Phishers and fishers have much in common

By Martin Welz*

Ever wondered why a certain type of Internet fraud is called phishing? When you think about it, the answer is obvious: phishing is another version of fishing. The fraudster throws you a line via email with a juicy bit of bait to lure you to take a bite, or even just a nibble. Before you know it you are hooked and, like any professional fisherman/phisherman, he’ll play you carefully, drawing you in until he’s got you in his bag.

Ignore for the moment those crude “Nigerian” fraudsters who offer you a handsome cut of the spoils if you assist them in “landing” the several million dollars they have an opportunity to steal from some government/bank/international agency. That’s simply one crook seeking to rip off another, more gullible crook.

The phishing that interests me is aimed at hooking innocent fish. There are millions of fish in the sea, but you only need to catch one or two for dinner each day. Ditto on the vast ocean that is the Internet.

As in fishing, a phisher too has to be patient and constantly have his line out. Most fish won’t bite. Some will nibble and still manage to get away. If he doesn’t catch anything today, he’ll try again tomorrow, perhaps with a different kind of bait.

The best phishers are masters of psychology.

Here’s a good example: an unsolicited email from one Gabor Ilona who, judging by the @hnm.hu email origin, is based in Hungary, a jurisdiction you and the SA Police are unlikely to reach.

Next the eye-catching subject line: Microsoft, the most widely known generic trade name after Apple and Google.

Who doesn’t have Microsoft software installed on their computer? The phisher has cleverly contrived to spread his net extremely widely.

Next he must chase/herd his prey into the net: In this case it is by creating panic: “Dear User, Your Microsoft account is being compromised and new messages will be blocked.”

Note it’s a threat from behind and a threat up ahead: you are cornered.

But just as you sense you are trapped, an instant solution or escape route is offered: “Please confirm your account and location to indicate that it is still in use.” Followed by an ever so convenient, instant click-through button labeled

Confirm Now.

And, just in case you are starting to have last-minute doubts about all of this, a final kicker: a threat of punishment if you don’t obey:

“Note: In 24 hours, all Inactive Microsoft accounts will be deactivated.”

Horrors. You rush to click and supply your account details and location.

Signed off by “Microsoft © 2021”; it’s all from a brand you can trust …

The crypto fraudster is halfway there. Expect a follow-up shortly.

Another favourite is an email disguised as coming … panic! … from SARS! But then, on closer inspection, what a relief it is to discover that it is heralding a generous tax refund that you were expecting or had clearly forgotten about. It’s never a round-figure amount: always an odd amount in rands and some cents, to make it look more authentic. All it needs to have this windfall flow into your bank account is for you to verify your name, ID number, address and bank account details …

You can guess where that was headed.

The crypto scamster’s next most favoured guise is to impersonate your bank. Here the most obvious give-away clue is when the phisher has taken his chances posing as a bank that is, in fact, not yours. But he is prepared to take his chances that at least a quarter of the addresses that receive his email will be customers of the one he has chosen today. Give it a few weeks, and he will do another, similar campaign, using one of the other banks’ mastheads, contact details and terminology.

The subject line often reads “Notification of payment” or “Payment confirmation”. Who wouldn’t be thrilled to receive an unexpected payment from whomever? So you open it and look. This one purported to be from Capitec Bank, which happens not to be my bank. The email read: “find and download the Capitec Bank proof of payment below:” Below was an active click-through to an elaborate URL containing the words capitecbank, com-file, and Proofofpayment.cab/file. All very persuasive, so you click … and the phisher gets his first nibble. If you did not rush at it like that, your eye would have progressed down the email to the invitation: “visit 222.capitec.co.za” and “call 011-876 4563”. You found all that so reassuring – a fraudster wouldn’t invite you to check up with the bank! – so you didn’t bother, you simply proceeded to click on the URL you’d been just a little suspicious of before … and the phisher smiled at having got a nibble after all!

If you had bothered to dial the telephone number, you would have found it’s a dead line.

Two weeks later, another “Payment notification” email from [email protected]. (Perhaps you didn’t register that it’s a no-reply address – there’s no point in your addressing a reply to it.) This one informed me that SARS had returned a payment to my account, and please to click here to find details.

The email then reminded me that Capitec Bank is an authorised financial services provider (FSP46669) and registered credit provider (NCRCP13). It even gave me the bank’s company registration number. All above board, or so it would seem – except, as I’ve said, I’m not a Capitec customer. And SARS and I are up to date with one another, thank you.

Next an email that by all appearances came from Standard Bank informed me that my IT3(B) certification – whatever that is – has been updated. Click here to view and confirm. “Registered phone number and email address we have on our record must be confirmed …” All sounds reasonable enough … except that I happen not to be a Standard Bank client! But if I had been?
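The give-away in each of these bank emails is the same: a brand name planted in the link or the sender’s display name while the domain that actually receives the click, or actually sent the mail, belongs to someone else. The following Python script is an added example (not part of the column, and not any bank’s own tooling) that automates that check: it pulls the registrable domain out of every link and out of the From address, and flags any brand word that appears without an allowlisted domain behind it. The brand allowlist, the cut-down public-suffix table and the sample message are all constructed for illustration; a real deployment would use the full public suffix list and a verified allowlist.

```python
"""Flag brand-impersonation clues in a suspect email: a brand name that appears
in a link or sender display name while the registrable domain is not one the
brand actually uses.  Added example; the allowlist, suffix table and sample
message below are constructed, not taken from the column."""
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): registrable domains accepted per brand keyword.
BRAND_DOMAINS = {
    "capitec": {"capitecbank.co.za"},
    "standardbank": {"standardbank.co.za"},
    "sars": {"sars.gov.za"},
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
}

# Cut-down public-suffix table (assumption; the real list is far larger).
MULTI_LABEL_SUFFIXES = {"co.za", "gov.za", "org.za", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname a registrant controls,
    e.g. 'capitec.co.za' for 'www.capitec.co.za'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_mentioned(text: str) -> set:
    """Brand keywords present anywhere in the text (spaces ignored)."""
    flat = text.lower().replace(" ", "")
    return {brand for brand in BRAND_DOMAINS if brand in flat}


def check_url(url: str) -> list:
    """Findings for one link: a brand word anywhere in the URL whose host does
    not belong to an allowlisted registrable domain for that brand."""
    host = urlparse(url).hostname or ""
    rdom = registrable_domain(host) if host else ""
    return [
        f"link mentions '{brand}' but lands on '{rdom or host}'"
        for brand in brands_mentioned(url)
        if rdom not in BRAND_DOMAINS[brand]
    ]


def check_sender(display_name: str, address: str) -> list:
    """Findings when the display name claims a brand the address domain
    does not belong to."""
    rdom = registrable_domain(address.rsplit("@", 1)[-1])
    return [
        f"sender claims '{brand}' but writes from '{rdom}'"
        for brand in brands_mentioned(display_name)
        if rdom not in BRAND_DOMAINS[brand]
    ]


def triage(message: dict) -> list:
    """Run the sender check plus a link check for every URL in the body."""
    findings = check_sender(message["from_name"], message["from_addr"])
    for url in re.findall(r"https?://[^\s\"'<>]+", message["body"]):
        findings.extend(check_url(url))
    return findings


# Constructed sample in the style of the "proof of payment" mail described above.
SUSPECT = {
    "from_name": "Capitec Bank",
    "from_addr": "no-reply@notify-example.net",
    "body": "Find and download the Capitec Bank proof of payment below:\n"
            "https://capitecbank.com-file.example.net/Proofofpayment.cab/file\n"
            "Or visit https://www.capitecbank.co.za",
}

if __name__ == "__main__":
    for finding in triage(SUSPECT):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample, the script reports two findings: the display name “Capitec Bank” sits on an address whose domain is notify-example.net, and the proof-of-payment link, for all its capitecbank and com-file dressing, resolves to example.net. The genuine-looking www.capitecbank.co.za link at the bottom produces no finding, which is exactly the reassurance trick the column describes: one honest link does not make the other one safe.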

Over the past two years that I have been tracking them, not a week goes by that I don’t receive one or two such emails, so the phishers must be hooking enough poor fish to make it worth their while. And the banks are certainly very aware of them. But are any of these fraudsters ever prosecuted? Are victims in a double bind: cleaned out and too embarrassed to admit they were naïve, gullible and/or open to temptation?

I’d love to know, because I’ve never seen such a case reported.

P.S. Another possibility has occurred to the conspiracist in me: Could some phishing be a devious form of market research aimed at identifying the naïve and gullible, people more open to temptation? Or people who unquestioningly follow instructions? (Click here.) Think Cambridge Analytica.
