Virtual Banking Fraud Surge – Phishing Scams

Online Scams Surge in 2025 as Cybersecurity Becomes Everyone’s Concern

As we pass the midway mark of the year, a new wave of online scams is making it harder for internet users to safeguard their data and finances.

Impersonation scams, especially those pretending to be from SARS, are costing victims thousands of rand as cybercriminals perfect the art of fraudulent communication. 

For individuals, this means greater vigilance, while for businesses and technology resellers, it signals a growing market for solutions that can help protect customers from the latest threats.

Let’s take a look at the most recent scams doing the rounds online, and how you can stay safe.

Virtual banking fraud is surging

According to the National Financial Ombud, South Africa has seen a 73% year-on-year increase in virtual banking fraud. 

  • Criminals are gaining unauthorised access to banking apps, creating virtual cards, and draining accounts before victims even realise what’s happening. 
  • In one case, a consumer lost R500 000 after being tricked into approving fraudulent transactions: a stark reminder that technically authorising a payment, even under false pretences, can leave you without recourse.

Tax season brings fresh opportunities for scammers

Fraudsters are taking full advantage of tax season, sending SMSes, emails, and WhatsApp messages claiming that their victims owe SARS money or are due a refund. 

  • Many of these messages contain links, QR codes, or attachments that lead to phishing sites designed to steal banking or eFiling credentials. 
  • Some use intimidation, threatening so-called penalties or legal action to pressure a quick payment. 
  • Others mimic SARS or a major bank’s branding so closely that even savvy users can be caught off guard.

Cybersecurity is no longer optional

In an environment where scams are growing more convincing, secure cloud storage and advanced cybersecurity tools are becoming essential. 

Platforms with built-in encryption, ransomware protection, and phishing-resistant authentication can stop criminals from accessing sensitive data, even if a scam email slips through the company’s detection system. 

Five practical safeguards to prevent losses due to scams

These tips should form the foundation of any company’s basic cybersecurity awareness strategy, and they work very well for individuals too. 

  • Never click on links or scan QR codes from unsolicited messages
  • Confirm tax or payment requests directly with SARS or your bank
  • Use secure cloud storage with encryption and access controls to safeguard your data
  • Enable multi-factor authentication on all accounts
  • Educate your staff and family members regularly on scam tactics

A growing opportunity for resellers

For cybersecurity and cloud storage resellers, this surge in online fraud is more than just a warning. It’s a growing business opportunity. 

Businesses and individuals are actively seeking tools that protect data, block phishing, and secure remote access, and we’re proud to offer an extensive range of solutions that do just that.

Through Soteria’s affiliate programme, resellers can offer customers solutions such as encrypted cloud storage, secure file sharing, automated backups, and phishing-resistant authentication, all designed to prevent the kind of breaches making headlines. 

By positioning yourself as a trusted partner in data security, you can meet a growing need, build recurring income, and help clients sleep easier at night. 

Alarming Surge of Phishing Scams – Online Security

Phishing Scams on the Increase – with Discovery Bank Raising the Alarm

Phishing scams are nothing new to South African internet users, with this common form of cybercrime first surfacing in the early 2000s. Recently, however, both the sophistication and volume of these attacks have surged, catching out even seasoned tech users.

In this article, we’ll take a closer look at the evolution of phishing scams in our local context, unpack what characterises the latest wave of scam emails, and share a few practical tips for keeping your network secure.

A new generation of phishing scams 

Phishing attacks are evolving from simple deceptive emails to sophisticated, remote-access scams, using platforms like social media ads to trick users into granting fraudsters control of their banking apps.

Every successful act of fraud requires a clever deception, and cybercriminals always seem to have new strategies at hand to fool unsuspecting internet users. Here are some of the latest phishing scams doing the rounds.

Fake travel deals

Discovery Bank warned customers about fraudulent airline ads on social media that promise enticing flight deals. When a user clicks on the link in the ad they’re directed to fake “travel agent” sites prompting them to install a bogus airline app. Once installed, this software grants scammers remote access to the device to intercept banking session activity. 

Remote-access vishing 

Vishing, a term that describes voice-delivered acts of fraud, is also on the rise. The latest variant involves remote-desktop scams, where fraudsters pose as bank fraud reps or travel agents, contacting unsuspecting targets online, setting up calls, and guiding their victims to install software that allows the hackers to control their PCs and approve transactions.

Bank fraud department impersonators

A number of banks have highlighted a sharp increase in vishing attackers sending their victims SMS messages about FICA issues. 

These communications are then followed up with calls, with criminals posing as bank staff and pressuring victims to approve app authorisations and load new beneficiaries on their accounts. 

This is a breeding ground for unauthorised transactions and can cost a fortune in damages before the bank shuts the scam down. 

What’s behind the current trend 

The current uptick in phishing and vishing scams points to 3 weak points in internet users’ vigilance – both on an individual and institutional level – that hackers are only too happy to exploit.

  • Exploitation of human trust. A study by SABRIC in 2024 emphasises that criminals are targeting emotional triggers like urgency and trust, not only tech vulnerabilities.
  • Unexpected vectors. The latest scams use social media, phone, SMS, and fake apps to deliver fraudulent messages, going beyond traditional phishing emails which automatically arouse suspicion.
  • Big payoffs for breaches. By gaining remote access, attackers can control devices live and bypass OTP safeguards before victims have a chance to suspend their banking and other services.

Tips to stay safe online

With the wave of phishing attacks rising rapidly, businesses and their teams will need to be extra vigilant in the face of any unexpected communications. This advice also applies to individuals and families, and provides an opportunity for people of all ages to learn the skills that will help them stay safe online. 

Here are some tactics that will help keep phishing scams at bay. 

  • Book via official sites. Tread carefully when responding to social media promos and verify airline/travel sites directly.
  • Decline remote support. Never install screen-sharing or remote-control apps at someone else’s request.
  • Verify calls and SMSes. Banks won’t ever send you a FICA SMS and call you to approve payments. Always confirm bank communications via official channels.
  • Check URLs. You can use tools like SABRIC’s YIMA to validate website authenticity.

Taking precautionary measures against phishing attacks may help you to prevent a data loss incident, but it’s no guarantee. To be certain that your sensitive data is safe, you’ll need a cutting-edge secure backup solution.

Recover your data in 15 minutes or less 

When you find yourself in the crosshairs of a cyberattack or phishing attempt, mitigation and recovery become your top priorities.

Our Disaster Recovery service, which takes just three clicks to install, will help you restore your critical files and systems and be up and running within fifteen minutes. Click the button below to learn more.

Facebook Business – Phishing

How safe is your Facebook Business account?

Facebook business accounts provide companies with a great way to reach potential customers and stay in touch with their network of followers. But recently this platform has become a major target for cybercriminals.

An onslaught of phishing attempts against Facebook business users has prompted Meta to release a new framework of safety guidelines to prevent further attacks. 

Let’s take a look at the cybersecurity situation around Facebook commercial accounts and what you can do to keep yours safe.

Cybercriminals target Facebook business users

Recently, headlines about compromised Facebook business accounts have been causing concern in the commercial sector, both internationally and in South Africa.

The potential risks involved in a compromised Facebook business account include financial and reputational losses arising from impersonation and takeover attempts. In this scenario, cybercriminals could gain access to your account and use it to defraud your customers.

  • Cybercriminals gain access to your account, change the associated bank account, and request payment from customers which would be channelled into their account and may never be recovered. 
  • In addition, the damage to your company’s reputation in the wake of an incident like this could be massive, with disgruntled and aggrieved customers taking to Facebook itself to spread the news about fraudulent activity carried out in your company’s name.

How to spot the signs of a Facebook Business phishing attempt

Like many cybersecurity breaches, Facebook Business account takeovers begin with innocent-seeming emails and Facebook messages, particularly in the form of business partner requests.

Emails purporting to be from Facebook are another popular method that hackers use to carry out phishing attacks.

According to Meta, it’s essential for users to be on the lookout for email addresses with domains which are almost the same as the official ones used by Facebook but vary in terms of a single letter or word. The following domains are the only official ones used by Facebook:

  • fb.com
  • facebook.com
  • facebookmail.com
  • instagram.com
  • meta.com
  • metamail.com
  • support.facebook.com
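As an added illustration (not part of the original article, and not Meta's own tooling), the check below takes the From: header of a message and classifies its sending domain against the official list above. It flags anything within one character of a listed domain, any domain that merely embeds the brand name as a label (the classic facebook.com.evil.example pattern), and a display name that claims to be Facebook, Meta or Instagram while the address is somewhere else. Treating sub-domains of a listed domain as official is an assumption; the sample addresses and the evil.example host are constructed placeholders.

```python
"""Classify the sender of an e-mail against Meta's published list of official
domains (the list quoted above), flagging look-alikes. Added example; the
sample addresses are constructed and 'evil.example' is a placeholder."""
import re
from email.utils import parseaddr

# The official domains quoted in the article.
OFFICIAL_DOMAINS = {
    "fb.com", "facebook.com", "facebookmail.com", "instagram.com",
    "meta.com", "metamail.com", "support.facebook.com",
}
# Brand words a display name or a foreign domain might borrow.
BRAND_TOKENS = {"facebook", "instagram", "meta"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a host name; crude, but enough for the .com list above."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")

    # Exact listed domain, or a sub-domain of one (assumption: those are Meta's too).
    if domain in OFFICIAL_DOMAINS or registrable(domain) in OFFICIAL_DOMAINS:
        return "official"

    # One character away from a listed domain: facebok.com, fb.co, metamai1.com.
    if any(edit_distance(domain, official) <= 1 for official in OFFICIAL_DOMAINS):
        return "lookalike"

    # Brand name used as a label somewhere in a foreign domain, e.g.
    # facebook.com.evil.example or facebook-support.example.
    labels = set(domain.replace("-", ".").split("."))
    if labels & BRAND_TOKENS:
        return "lookalike"

    # Display name claims the brand while the address is elsewhere.
    if set(re.findall(r"[a-z]+", name.lower())) & BRAND_TOKENS:
        return "lookalike"

    return "unknown"


if __name__ == "__main__":
    for header in ("Meta for Business <no-reply@facebookmail.com>",
                   "Facebook <security@facebok.com>",
                   "help@facebook.com.evil.example",
                   "Facebook Security <alerts@evil.example>",
                   "John <john@mail.example.com>"):
        print(f"{classify_sender(header):9s}  {header}")
```

The order of the checks matters: an exact or sub-domain match is decided before any fuzzy rule runs, so a genuine notification.facebookmail.com address is never mistaken for a look-alike, while the fuzzy rules only ever escalate an unknown domain to "lookalike", never to "official".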

In general, any email or electronic message that asks you to click on a link or enter account details should be treated with a high degree of suspicion. 

This is especially true if the message refers to an account action that Facebook supposedly wants you to take but doesn’t come up as a request on the Facebook app or website itself.

If you find yourself unable to access your account, receive complaints from customers who have received strange messages from your Facebook Business account, or suddenly notice that your account is following strange accounts, it’s highly likely that you’re a victim of phishing. 

It’s essential to report your account as compromised immediately to avoid serious losses. 

Protect your online business with secure cloud storage 

Considering that Facebook business accounts are used to process payments and interact with valuable customers, the last thing you want is for yours to be compromised and used to carry out criminal acts. 

Securing your Facebook business account is an essential step if you’re doing business online today – and it’s just one part of an effective cybersecurity strategy.

Secure cloud storage is an excellent way to keep your confidential files safe in the cloud and out of the wrong hands. To learn more about our range of cloud storage solutions for businesses of all sizes, visit our product page today.

LinkedIn Phishing Scam | Malware

New LinkedIn Phishing scam

Receiving a LinkedIn message from a recruiter offering you the job of a lifetime may sound like a dream, but for victims of the new Ducktail malware, it can quickly turn into a nightmare.

Cybercriminals are ramping up their impersonation game, posing as HR talent scouts on LinkedIn to trick professionals into downloading dangerous software. To avoid losing control of your valuable data, you’ll need to be on the lookout for this new scam.

Are you dealing with a recruiter or a cybercriminal?

LinkedIn has become the go-to social network for professionals around the world, with 9 million registered profiles in South Africa. Naturally, recruiters have been keen to use this platform to reach out to suitable job candidates – and some of their overseas offerings can be very attractive.

Receiving a message asking you to consider a lucrative job offer is always exciting. Unfortunately, online bad actors are jumping on the opportunity to defraud and steal data from prospective jobseekers.

A new scam on LinkedIn has seen professionals in several countries in Africa and the Middle East targeted by fake recruiters, losing control of their Facebook business accounts in the process.

  • The first step in the scam is always a LinkedIn message from someone posing as an HR specialist. The contents of the message will usually refer to a great job opportunity – most recently with a fashion brand in a desirable international city.
  • Once a job candidate shows interest by replying to the phishing message, the cybercriminal will usually reply and include a link which looks like it leads to an online application form. In reality, clicking on this link will download the Ducktail malware onto their device.

Victims of Ducktail soon discover that their Facebook business accounts have been hijacked, with customer data including credit card and banking details being prime targets.

Always verify before you share your details

If you receive a recruiting message on a platform like LinkedIn, it’s essential to make sure that the person who sent it is legitimate.

  • Cross-checking the recruiter’s identity on their company website is one way of verifying their identity.
  • For local recruiters, calling them on the number provided on the website – and not the number in the email – is a sure way to find out whether you are speaking to the genuine person or an imposter.

Malware, ransomware, and other types of cybercrime are a major risk for every business and professional.

Keep your data safe with our range of secure cloud storage packages. It’s your virtual insurance policy against cybercriminals.

 

Combat overconfidence | Phishing Simulations

Protecting your business from phishing is non-negotiable in 2022

One of the best ways to check whether your organisation is prepared for an attack is by simulating one, and like every emergency drill it’s essential that your phishing simulations are realistic and truly test your organisation’s readiness.

In this article we take a look at the components of an effective phishing simulation. Here’s how you can stress test your cybersecurity system and prevent your team from having a false sense of security.

this is not a drill: the importance of a realistic phishing simulation

Picture this: your most honest, well-meaning employee receives an email from a manager in your business – it could even be you – asking them to update details or respond to an urgent matter.

About half-way through the email, there’s a link, along with a request for them to click on it. Even though they’ve never been asked to do this before, there’s no sense questioning the manager in an urgent situation – or is there?

Just like that, a potential phishing attack could’ve taken place.

  • Sophisticated phishing scams coupled with hacking attempts that give cybercriminals control of your company’s email service could easily create a scenario just like this one.
  • When you create a phishing simulation, you’ll want to make it seem as legitimate as possible while including a few giveaways that your staff should be on alert for.

what to include in a phishing simulation

Here are a few signs that an email contains a phishing attempt. By including these in your cybersecurity drill, you’ll be able to put your team to the test realistically.

  • Unusual subject line or request for urgent action. An email that seems to be from a colleague or manager but contains instructions that are not typical of that person’s usual behaviour should be treated as highly suspicious.
  • Requests to click on links. Internal emails in your company might ask employees to click on Google Drive or other workplace management links, but any external link should immediately arouse suspicion.

Encourage workers to read the link before clicking on it and to always check the full address of the sender. Confirming any out-of-the-ordinary requests of this kind with the sender might take up some valuable time, but it can save your organisation greatly in the event of a real phishing attack.
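To show what "read the link" and "check the full address of the sender" look like as a mechanical check, here is an added example (not code from the original article) that scans a simulation e-mail for the giveaways listed above: urgent wording in the subject, a colleague's display name on an outside address, links that leave the company domain, and links whose visible text differs from where they really point. Everything in it is constructed for the example: the company domain example.co.za, the sender name, the example-payroll.com and login-portal.net hosts, and both messages.

```python
"""Flag the phishing giveaways a simulation e-mail should carry: urgent wording,
a colleague's name on an outside address, links that leave the company domain,
and links whose visible text differs from their real target. Added example;
example.co.za, the sender and the other hosts are constructed placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.co.za"   # assumption: the organisation's own mail domain
URGENCY_WORDS = {"urgent", "immediately", "asap", "today", "overdue", "suspended"}

# Constructed: the kind of 'manager' mail a simulation might send.
SIMULATED_EMAIL = """\
From: Thandi Nkosi <thandi.nkosi@example-payroll.com>
To: staff@example.co.za
Subject: URGENT: update your banking details today
Content-Type: text/html

<p>Hi team, please update your details at
<a href="http://example.co.za.login-portal.net/update">https://hr.example.co.za</a> before noon.</p>
<p>Policy doc: <a href="https://drive.google.com/file/d/abc">Drive link</a></p>
"""

# Constructed: a routine internal mail that should raise nothing.
BENIGN_EMAIL = """\
From: Thandi Nkosi <thandi.nkosi@example.co.za>
To: staff@example.co.za
Subject: Minutes from Monday's meeting
Content-Type: text/html

<p>Minutes are on the intranet:
<a href="https://intranet.example.co.za/minutes">https://intranet.example.co.za/minutes</a></p>
"""


def is_internal(host: str) -> bool:
    """True when host is the company domain or one of its sub-domains."""
    host = host.lower()
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def extract_links(html: str):
    """Yield (href, visible text) for each anchor; a small regex is enough for
    mail we wrote ourselves."""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        yield href, re.sub(r"<[^>]+>", "", text).strip()


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Unusual urgency in the subject line.
    words = set(re.findall(r"[a-z]+", msg.get("Subject", "").lower()))
    if words & URGENCY_WORDS:
        findings.append("urgency: subject presses for immediate action")

    # 2. A familiar display name attached to an outside address.
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[1] if "@" in addr else ""
    if name and not is_internal(sender_host):
        findings.append(f"sender: '{name}' writes from outside address {addr}")

    # 3. Links: external targets, and visible text that lies about the target.
    for href, text in extract_links(msg.get_payload()):
        real_host = (urlparse(href).hostname or "").lower()
        if not is_internal(real_host):
            findings.append(f"external link: {href}")
        if text.lower().startswith(("http://", "https://")):
            shown_host = (urlparse(text).hostname or "").lower()
            if shown_host != real_host:
                findings.append(f"mismatched link: text shows {shown_host} but target is {real_host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SIMULATED_EMAIL):
        print("-", finding)
    print("benign mail findings:", phishing_indicators(BENIGN_EMAIL))
```

Note that the simulated mail trips every rule, including the one for the Google Drive link: the article's advice is that any link outside the company's own domain deserves a second look, so the checker reports it rather than guessing which outside services are trusted. The same findings list can double as the debrief sheet for staff after the drill, since each line names the clue they were expected to spot.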

keeping it believable

A simulated phishing email that seems ridiculous or reads like a clichéd Nigerian prince scam is likely to be deleted or ignored by the recipient.

On the other hand, sophisticated phishing tactics usually rely on something believable.

  • To strike a balance between believability and suspiciousness, make sure your email is worded in a tone similar to your normal business correspondence.
  • Be sure to include a request for unusual action or embed a suspicious link to test your team’s cybersecurity awareness.

keeping your data safe with secure cloud storage

With phishing attacks and other cybercrimes increasing by the day, every business in South Africa needs secure data storage.

Our range of cloud storage solutions could be an integral component in your cybersecurity strategy.

Your Guide to the Best Email Security Practices

Every time you send and receive an email, you’re taking a risk. There’s ransomware, phishing, viruses, and compliance violations to be wary of. From CEOs of big corporations to secretaries who manage client emails all day every day, everyone needs to be aware of the best email security practices to follow, to ensure that their emailing behaviour doesn’t become the very thing that brings the company to its knees.

To take the guesswork out of the process of drawing up an email security strategy, we’ve included some tips and advice for the correct and most effective security practices for your business. Before we investigate these practices, let’s learn more about the risks involved in using email.

the common threats

Regardless of its size, every company must have a cybersecurity strategy in place, and email security forms part of that.

Many people believe that as they aren’t sending or receiving particularly sensitive information, it doesn’t matter whose hands their email falls into. However, this is a risky mindset, as hackers aren’t only interested in your email content. They want access to an even bigger network, and the front door for them is through your email. Once a hacker has access to your emails, the online world (your online world) is their proverbial oyster.

Cyber hacks and attacks are ever-changing. Over the years, they have progressed from simple phishing links to complex social engineering tactics, and email security should form a critical part of your overall cybersecurity.

what to be aware of

Knowing what to watch out for is important. Here’s what to keep an eye out for.

  • phishing

These are emails that request money and sensitive information from a user. Spear phishing is when ‘someone else’ impersonates ‘someone you trust’ to get information out of you. You might receive an email stating, “Your online banking profile number and PIN is going to expire in three days. Click on this link to register your new profile and PIN.” Everything might look legitimate, but it’s not!

  • social engineering

Ever received an email or a pop up that says, “OMG, it looks like you in the video!” – well, that’s social engineering at play. This is when cybercriminals rely on you to click on a malicious link or attachment.

  • business email compromise

This is a form of spear phishing where a cybercriminal impersonates the CEO of a company or a manager. This type of scam relies on employees sharing sensitive information, which can be used to steal business data and even money.

  • spam

You know those emails that say, “You’ve just won a R1 000 Woolworths voucher!”? Well, this is known as spam, and most often we fob it off as an annoyance when we click on it and it takes us seemingly nowhere. What you’re not expecting is that a bot, instructed by the cybercriminal, sent you that link, and when you clicked on it, spyware, malware or even ransomware was installed on your computer.

  • malware

Malicious software, called “malware,” often presents in the form of a Trojan, ransomware or some other program that attacks your computer system. In most instances, the files on the computer are encrypted, and you are requested to pay a ransom to get the key to unlock the encrypted files. Some types of malware can get access to your computer camera or your entire device, which means they see what you see and do! Obviously, that’s a big risk.

  • botnet and ddos

Large-scale spam and phishing campaigns are often managed by botnets, which are groups of devices that are under the control of a cybercriminal. Often, these devices are used to overload a system or network in the hope of making it crash. This type of attack can cause absolute mayhem.

tips to the best email security practices

Email security is all about building as many walls as possible between your data and the cybercriminal. Cybersecurity should be no different to physical security, with multiple barriers making entry virtually impossible.

  • Educate employees on best email security practices, such as never clicking on unexpected attachments and links.
    • Put rules and guidelines in place for all work email security.
    • Make sure that your employees understand what kind of sensitive data they are likely to be handling.
  • Encrypt sensitive email attachments through a secure hosting service.
  • Activate two-factor authentication – this will tighten up access points from end to end, which includes email.
  • Add legal disclaimers to your emails so recipients are aware they cannot send that email on to anyone.
  • Regularly change email passwords (and ensure they are strong passwords).
  • Do regular encrypted data backups, just in case you ever fall victim to malware.
  • Update your operating system to avoid software vulnerabilities, which are often corrected with updates.

How do you ensure that your company uses email safely? Share your tips and advice with us today!

Your A-Z List of Cybersecurity Threats

In today’s modern world of IT, and the pace at which it develops, you could be forgiven for thinking that you are forced to face a new cybersecurity risk or threat almost daily. Sadly, this isn’t far from the reality.

Cybercriminals are developing new cyber strategies just as quickly as (or even quicker than) the pros are shutting them down. A consequence of these relentless cyberattacks is the need to ensure that you’re always fully aware of new and developing cybersecurity threat types.

Here’s a brief list of the most common cybersecurity threat types to be aware of this year.

  • apts – advanced persistent threats

This is a very sneaky type of attack, whereby the cybercriminal quietly infiltrates the network and remains there, undetected, for an extended period while slowly syphoning data from the network.

  • ddos – distributed denial of service

This type of attack involves hackers flooding a server, website or similar with a multitude of connection requests, packets, and messages. The outcome is a very slow system or a crashed system that legitimate traffic is unable to access.

  • insider threats

The term “insider threats” implies that the threat or risk is malicious, but this type of threat can also be through unintentional human error and negligence. These threats are human-caused data losses and breaches that typically come from customers, employees, and contractors.

  • malware

Malware is malicious software that is either purposefully or inadvertently (by clicking on an email link or attachment or visiting a risky site) downloaded to a computer. Once the malware is on the computer in the form of spyware, a Trojan, a virus, or worm, it starts to cause harm to the computer and the files saved on it.

  • mitm – man in the middle attacks

An MitM is a type of attack that involves eavesdropping. A hacker intercepts messages between two parties and relays them to a third party so that the information can be used for malicious intent.

  • phishing attacks

Even though phishing attacks are one of the most prominent ways of hackers getting inside computers and networks, many people still don’t really understand that phishing is a form of social engineering. Hackers create messages (emails, content) that appear to be from a legitimate source and send them out to people. When the recipient opens the message or email, they assume it is legitimate and follow the instructions in the message. This can lead to them inadvertently sharing their personal particulars, login details, and even credit card details with a cybercriminal.

  • ransomware

Ransomware is a type of malware that is particularly malicious and damaging. When a hacker manages to get ransomware on a device (usually through an email link or visiting a risky website), they lock the user out of their own files by encrypting them. When the user tries to access the files, a message pops up demanding a payment to decrypt the files on the device.

  • spear phishing

Phishing attacks are usually random, whereas spear phishing attacks target a specific person, business, or organisation. This type of attack is very strategic and requires advanced skills from the attackers. They aren’t just taking a chance on anyone – they’re after something specific.

  • social engineering

Social engineering takes advantage of human gullibility and error. This type of attack uses human interaction to lure people into breaking regular security processes to gain access to sensitive data. An example of social engineering is when someone phones you and says they are from the bank. They have some of your information but require you to answer a few security questions before they can proceed with the very official sounding call. You proceed to give them your full physical address, ID number, and banking details. You may even give them your card details if they request it. This is just one example of social engineering.

the importance of knowing what risks are out there

The value of the list above lies in the fact that you can only create a cybersecurity system and protocol for your business if you know what you are protecting it from. Threats are changing consistently, and as such, you will need to change, update, and enhance your security protocols consistently.

last word on cybersecurity threats

Protecting your data and devices is so much more than simply avoiding the hassle of encrypted files and crashing computers. It’s about protecting your clients, defending your company’s good image, and avoiding the risk of paying legal fees if you happen to mishandle someone else’s sensitive data. Familiarise yourself with the threats out there and get to work sprucing up your cybersecurity system today.

Do you know of any cybersecurity threats that don’t appear on our list? Let us know!

Operation Falcon Cracks Major Phishing Ring – How Phishers Phish

A year-long investigation dubbed Operation Falcon, jointly run by INTERPOL and Group-IB working closely with the Nigeria Police Force, was tasked with identifying and locating cybercrime threats. The task force spent a considerable amount of time trying to deactivate a massive phishing ring that has targeted over 50 000 victims in a major global scam. The scam unleashed a whopping 26 different types of malware, wreaking havoc and bringing people and corporations to their knees.

The ‘ring’ includes a group of Nigerian nationals who have been working hard to infiltrate the systems of individuals and organisations. They would then launch scams to siphon funds out of the victims’ accounts.

Among the victims were private-sector companies as well as government departments in over 150 countries. The group, which is aptly being called a “gang”, has been operating this phishing scam since as early as 2017.

how phishers phish

Much was learned from observing and monitoring this latest phishing bust as to exactly how cybercriminals go about the process. Phishing isn’t a new concept, but many people still don’t understand how they end up falling for a phishing scam.

The reality is that phishing scams have become far more professionally managed in recent years.

The key to dealing with phishing scams is in understanding how they work.

First and foremost, these gangs don’t simply attempt to impersonate a company executive or a person that someone within the company will trust…they fully immerse themselves into the process. They learn everything they can about the company’s communication styles, the vendors they use, the billing system practices that they follow and a great deal of other information that you would only expect a trusted individual to know.

And then they use that information to make a very believable impersonation. Everything about the communication a targeted victim receives seems legitimate and that’s why they fall for it. They end up providing sensitive information or clicking on a malicious link or attachment without ever questioning the authenticity of the mail.

don’t get caught out by a phishing scam

Be alert, always. It’s all too easy to accept a mail from a manager or colleague and click on the links provided or share sensitive information because you “know” them. Keep in mind that sensitive information should never be shared online and unless you are expecting a specific document or information from someone, never trust a link or attachment without first verifying the sender.

With the New Year approaching, now is the time to take a look at your current security measures to see where you can improve on them. Be alert and aware – phishing scams are undoubtedly on the rise.

A ‘Security Incident’ or hack attack? What the Twit, Twitter!

Already facing a potential Federal Trade Commission fine of $250 million after admitting to improper usage of users’ personal information in 2019, Twitter is in privacy hell! Whether or not you are an avid Twitter user, you will probably have heard that the company also suffered a recent hack attack which they classified as a security incident. According to inside reports, the attack included some high profile users such as Bill Gates and Elon Musk. What the twit, right!

Okay, hold on, let’s start at the beginning. What happened?

On the 15th of July 2020, a social attack was engineered and carried out on Twitter. According to the company, 130 Twitter accounts were attacked. The hackers used 45 of those accounts to spread Tweet posts and gained access to the inboxes of 36 others. Data was downloaded by the attackers from 7 accounts successfully.

More About the Attack

So how did the hackers ever gain access to the accounts of 130 unsuspecting users in the first place? The answer is actually rather ambiguous, as it’s both simple and complex at the same time.

Twitter has gone to great lengths to investigate what they initially referred to as “a security incident” and have found that it is the result of a small group of their employees being targeted through a phone spear-phishing attack.

What is a phone spear-phishing attack?

Quite simply, fraudsters send emails that appear to come from a known or trusted sender in order to get the target to reveal confidential information. This method works more often than not, as the target believes they are talking to their trusted contact when, in fact, they are not.

To pull this off, the attackers needed credentials that would get them into Twitter’s internal systems, where they could learn how the account support tools and processes worked. To some degree, they succeeded.

The hack required a two-step approach, however, because not all of the employees first targeted had the permissions the attackers needed. They used those first credentials to study the internal processes, then targeted additional employees who did have access to the account support tools. With that access they were able to target 130 Twitter accounts: tweeting from 45, downloading the Twitter data of 7 and reading the direct message inboxes of 36.

What is the Risk to You?

For most of the 130 targeted accounts, the attackers did not get beyond what Twitter’s internal support tools display; the 7 accounts whose data was downloaded are the exception. Twitter confirmed the following:

  • For the 130 targeted accounts, the attackers could see the email address and phone number shown in the internal support tools.
  • Twitter found no evidence that the attackers accessed account passwords.
  • The company is still investigating how much additional information the attackers gained from the accounts they were able to take over.

The investigation is still underway and Twitter says it will do everything it can to ensure that a similar attack doesn’t happen in the future.

Steps You Can Take

Just to be safe, change your Twitter password, switch on two-factor authentication, and take the time to go through your profile for any unusual activity. Never click on email links or attachments on sight, even if they seem to come from a trusted source: check with the source first, through a channel other than the email itself, as to whether they messaged you and why.

At Soteria Cloud, we have a tendency to repeat ourselves, with good reason. We can’t tell you often enough how important it is to use a strong, unique password for every account, to change any password you suspect has been exposed, and to store sensitive information in an encrypted format in the cloud.

If the Twitter hack gave you a bit of a scare (or wakeup call), perhaps now is the time to start looking into ramping up your cloud backups and device security.

Hackers don’t break in; they log in

When we think of hackers, we tend to visualise clever online criminals who use sophisticated software to decode or crack passwords and gain access to accounts. In most instances this just isn’t the case, as many people unwittingly hand their password over to a hacker without even realising it.

Cybersecurity officials are faced with the same reality: passwords are being stolen and advanced hacking tools are not always needed.

How it happens

So, how does a hacker get hold of an employee’s username and password? We take a look at the most common methods below:

  • Phishing emails

One of the most common ways for a hacker to get a password without any technical wizardry is simply to ask for it. Yep, it sounds awfully easy, but for an experienced hacker it really is as simple as that.

Phishing is the most widely used form of password acquisition. It requires no software; instead the hacker pretends to be someone trustworthy or in an official position, makes contact by email or telephone, and tells a very convincing story.

The email signature may include the company’s correct telephone numbers and website address, tempting people into trusting the communication.

During a one-on-one conversation about the specific account, the “official” (who is actually an opportunistic hacker) will request bits and pieces of information from you such as your username, your card number, your account number, your ID number and so on.

At some point in the communication, you may receive a link to a website where you are required to input your user name and password. Of course, the hacker now has the user name and password and can then use the employee’s account to send out seemingly trustworthy communications, authorise transactions, and carry out various functions on business systems while flying under the radar.

  • Typosquatting

Typosquatting is a form of phishing that was “big” a few years ago. It fell away for quite some time, but trends show that cybercriminals are revisiting it.

The cybercriminal does not need to touch the company’s real domain. Instead they register web addresses that differ from it by a typo or a look-alike character (an l for an i, a 1 for an l, rn in place of m, .co instead of .com) and stand up a copy of the official site there. If you are attentive to detail you might notice the misspelling in the address before you click on it. If you don’t, the site you land on will look almost identical to the official one, and the login page it presents will deliver your username and password straight to the hacker. A related trick is to bury the genuine name inside a longer address, for example a trusted domain name used as a subdomain of one the attacker owns, which reads as legitimate at a glance.

  • Spear Phishing

Spear phishing is phishing aimed at a specific person or small group rather than a mass mailing. The hacker researches the target beforehand and tailors the message to them, often building a convincing persona to send it from: a fake social media profile or blog in that persona’s name, padded with mutual friends and plausible posts so that it looks trustworthy and reliable.

That groundwork gives the persona credibility, which makes it far easier for the criminal to open a conversation with the victim and deceive them into sharing personal information.

The Reality

The reality is that sophisticated hackers don’t actually need sophisticated software to get your user name and password. Most often, they rely on clever trickery to get you to unwittingly hand over your password.

In essence, a hacker merely needs to have basic web design skills (to create website log in pages), social media skills (to create credible SM pages), and an educated and well-spoken approach to communicating either online or telephonically.

What Can You Do?

Regular backups to a cloud service that encrypts your data mean that a hacked, locked or wiped device does not cost you your information, while the encryption keeps that information unreadable to anyone who gets hold of a copy. You should also be wary of:

  • Any email asking you to change your username and password by clicking on a link. Close the email, look up the company’s official contact details (do not use the details listed in the email) and enquire directly about the legitimacy of the message.
  • Links and attachments in emails, even when the source seems legitimate. Unsolicited emails might not raise a red flag in your mind, but they should.
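The typosquatting description and the “check the link before you click” advice above can be partly automated. Below is an added example, not Soteria Cloud’s own code, that pulls every link out of an HTML email body and flags the two tricks described in this article: visible link text that points somewhere other than where it says, and a domain that is a homoglyph or one-or-two-typo lookalike of a domain you trust. The trusted-domain list, the edit-distance threshold and the sample SARS-refund email are all constructed for illustration.

```python
"""Link triage for a suspected phishing email (added example, not Soteria Cloud's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the domains this organisation actually uses.
TRUSTED_DOMAINS = {"example-bank.co.za", "example.com", "sars.gov.za"}

# Digits attackers commonly swap for visually similar letters.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical(host: str) -> str:
    """Lower-case a hostname and drop a leading www."""
    h = host.lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def fold(host: str) -> str:
    """Fold look-alike characters so examp1e.com and exarnple.com compare equal to example.com."""
    return canonical(host).translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a distance of 1 or 2 between domains usually means a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    h = canonical(host)
    for t in TRUSTED_DOMAINS:
        if h == t or h.endswith("." + t):
            return "trusted"            # the real domain or a genuine subdomain of it
    fh = fold(h)
    for t in TRUSTED_DOMAINS:
        if fh == fold(t) or levenshtein(fh, fold(t)) <= 2:
            return "lookalike"          # homoglyph swap or one or two typos away
        if t in h:
            return "lookalike"          # trusted name buried inside a foreign domain
    return "unknown"


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain-looking string inside the visible link text, with or without a scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def audit_links(html: str) -> list:
    """Return one finding per link: host, classification and every reason it was flagged."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not-https")
        verdict = classify_host(host)
        if verdict != "trusted":
            reasons.append(f"{verdict}-domain")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and canonical(shown.group(1)) != canonical(host):
            reasons.append("text-target-mismatch")   # the link does not go where it says
        findings.append({"href": href, "host": host, "verdict": verdict, "reasons": reasons})
    return findings


# Constructed sample: a SARS-refund lure mixed with a legitimate link.
SAMPLE_EMAIL = """
<p>Dear taxpayer, your eFiling refund of R3 450 is ready.</p>
<p><a href="http://sars-gov-za.refund-portal.example.net/login">https://www.sars.gov.za/efiling</a></p>
<p><a href="https://examp1e-bank.co.za/verify">Confirm your card details</a></p>
<p><a href="https://exampel.com/reset">Reset your password</a></p>
<p><a href="https://secure.example.com/account">Your account</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['host']:45} {', '.join(f['reasons'])}")
```

Run it as a script to see each link in the sample graded. The edit-distance threshold of 2 is a judgement call: it catches exampel.com against example.com, but it will also flag short legitimate domains that happen to sit close to a trusted one, so treat a “lookalike” result as a prompt to verify through the company’s published contact details rather than as proof of fraud.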

Ensure that:

  • You have up to date anti-virus software and firewalls in place to flag suspicious behaviour on the device.
  • You update your software and systems regularly so that known bugs and vulnerabilities are patched before they can be exploited.

Take responsibility for the safety of your data and take action

Educate your staff members on the risks of cyberattacks, phishing and hackers, and maintain an alert and aware approach at all times.

Need more advice and solutions to data safety concerns? Contact Soteria Cloud today.