The Internet has introduced cheap, interactive, and instant global communications. Though life has been revolutionalised, the Internet has opened a Pandora’s box that resulted in new forms of criminal behaviour.
Phishing is one of the most common security challenges in digital age. It affects both individuals and organisations in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication; they can, to steal valuable data.
Businesses, of course, are a particularly potential target.
Consequently, business owners must be vigilant to avoid falling victim to phishing attacks, by sharing their views of the most common ways that individuals and companies are subjected to phishing attacks.
Phishing is one of the key components of social engineering. The emails are crafted to resemble correspondence from a trustworthy source (agency) and often dupe individuals to click on a malicious embedded link.
More sophisticated phishing emails execute hidden code if the email is simply opened on the target’s computer.
As articulated last week in this column, phishing, contained in Article 36 of law nº 60/2018 of 22/8/2018 on prevention and punishment of cybercrimes, is a very challenging cybercrime in a technology-driven world.
To date, Rwanda is among a few countries in the world, where phishing is legally punishable. The scale of phishing is steadily growing, and many anticipate the likelihood of catastrophic cyberattacks in the future.
Besides, phishing uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information, such as account numbers, social security numbers, or your login IDs and passwords.
Scammers also use phishing emails to get access to your computer or network then they install programs like ransomware that can lock you out of important files on your computer. Additionally, phishing attacks exploit vulnerabilities in computer networks, cause financial loss to victims and banking institutions and undermine confidence in e-commercial transactions.
Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies or organisation. Or they pretend to be a friend, or family member or bona fide person. The major tool commonly used in phishing is telling lies to get true information related to a person’s identity.
Under new cybercrime law, phishing is committed when a person establishes and uses a website or sends an electronic message using a computer or a computer system in order to have access to confidential information from a visitor of the website or recipient of the message with intent to use them for unlawful purposes, especially for the purpose of stealing money or obtaining access to a computer or a computer system, commits an offence.
"Upon conviction, he/she is liable to imprisonment for a term of not less than one (1) year and not more than two (2) years and a fine of not less than one million Rwandan francs (FRW 1,000,000) and not more than three million Rwandan francs (FRW 3,000,000).”
Perhaps a challenges arises if such an act is committed from afar and where, moreover, it’s not recognised as a crime. Another related challenge is to localize the phisher and where it’s committed.
Nonetheless, expeditious mutual legal assistance can be the most effective approach against phishing given the transnational and volatile nature of electronic evidence. In practice, though, mutual legal assistance procedures are considered too cumbersome.
Despite the complexity, international cooperation, sharing of information and conduct of joint investigative efforts with foreign law enforcement agencies are paramount course of action.
From a cybersecurity context, a flurry of measures must be taken to keep phishing at bay. Some of these steps are: educate employees and conduct training sessions with mock phishing scenarios; deploy a SPAM filter that detects viruses, blank senders, etc.; develop all systems current with the latest security patches and updates; install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment; develop a security policy that includes but isn’t limited to password expiration and complexity; deploy a web filter to block malicious websites; encrypt all sensitive company information; convert HTML email into text only email messages or disable HTML email messages; require encryption for employees that are telecommuting.
It is generally believed that organizations fall prey to phishing attacks because of careless and naive internet browsing. Instituting a policy that prevents certain sites from being accessed greatly reduces a business’ chance of having their security compromised.
As articulated elsewhere, it is quite important to underline educating organisation’s employees about the sophisticated technics of phishers. Employees should be trained on security awareness as part of their orientation. They need to be informed of e-mails with attachments from people they don’t know.
They must know that no credible website would ask for their password over e-mail. Additionally, people need to be careful which browsers they utilize.
Read all URLs from right to left. The last address is the true domain. Secure URLs that don’t employ https are fraudulent, as are sites that begin with IP addresses.
The writer is a law expert
The views expressed in this article are of the author.