Fake payment phishers busted in South Africa

It’s more Cape of Storms than it is Cape of Good Hope for an alleged phishing gang reportedly busted in Cape Town in South Africa’s Western Cape.

The gang supposedly used a mixture of email and SMS to lure their victims into payment scams, tricking them into handing over sufficient PII (personally identifiable information) to allow the crooks to help themselves to money that the victims thought was going somewhere else.

Internet access from a desktop computer or a laptop is still a luxury in South Africa, so email gives cybercriminals only so much reach. But mobile phones are ubiquitous; sending business offers and approving payments over SMS are common and popular; and electronic communications fall under an opt-out regulatory system.

That means that users are inured to SPASMS, as Naked Security jocularly refers to spam via SMS. And that, in turn, makes smishing, or phishing for PII via SMS instead of email, a viable approach for cybercriminals.

In countries with an opt-in regulatory framework for electronic communications, such as Australia, users are, in my opinion, much more likely to reject unsolicited SMSes out of hand, simply because they’re unlawful by definition.

→ There’s something intellectually paradoxical about having to reply to an SMS or an email to say that you didn’t wish to receive it in the first place. The nickname “CAN-SPAM” for the USA’s opt-out spam law was presumably intended to imply that it would flush spam down the can [US slang for toilet], but the name also perfectly reflects that, “Yes! You can spam,” until I tell you that you can’t.

As always, be very careful of any sort of payment-related advisory received electronically. It may sound upbeat and professional, but that’s no guarantee of legitimacy; it may sound threatening or worrisome, but that doesn’t mean you need to respond.

According to the Cape Times, police who busted the Cape Town phishing-and-smishing crew reported finding a collection of corporate letterheads on the laptops confiscated in the raid. Mocking up realistic-looking documents is so easy these days that you can’t trust anything online on looks alone.

And be very sceptical of employment schemes which offer you “work from home” opportunities handling financial transactions for a third party. It’s really easy for someone who has drawn you in via an electronic communication that they initiated to keep up the illusion that you are dealing with a reputable and legitimate business.

If in doubt, get hold of the company they claim to represent using contact details you have found out independently yourself.

Don’t rely on phone numbers, website names or email addresses given to you by someone who approached you first – if they’re crooks, they’ll just answer the phone with the name of the company whose identity they have “borrowed,” which proves only that they are sitting at the other end of the number they told you to call!

And if you are in any doubt that “work from home” schemes can end in tears, both financial and legal, have a listen to this interview, aired recently on BBC Radio 5 Live, in which Jamillah Knowles and Yours Truly discuss the risks of handling money for people you can’t be sure about: