It’s more Cape of Storms than it is Cape of Good Hope for an alleged phishing gang reportedly busted in Cape Town in South Africa’s Western Cape.
The gang supposedly used a mixture of email and SMS to lure their victims into payment scams, tricking them into handing over sufficient PII (personally identifiable information) to allow the crooks to help themselves to money that the victims thought was going somewhere else.
Internet access from a desktop computer or a laptop is still a luxury in South Africa, so email gives cybercriminals only so much reach. But mobile phones are ubiquitous; sending business offers and approving payments over SMS are common and popular; and electronic communications fall under an opt-out regulatory system.
That means that users are inured to SPASMS, as Naked Security jocularly refers to spam via SMS. And that, in turn, makes smishing, or phishing for PII via SMS instead of email, a viable approach for cybercriminals.
In countries with an opt-in regulatory framework for electronic communications, such as Australia, users are, in my opinion, much more likely to reject unsolicited SMSes out of hand, simply because they’re unlawful by definition.
→ There’s something intellectually paradoxical about having to reply to an SMS or an email to say that you didn’t wish to receive it in the first place. The nickname “CAN-SPAM” for the USA’s opt-out spam law was presumably intended to imply that it would flush spam down the can [US slang for toilet], but the name also perfectly reflects that, “Yes! You can spam,” until I tell you that you can’t.
As always, be very careful of any sort of payment-related advisory received electronically. It may sound upbeat and professional, but that’s no guarantee of legitimacy; it may sound threatening or worrisome, but that doesn’t mean you need to respond.
According to the Cape Times, police who busted the Cape Town phishing-and-smishing crew reported finding a collection of corporate letterheads on the laptops confiscated in the raid. Mocking up realistic-looking documents is so easy these days that you can’t trust anything online on looks alone.
And be very sceptical of employment schemes which offer you “work from home” opportunities handling financial transactions for a third party. It’s really easy for someone who has drawn you in via an electronic communication that they started to keep up the illusion that you are dealing with someone reputable and legitimate.
If in doubt, get hold of the company they claim to represent using contact details you have found out independently yourself.
Don’t rely on phone numbers, website names or email addresses given to you by someone who approached you first – if they’re crooks, they’ll just answer the phone with the name of the company whose identity they have “borrowed,” which proves only that they are sitting at the other end of the number they told you to call!
And if you are in any doubt that “work from home” schemes can end in tears, both financial and legal, have a listen to this interview, aired recently on BBC Radio 5 Live, in which Jamillah Knowles and Yours Truly discuss the risks of handling money for people you can’t be sure about:
(BBC Radio 5 Live: Outriders 14 May 2013)
"get hold the company" – hold *of*, presumably?
“Internet access from a desktop computer or a laptop is still a luxury in South Africa”
I believe the person who wrote this article doesn’t even know where to find this country on a world map...
Get a life, mate. I am a proud South African, been in your country a couple of times, and believe me, there are no more laptops or desktops less or more per capita as in your USA.
South Africa is actually one of the countries that is easiest to find on a world map, on account of its very sensible name. (Central African Republic has a similarly self-locating name, but South Africa is easier to find on a map because its coastline makes it stand out clearly.)
Anyway, the person who wrote this article actually bothered to include a map showing where both the country and Cape Town are to be found 🙂
I'm going to back myself and say that internet access from a laptop (as against from a phone) is noticeably less prevalent in ZA than it is, say, in Australia. (I'm not from the USA, for what it's worth.)
Not that there aren't lots of South Africans online, of course. But while a R100 [about $10] prepaid phone is within most people's financial reach, I'd suggest that R3000 for a personal netbook/laptop [$300] and the ongoing cost of internet access to go with it remains a bit of a stretch for many people.
Therefore, if you're a cybercrook, targeting people with phones gives you a potential South African audience of tens of millions, against (say) millions with laptops. Now add in the prevalence of (apparently entirely legal) SMS spam in South Africa, which has IMO softened up the populace to dodgy messages, and…well, you get my point.