It's that time of the year again, when security organisations start publishing the results of surveys, and this week it was the turn of the US National Security Alliance (NSA), which found that roughly a quarter of US Internet users are targets of phishing attacks.
It's only a matter of time before fraudulent e-mails seeking personal data such as passwords and credit card details become as big a threat here as they are in America and elsewhere in the world.
In SA this year there have been several incidents of e-mails purporting to be from local banks asking potential victims to verify personal information either directly or through links to Web sites that look very much like the real thing.
Although the NSA study found that the number compromised by spyware had dropped to 61% from 80% a year ago and the fraction infected with an active virus dropped to 12% from 19%, phishing remains a big threat because no technology in the world can counteract it.
Social engineering
Phishing continues to grow relatively unchecked because it involves various forms of social engineering to manipulate victims into disclosing crucial authentication information, enabling criminals to bypass technological security measures.
Those who carry out successful phishing attacks have learned to exploit the weakest link in the security chain: the human nature of computer users.
Warwick Ashford, portals managing editor
According to the NSA study, 70% of consumers who received phishing e-mails thought they were from legitimate companies.
Admittedly, those taking part in the study were Americans, but have we really any reason to believe the statistics would be any different in SA?
It would be nice to think we and our compatriots are a lot less gullible than our American counterparts, but the odds are we are just as vulnerable, because social engineers exploit the natural tendency of people to trust others.
No software solution
The reason this is so worrying is that, realistically speaking, there is no software solution to the problem. The enemy is literally within. There is also the stupidity factor, but I guess you will find that wherever you go.
If we are to get real about the situation, counteracting phishing and other forms of social engineering is not going to be as simple as tackling viruses and spyware. After all, there is still no known cure for the human condition, including stupidity.
So where does this leave the average computer user?
As phishers get better at tricking computer users, is developing a strong mistrust of everything and everyone our only hope?
Maybe not, because the fact that social engineering relies on people not being aware of the value of the information they possess may be the key to a solution.
Technology fails
Improved awareness is probably the most effective way of succeeding where technology alone can only fail.
The NSA study reinforces the need to be more vigilant online and probably the safest course of action is to shun any request for personal or financial information unless independently verified.
While the responsibility for security lies with every computer user, business would be the most obvious candidate for ensuring the message is communicated to as many individuals as possible, because ignorance is probably the real enemy when it comes to social engineering.
No business can really afford to be without a security policy nowadays, so in‑company training would be a good place to start. Computer users should be made aware of how social engineers operate by educating them on the value of information, and training them how to protect it.
ISPs would be another good dissemination point as the next logical means of Internet access, after company accounts, for most computer users.
Accepting the challenge
As the year draws to a close, all those who are involved in connecting computer users to the Internet should embrace the opportunity, rather than the responsibility, of helping spread awareness about the threats that lurk within, as well as those out in cyberspace.
Although susceptibility to social engineering is easily understood and explained, it is perhaps a little more difficult to account for the fact that the NSA study found that 81% of American homes lack updated computer software, spyware protection, or a secure firewall.
In other words, viruses and spyware remain a significant threat despite the fact that effective off-the-shelf solutions for these problems do exist.
In light of the NSA study, it seems increased vigilance should become a watchword for all online computer users.
If nothing else, perhaps we should consider it our national duty to prove ourselves different to our US counterparts.