Brace yourself for e-toll phishing

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 23 Jan 2014
A phishing scam using Sanral as bait is not only likely, it may be imminent.

With all the hue and cry around government's recently implemented e-toll system, it is only a matter of time until cyber criminals leverage the e-toll hype and launch a full-scale phishing attack.

That is, if history and professional security insight are anything to gauge by.

Wolfpack operations manager Manuel Corregedor says not only is it child's play nowadays to set up a phishing scam - the time is also ripe for such cyber crime, given that e-tolling is such a hot topic at the moment.

Google defines phishing as: "The fraudulent practice of sending e-mails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online." The cyber malpractice also involves the sending of SMSes - sometimes referred to as "smishing".

Awareness portal cybercrime.org.za notes a phishing attempt usually starts with an e-mail urging an individual to click on a Web link in order to check something regarding a bank account or another online account. "When you click on the link you go to a page where you are asked for information. The page appears genuine, but is in fact counterfeit. Phishers may then use the personal information you give on the page to steal your identity or your money."

Piece of cake

Corregedor says it would be "very easy" for fraudsters to set up a phishing scam using the SA National Roads Agency (Sanral) - the government agency tasked with running e-tolls - as bait. "These days, an attacker doesn't have to be highly skilled because there are free and relatively easy tools available that can automate the entire process. It is as easy as clicking a few buttons."

Consumers need to be aware of the fact that cyber criminals' modus operandi is to adapt their attack methods based on current trends.

He cites the South African Revenue Service (SARS) as a case in point. "We see a rise in SARS phishing e-mails around the time tax returns must be filed and/or refunds paid out.

"Therefore, consumers should be more alert when receiving e-mails related to an event or service that has a lot of hype around it at that time."

Highly likely

Consumers can brace themselves for opportunistic fraudsters' cyber attacks soon, says Corregedor, because the chances of Sanral becoming the subject of a phishing scam in the near future are very high.

"Attackers (phishers) are aware of the fact that Sanral may send out e-mails and/or SMSes regarding outstanding e-toll payments. Therefore, a phisher could send out an e-mail or an SMS knowing very well that the victim won't be overly suspicious to receive a communication from Sanral regarding such payments - and as such is more likely to click on links and/or provide their personal information."

Corregedor gives an example: "A phisher could send out an e-mail stating that the consumer owes R1 000 in unpaid tolls, with a link to allow the consumer to view pictures of their vehicle going through the gantries. However, when the consumer clicks on the link it takes them to a phishing site, which requires that they log in or provide other information to view the pictures."

He says he has no doubt several consumers would be tempted to click on the link to see their pictures.

Sanral claims there are nearly a million tagged users on the roads. Even if a mere 10% of those clicked on the link, it would mean phishers have opportunities to swindle 100 000 motorists.

IQ jab

In light of the likely and possibly imminent danger of phishing scams, ITWeb asked the agency if it had considered a verification/notification system to inform users when there is activity on their account. A one-time password, such as SA's banks send out, would be an option in this regard.

However, Sanral has yet to respond to repeated requests for information around its electronic communication methods and contingency plans in the event of phishing scams.

It was, in fact, a local road user that brought up the phishing issue - on live radio during an interview with Sanral spokesperson Vusi Mona - last week.

Mona raised eyebrows - and ire - with what was widely seen to be an ignominious reply to a Talk Radio 702 caller, who asked (paraphrased): "How do I, as a road user, know that I'm not being scammed, because there are a lot of people who will jump on the bandwagon and try to scam you? How do you guarantee that these SMSes [we are getting demanding e-toll monies] are genuine and not scams?"

To which Mona replied: "Very easy. Raise your IQ a little bit."

The remark drew criticism from local groups, while individuals took to Twitter to express disdain and surprise.

Sanral apologised for the quip, saying it was in jest, but said people calling for Mona's resignation were blowing things out of proportion.

While the caller's question remains unresolved as it stands, ITWeb will continue to pursue the road agency for answers.

Meanwhile, the continual advice to consumers from banks (and other organisations deemed prime phishing targets) stands: be vigilant - and think twice before trusting e-mails or SMSes that claim to come from an entity they may not come from.

"The more aware you are, the less likely it will be that you will fall prey to Internet or e-mail phishing scams," says SA's largest bank Absa.
