet-based information management transactions. Phishing emails tap into this system to extract vital information from people who aren't as aware as they should be. If we are going to counter the rise in phishing attacks, our consumers need to become far more aware of basic Internet privacy and security rules.
1. Never click on a link in an email supposedly from your bank
Banks (and other financial service providers such as SARS) will never ask you to click an email link to log in to their web site. If an email asks you to log in to your bank account by clicking on a link, it's definitely a phishing attack. So don't click the link!
2. Mouse-over links to reveal the real web address
Holding your mouse over a link in an email will reveal where that link is really going - if you know where to look. Keep your mouse over the link and then look at the bottom left of your email software, where an Internet address will appear. In the case of a phishing attack, the address will be very different to that of the organisation it's supposed to come from.
3. If it seems phishy, it is!
If the email you're receiving is badly written, contains obvious grammar errors, promises a large tax rebate or asks you to log into your online bank account... well, it's suspicious enough to ignore, and consumers should do just that. When it comes to clicking on email links, or, for that matter, following any sort of administration request contained in an email, the default decision from the consumer should be suspicion.
Phishers have had a lot of success by simply imitating the look and feel of big organisations. It's very easy to pull a logo off the Internet and insert it into an email, and consumers seeing the SARS logo or a banking logo in an email clearly put down their guard pretty quickly. At Web Africa our hope is that as education efforts increase, consumers will realise that a polished look and feel in no way means an email is genuine.
It's very unlikely that service providers will ever be able to block all the phishing emails coming through the system. Therefore we need to rely on better consumer education. Paying attention to, and generally promoting awareness of, the big three phishing rules seems to be a pretty good place to start.