By James Browning
The last year has seen continuing incidents of data leaks and ransom attacks and increased reporting of scamming attempts.
This includes two reports in the last month of data leaks from local online platform Averly and pharmacy chain Dis-Chem.
While these leaks may not reveal much individually, bad actors can buy and collect personal information from all kinds of sources such as illicit data leaks and legal data brokers who know pretty much everything you do online.
This leaves us vulnerable to scammers and spear-phishers, who use this information to convince you they are trustworthy or legitimate entities.
They try to get you to do something or share details which give them access – the target is often your bank account.
This comes on top of the mountains of general spam and phishing attempts people have to wade through in the digital world.
The generic press release after a data leak urges people to be safe and gives advice like the following:
Not clicking on suspicious links;
Not sharing passwords or PINs via text, email, or phone call;
Changing passwords often;
Having regular anti-virus and malware scans on their devices; and
Providing personal information only when there is a legitimate reason.
While these are all correct and do cover most cases, they are quite general and leave people unsure when there is a “legitimate reason” to share information, or when a link is “suspicious”.
Step 1: Relax
Many social engineering strategies will make you feel like there’s a deadline, a time limit, or a need to respond urgently. Our high-paced digital lives will also contribute to this feeling, but I urge you to brush that off.
There is practically no issue you could have with a service that needs to be fixed right here and right now, even suspected bank fraud.
Scammers will try to fluster you and make it seem like they need to get something done this second, but genuine consultants will never be so pushy, especially not bank staff.
We’ve become used to near-instant money transfers, which may make us inclined to panic, thinking of our bank accounts being drained in a minute.
Yet, despite the sense of immediacy that we get as customers, the actual banking system is far more sluggish. And slow financial logistics aside, if you are being called about fraud, the transaction has already been flagged and paused. Take a breath.
We can fool ourselves into giving away information because we’re trying to be helpful, or because we feel pressured. But the reality is that there are no negative consequences to just hanging up the phone, or not replying to the email.
As an example, my grandmother recently got an email, supposedly from her email service provider, asking to follow up about her request to cancel her account. She had made no such request, unsurprisingly. But in this case there’s simply no reason to reply, click, or engage at all.
As someone who has had to call their ISP over 10 times to try and cancel their subscription, I can tell you with confidence that pretty much no business anywhere is going to stop taking your money just because you didn’t respond to their email.
If you are seriously concerned, always just hang up the call and phone the company or service yourself.
Step 2: Remember: nobody needs your password or your personal information
Your bank will absolutely never need your password. In fact, no business anywhere will ever need your password.
Passwords, PINs and security codes exist for you to identify yourself to a system before doing things on it.
The business itself simply doesn’t need your password for permission; it already has access to the whole system.
Unless it’s a bank, chances are the head IT guy at the company has the permissions to do pretty much anything to your account. The idea that they would need your password to do something on their own system is absurd when it’s spelled out.
And even systems that need sophisticated security (like a bank) would never try to identify you over the phone or email by getting you to tell them your password, PIN, or other personal details.
Firstly, they are calling you. The pressure is not on you to identify yourself, it is on the person contacting you. The bank has an absurd amount of information on you, and they are claiming to be calling you using the number on their system.
They would never ask you to provide sensitive information to try to verify that they themselves haven’t called the wrong person.
Almost every large service that needs a serious level of security uses two-factor authentication, where you use a different account or device linked to your account to prove that it’s you.
With banks, many of us will be used to having to confirm transactions on our phones using a banking app. Any legitimate service will use a method like this, which doesn’t involve you giving them any information about you.
I’ll also point out that banks such as Absa have already begun collecting biometric data (fingerprints, face scans) from their customers. Trust me, they don’t need to call you on the phone to ask for your ID number.
On that note, almost nobody needs your ID number. Here’s looking at you, people in stores walking around offering promotions and asking for my ID to “check if I’m eligible”.
I don’t care if it will only be used “on the local system” and “according to the POPI Act”. You simply don’t need that information – what could you possibly be checking with my ID? And why do you have an ID number database? Sorry Other Big Store, but your specials don’t need to verify my government existence.
Step 3: Learn to spot suspicious links as crooks get more sophisticated
It’s pretty difficult to judge the safety of a link from the link text alone, especially with the widespread use of link-shortening services like Bitly or Linkin.bio. But there are good clues and best practices which everyone should keep in mind.
A link sent to you by an unknown number/contact never needs to be opened. A link sent by a contact with no context (or a message that would be strange for that person) can always wait until you’ve messaged them back and asked about it.
Almost everyone who uses a phone will be familiar with getting a message, or seeing a social media status, from someone they know whose account was hacked and used to send spam to all their contacts. Always be patient and suspicious.
Be wary even of work-related emails. The most effective phishing techniques gain access to one account and use it to send legitimate-looking emails. For example, many cyber fraud cases work by intercepting email communication and getting staff to pay legitimate expenses into fraudulent bank accounts.
Many of the dangers of links come from being fooled into thinking a visually identical or similar fraudulent website is the real deal, where your information is stolen as you try to log in or use sensitive details.
Always use the official app for a service where possible. Otherwise, always navigate to the official site using a search engine like Google and log in there, rather than following a link.
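As an added example (not part of the article), here is a small Python helper that applies the checks above to a single link: it compares the site the link text appears to name with where the address really goes, flags known shorteners, the “@” trick and lookalike (non-ASCII or punycode) hostnames, and reports when a brand name appears only as a subdomain of some other site. The domain names in the comments, the shortener entries beyond Bitly and Linkin.bio, and the simplified domain-suffix rule are assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed list; Bitly and Linkin.bio are the shorteners the article names.
SHORTENER_HOSTS = {"bit.ly", "linkin.bio", "tinyurl.com", "t.co"}
# Link text that itself looks like a web address (e.g. "bank.example/login").
URL_LIKE = re.compile(r"(https?://)?[^\s/@]+\.[A-Za-z]{2,}(/\S*)?")


def registrable_domain(host):
    """Crude 'brand.tld' extraction: the last two labels, or the last three for
    .co.za-style second-level registrations. Assumption: good enough for this
    demo; a public-suffix list is the proper tool in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(display_text, href, expected_domain):
    """Return a list of warnings for a link, or [] if nothing looks off.
    display_text: what the reader sees; href: where the link really goes;
    expected_domain: the registrable domain the reader believes they are visiting."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append(f"not https (scheme is {parts.scheme!r})")
    if parts.username is not None:
        # 'https://bank.example@evil.example/': the browser ignores everything before '@'
        warnings.append(f"'@' trick: text before '@' is ignored, real host is {host}")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        warnings.append(f"non-ASCII/punycode host {host!r}: lookalike letters possible")
    if host in SHORTENER_HOSTS:
        warnings.append(f"shortener {host}: destination hidden until opened")
    actual = registrable_domain(host) if host else ""
    if actual and actual != expected_domain:
        if expected_domain.split(".")[0] in host:
            warnings.append(f"host {host} contains the brand name but belongs to {actual}")
        else:
            warnings.append(f"destination {actual} is not {expected_domain}")
    # Link text that names one site while the underlying address goes elsewhere
    shown = display_text.strip()
    if URL_LIKE.fullmatch(shown):
        shown_host = urlsplit(shown if "://" in shown else "https://" + shown).hostname or ""
        if registrable_domain(shown_host) != actual:
            warnings.append(f"link text shows {shown_host} but destination is {host}")
    return warnings
```

The same checks are what a mail client or browser address bar lets you do by hand: hover or long-press a link, read the real hostname, and compare it with the site you meant to visit.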