Consulting firm Aon warns that e-mail interception fraud is on the rise in South Africa. Cyber criminals leveraging advanced technology tools gain unauthorised access.
According to Aon’s first Cyber Risk Survey for South Africa, 22% of participating companies have suffered a cyber incident in the past five years, and the majority (67%) have deployed a cyber risk management tool.
The study aimed to identify current trends in cyber risk governance practices being deployed in South African companies.
Aon notes that, in addition to phishing, social engineering and business e-mail compromise attacks, fraudsters also launch man-in-the-middle attacks, in which communication between two parties on public WiFi networks or compromised routers is intercepted, allowing the capture of sensitive information.
Jenny Jooste, client manager for cyber and professional indemnity technology at Aon South Africa, says although there are no statistics available to quantify the size of the problem, e-mail interception fraud has become more prevalent over the last two years.
She adds that phishing e-mails and social engineering are the most common methods of infiltrating e-mails. “The reason being people believe that what they see on social media is 100% authentic and that IT controls will block spam and phishing e-mails. The reality is that people go on to unsecured WiFi and internet sites believing they are secure.”
User behaviour and a false sense of security remain challenges. As an example, Aon South Africa says some SMEs and mid-sized companies are under the impression their profiles are not high enough to warrant an attack.
“The reality is companies employ staff on a full-time basis just to access any company system and demand a ransom demand/ or intercept e-mails,” says Jooste. “They call it the “shotgun” approach – when a spam e-mail is sent to a listed SME – the first one to click on the link could potentially affect a large multimillion/billion organisation or the engineering firm with ten staff based in Bloemfontein.”
Aon recommends that both internal and external teams perform penetration testing to identify areas of concern. These teams should work together to establish a roadmap and timeline for addressing the most critical issues, prescribing necessary fixes and adjustments, including the implementation of additional mitigating controls.
The days of no budget available for proactive IT security are over, Jooste adds. “Without data and connectivity, you have no business.”