Filed Under (Editorial, Reviews & Opinions) by David Wiles on 31-01-2019

[Largely based on an article in the Kaspersky Lab Blog by Anastasia Gridasova linked here.]

Whenever most people talk about computer- or cyber-security, they consider program errors and vulnerabilities as being the only weakness. However, in many cases, the human users of computers are the “weakest link”, and we all, to a greater or lesser degree, have vulnerabilities built into our own psychological makeup that criminals exploit. These weaknesses are covered under a broad term “social engineering”.

It might seem a misnomer to call this “engineering”, or “social”, but social engineering is a methodology, combining sociology and psychology, that manipulates human beings by creating an environment that leads to a predetermined result. In other words, social engineers are skilled at exploiting people’s fears, emotions, feelings and reflexes to get those people to do what they want, such as handing over useful information.

Four main emotions that scammers exploit are:

  • Curiosity
  • Pity
  • Fear
  • Greed

Some might insist that I am wrong to call them “vulnerabilities”, since they are normal, natural human emotions, but when they are exploited to manipulate potential victims they are vulnerabilities. These emotions can be manipulated so that the brain responds automatically, without the intervention of critical or analytical thinking.

Cyber-criminals have plenty of tricks up their sleeve and some of their methods work better on some people than others:

Reverence for authority
This is a typical cognitive bias that controls behavior, perception and thinking. We all have an inclination, to a greater or lesser degree, to obey those with a degree of experience or power unquestioningly, while ignoring our own judgement about the validity of the action.

When you are driving down a highway, abiding by the speed limit, and you encounter a traffic cop driving slower than the speed limit, your natural urge is to drop your speed and travel slower because of your cognitive bias of reverence for authority.

In phishing attacks there might be a phishing e-mail allegedly from your boss. Naturally, if the message told you to film yourself dancing in your underwear, and send the video to ten friends, you might think twice, but if your “boss” is asking you to read some documentation or provide them with sensitive information by opening up an attachment, you might be more inclined to click on that attachment.

A sense of urgency
Creating a sense of urgency is one of the most frequent psychological manipulation techniques used by phishers. To make an informed, rational decision you need to examine the relevant information in detail, and that takes time.
Social engineers use fear and an overt sense of urgency to coerce their victims into making on-the-spot decisions. Does the phrase “An attempt was made to access your account. If this was not you, click this link immediately…” or “only the first ten clickers get the discount, don’t miss out…” sound familiar? When the clock is ticking, the probability of succumbing to instinct and making an emotional decision instead of a rational one is greatly increased.

Messages that shout “urgent” and “important” are in this category. Trigger words are often highlighted in red, the color for danger, to enhance the effect.

Unconscious actions

In psychology, the term “automatisms” (or “unconscious actions”, as I prefer to call them) refers to actions taken without the direct involvement of the conscious mind. Unconscious actions can be primary (snatching your hand away from a hot stove plate) or secondary (pushing on a door even though the sign on it says “Pull”).

Phishers try to trigger unconscious actions when sending messages: “Failed to deliver e-mail, click to resend” notices, annoying newsletters with large “Unsubscribe” buttons, and fake notifications about new comments on social networks. I once saw a small program that had its [OK] and [Cancel] buttons deliberately swapped, and I found myself clicking [Cancel] when I meant to click [OK]. This is automatism at work!

Unexpected revelations

This is a common method of social engineering. Our psychological makeup inclines us to accept information packaged as an honest admission or confession far less critically than information we had to discover for ourselves.

A message you receive that says: “We regret to inform you that we have suffered a password leak. Please click the link to see if you are in the list of those affected.” will be far more readily accepted than finding out yourself that your password might have been compromised.

How to protect yourself against social engineering tactics:

You need to realize from the outset that the perceptions and tendencies that play into the hands of cyber-criminals are biological. They are part of the human brain’s development, and helped us adapt to and cope with the world. They are not a failure of intelligence, but they do let a well-crafted message bypass critical thinking, and we can all help ourselves spot these nefarious manipulations by knowing a bit about human psychology:

  • Read messages from persons in authority with a critical eye. Ask yourself, “Why is your boss asking you to open a password-protected ZIP file and giving you the password in the same e-mail?”.  Why would Human Resources address you as “Dear Client” and ask you to confirm your bank account details if they have that already on record? If something looks odd, clarify things using a different communication channel like picking up the phone.
  • Do not react immediately to messages demanding “urgent” action. Fight your natural instinct to panic. Check the sender, domain, and the link before clicking anything. If you are still in doubt, get in touch with someone who might be more knowledgeable, like Information Technology.
  • If you notice that you have a habit of automatically responding to some types of messages, run through your typical sequence of actions again, but consciously. Take a deep breath before clicking. If it is your habit to check your e-mail first thing in the morning, change your routine when you are stressed or preoccupied. This helps to de-automatize your responses by engaging the conscious mind at the right moment.
  • Check your sources. Don’t be afraid to ask questions even though you think they might be stupid or paranoid questions. Most computer-geeks are actually quite pleasant and approachable people, and unless they are really busy or under pressure, will be quite willing to answer your questions or concerns. Your question might actually be helpful to them by making them aware of a potential threat that they might not have been aware of.

Stay safe out there.

The Cyber-Security Awareness Month is behind us and we are into November, but I thought as a final signoff, I would share a few statistics and give some common sense advice to help you to become more aware of phishing scams and how to spot them.

Don’t think that South Africa is too small or unsophisticated to be a target for phishing attacks. According to Drew van Vuuren, CEO of 4Di Privaca, South Africa is the second most targeted country globally when it comes to phishing attacks.

With the cost of phishing in South Africa amounting to approximately R4.2 billion in 2013 alone and with South Africa accounting for 5% of the total volume of all phishing attacks globally, it is not a matter of “if” the university is going to be a target, but “when”. If you are not worried about phishing attacks, you should be! It is not just Information Technology’s problem, it is yours too!

E-mail-related threats are, for the university as for other businesses and enterprises, the biggest security concern. According to some people in the know, more than half of university personnel have dealt with a phishing scam at least once this year, with some receiving more than 500 suspicious e-mails a week. (In many cases Information Technology’s e-mail servers were able to block and filter out most of the e-mail threats before they could be delivered.)

According to a 2016 survey done by Symantec, over 30% of South African Internet users share at least 3 pieces of personal information on their social media profiles that can make stealing their identity easy.

60% of the respondents admitted that they had no idea what their privacy settings were and who could see their personal information on sites like Facebook, Instagram, Twitter etc.

People often become victims of online fraud by using the same password or username on multiple sites, including social media sites and Internet banking sites. According to Ofcom’s “Adults’ Media Use and Attitudes Report 2013”, 55% of the poll respondents used the same password for most – if not all! – websites.

Here are 10 common-sense tips to help you spot and prevent becoming a victim of a phishing scam:

1. Learn to identify suspected phishing e-mails

  • They duplicate the images and branding of a real company.
  • They copy the name of a company or an actual employee of the company.
  • They link to sites that are visually similar or identical to the real business’s.
  • They promote gifts, or threaten the closure of an existing account.

2. Check the source of information from incoming e-mail

Your bank, Information Technology, or cellphone provider will never ask you to send your passwords or personal information by e-mail. Never respond to these questions, and if you have the slightest doubt, call your bank, IT or your cellphone provider directly for clarification.

3. Never go to your bank’s website by clicking on links included in e-mails

Do not click on hyperlinks or links in the e-mail, as they may direct you to a fraudulent website.

Type in the URL directly into your browser or use your own bookmarks or favorites if you want to go faster.

4. Beef up the security of your computer

Common sense and good judgement are as vital as keeping your computer protected with good antivirus and anti-malware software to block this type of attack.

In addition, you should always install the most recent updates for your operating system and web browsers.

5. Enter your sensitive data in secure websites only

A site that handles sensitive data should at least use an address beginning with ‘https://’, and your browser should show the closed-lock icon. Be clear about what that proves, though: the connection is encrypted to whoever controls that address, and nothing more. Phishing sites routinely use HTTPS too, so the lock is necessary but not sufficient; check that the domain shown in the address bar is really your bank’s.

6. Periodically check your accounts

It never hurts to check your bank accounts periodically to be aware of any irregularities in your online transactions.

7. Phishing doesn’t only pertain to online banking

Most phishing attacks are against banks, but can also use any popular website to steal personal data such as eBay, Facebook, PayPal, etc. Even the university’s e-HR site was targeted in 2017.

8. Phishing is international

Phishing knows no boundaries and can reach you in any language. In general such messages are poorly written or translated, so this may be another indicator that something is wrong, though a well-crafted phish can be flawless, so the absence of mistakes proves nothing.

9. Have the slightest doubt? Do not risk it

The best way to prevent phishing is to consistently reject any e-mail or message that asks you to provide confidential data.

Delete these emails and call your bank to clarify any doubts.

10. Keep up to date and read about the evolution of malware

If you want to keep up to date with the latest malware attacks, recommendations or advice to avoid any danger on the network, subscribe to the Information Technology blog or follow them on Twitter. Put your local computer geek or the IT HelpDesk on the speed dial of your cellphone, and don’t be embarrassed or too proud to ask questions from those who are knowledgeable about such things.

Keep safe out there,

David Wiles

Royalty-free graphics from Freepix.com

In a previous article written for the Cyber-Security Awareness Month I talked about “spear-phishing”. Spear-phishing attacks target the university specifically instead of just sending out random “shot in the dark” e-mails that someone will hopefully fall for. Spear-phishing has been notoriously successful because scammers focus on university employees’ and students’ internet activity and send requests that look like the real thing, claiming to be from entities within the environment that you actually deal with.

In the past couple of years we have had a couple of large-scale spear-phishing attacks that resulted in a number of student and personnel accounts being compromised and in several instances some of the victims suffered financial loss.

In April 2017, a number of personnel got an e-mail from “Stellenbosch Payroll” with the subject of “NOTIFICATION: Your 13.69% Salary Increase.”

The e-mail said that there were two attached documents that needed to be downloaded that would detail the salary increase. The mail was sent at a time when salary increases and performance bonuses were being granted.

The bait was the mention of a 13.69% salary increase which would certainly attract the attention of anybody, and many people would overlook the lack of a personal salutation, and the occasional grammar and spelling mistakes, lulled into a false sense of security because it seemed to come from the university, had all the university logos, was speaking about the annual salary increases and offered a sizable salary increase!

Once tricked by this initial bait, the intended victims – university personnel – would click on the links and would be taken to a forged website that looked identical to the real login page of the university Human Resources division.

Here the victims entered their usernames and passwords in order to see the documents for their salary increase. No documents appeared, and to the victim it looked as if the login had simply failed, but the forged website had done its job: the scammers who set it up had captured the usernames and passwords and could now log in to the REAL HR website using the stolen details.

Having then gained access to the victim’s account on the HR website, the scammers then changed the victim’s banking account details to their own, so that they could get the victim’s salary paid into their own account. Furthermore they would have also recorded the original bank account details and targeted them for further exploitation. The warning signs were there all along. The forged website address was not in the university domain but very few people would spot that detail.

A second spear-phishing attack occurred a year later in May 2018:

It started with an e-mail from a UNISA e-mail account (which had already been compromised and was under the scammers’ control). The mail warned the intended victims that their e-mail account was due to be deactivated and that they should click on a link to renew it. The subject read “Dear SUN E-mail User (c) Copyright 2018 Stellenbosch University”, which many victims took as a sign of legitimacy, and the signature was from the “2018 Email Microsoft Administrator”.

A note here about how cleverly the spear-phishing scammers researched their intended target. The e-mail used words and other details like SUN, Stellenbosch University and IT HelpDesk that would convince many people that the mail was legitimate.

The link took the victims to another forged website. This time it was a perfect copy of the university’s own “Single Sign-On” page that students and personnel used to access important services within the university, like e-Learning and the personnel portal.

The website address was also not in the university domain, but all the rest of the details looked right, even down to the branding and the inclusion of a link “Kliek hier vir Afrikaans“.

Once the victims had entered their user names and passwords on the forged site, the scammers had then gained control over the users accounts and then could send out further e-mail messages from within the university to catch more victims who would see that the sender came from within the university, and would think that the mail and the website was real!

What could we have done to spot and prevent these attacks?

Unfortunately, in my opinion, there is a general institutional attitude that it is Information Technology’s job to prevent such attacks and to protect users against them. This is not true: it is not just their job. Everybody who uses an institutional network (or a private one, for that matter) shares the responsibility to be aware of the dangers we face in cyberspace, to sensitize themselves to the warning signs, to become “informed” users, and to help Information Technology by watching out for suspicious e-mails, reporting them, and not using weak or easily guessed passwords.

For instance here are some common-sense checks that every user can learn:

  • Don’t trust display names. These can be anything a scammer wants them to be.
  • Check for fake email domains. These will often be slightly different versions of the real thing.
  • Look at the university logo and other images critically. They prove nothing: logos are freely available on the internet and trivial to copy into a forged e-mail or website.
  • Review links carefully by hovering over the link text (without clicking). A link that is different from the one in the link text is a sign that it is a malicious link.
  • Look for the sun.ac.za domain name in the link, and make sure it is the actual domain (the part of the address just before the first single “/”), not merely text that appears somewhere inside a longer host name such as sun.ac.za.something-else or later in the path. If the domain is different, it is probably a malicious link.
  • Look out for bad spelling and grammar, as this can be a tell-tale sign that it’s not a legitimate message.
  • Spear phishing emails and messages are highly focused and targeted.  The criminal will spend a lot of time making e-mails and website look like the real site.
  • If you have suspicions about an email or other message, never visit the site. Always verify it first, by checking with Information Technology. They will quickly be able to tell you if it is legitimate or not.
  • Use strong passwords, and never use the same password (especially a weak one) on multiple sites.
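Several of the checks above (don’t trust display names, look at where a link really points, make sure the domain is actually sun.ac.za and not a lookalike) can be written down as code. The Python below is an added example for this article, not something from the original post or from the university’s IT division. The two e-mails it inspects are constructed for the illustration, and every domain in them ending in .example is made up. The detail worth noticing is that the domain check is anchored at the end of the host name, so that sun.ac.za appearing somewhere inside a longer address does not count as a match.

```python
"""Added example: mechanical checks for the warning signs listed above.

Not code from the original article or from the university. The messages below
are constructed for illustration; their domains ending in .example are made up.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "sun.ac.za"  # the university domain the article tells readers to look for


def host_is_trusted(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only for the trusted domain itself or a genuine subdomain of it.

    The comparison is anchored at the END of the host name, so
    'sun.ac.za.hr-portal.example' (trusted name used as a prefix) and
    'sun-ac.za' (lookalike) both fail, while 'my.sun.ac.za' passes.
    """
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: what hovering over a link reveals."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(url_or_text: str) -> Optional[str]:
    """Hostname of a URL; bare text is treated as a URL so 'www.x.za' resolves too."""
    try:
        return urlsplit(url_or_text if "://" in url_or_text else "http://" + url_or_text).hostname
    except ValueError:
        return None


def check_message(raw: str) -> List[str]:
    """Return human-readable warnings for one raw e-mail with an HTML body."""
    msg = message_from_string(raw)
    warnings: List[str] = []

    # 1. The display name can be anything; only the address domain is checked.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    if not host_is_trusted(sender_domain):
        warnings.append(
            f"sender {address!r} is outside {TRUSTED_DOMAIN} "
            f"(display name {display_name!r} proves nothing)"
        )

    # 2. Where does each link really go, and does that match what the reader sees?
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = urlsplit(href).hostname or ""
        if not host_is_trusted(href_host):
            warnings.append(f"link points to {href_host!r}, not {TRUSTED_DOMAIN}: {href}")
        text_host = _hostname(text)
        if text_host and "." in text_host and text_host != href_host:
            warnings.append(f"link text shows {text_host!r} but the target is {href_host!r}")
    return warnings


# Constructed sample modelled on the salary-increase phish described in this article.
SAMPLE_MESSAGE = """\
From: "Stellenbosch Payroll" <payroll@sun-ac-za.example>
To: staff@sun.ac.za
Subject: NOTIFICATION: Your 13.69% Salary Increase
Content-Type: text/html

<html><body>
<p>Dear Employee,</p>
<p>Log in at <a href="http://sun.ac.za.hr-portal.example/login">https://www.sun.ac.za/hr</a>
to view your increase letters.</p>
<p><a href="https://www.sun.ac.za/english/faculty">Faculties</a></p>
</body></html>
"""

# Constructed legitimate-looking message: no warnings expected.
CLEAN_MESSAGE = """\
From: "Human Resources" <hr@sun.ac.za>
To: staff@sun.ac.za
Subject: HR portal maintenance
Content-Type: text/html

<html><body><p>The <a href="https://www.sun.ac.za/hr">HR portal</a> is down on Saturday.</p></body></html>
"""

if __name__ == "__main__":
    for line in check_message(SAMPLE_MESSAGE):
        print("WARNING:", line)
```

Running the file prints three warnings for the constructed phish: the sender domain, the link target outside sun.ac.za, and the mismatch between the visible https://www.sun.ac.za/hr and the real target. The clean message produces none. None of this replaces the human checks above, but it shows that the “look at the domain” rule is precise enough to be automated.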

In the final article for the Cyber-Security Awareness Month, I will share a few thoughts on how to increase your awareness about cyber-security and give a few tips and suggestions about what the university could do to fight and prevent these attacks!

Keep safe out there,

David Wiles

When we use the term “hacker” in our day-to-day conversation, we tend to associate it with the type of attacker who uses their technical expertise to break into protected computer systems and compromise sensitive data. We hear about this breed of hacker in the news all the time, and we invest millions of rands in new technologies to improve our network defenses.

However, there is another type of attacker who uses their tactics to bypass even the most expensive and effective cyber-security technology. They are the social engineers: hackers who exploit the one weakness that is found in each and every institution like a university, human psychology. They use a variety of media, including phone calls and social media, and trick people into offering them access to sensitive information.

So social engineering is a term that covers a broad spectrum of malicious activity. It is a means of attack that leans on human interaction and involves manipulating people. All the methods that I listed in my previous article use social engineering in one form or another.

The object of a social engineer is to get people to bypass or suppress their natural reserve or suspicion in order to gain access to systems or data. An example would be someone who calls the secretary of a department pretending to be from the IT Department, questions them and gets them to reveal sensitive information such as login names, e-mail addresses, WiFi passwords and so on. They are in essence con-artists!

Whether it is through a phone call or an e-mail, social engineering attacks are always very effective because they rely on the weakest link of security – human beings.

The best-known historical illustration of social engineering is the story of the Trojan Horse (told in Homer’s Odyssey and Virgil’s Aeneid). After a ten-year siege of Troy, the Greeks pretended to accept defeat. They left behind an enormous wooden horse as an apparent offering, and the Trojans opened their city gates to bring it in as a victory trophy. But Greek soldiers were hiding inside the horse; they crept out at night, opened the city gates and let the Greek army in to destroy the city of Troy.

But there are some things you can do to protect yourself:

  • First and foremost, be suspicious of anyone who contacts you (via e-mail or telephone) and appears to know a lot about you. They may be very friendly and attempt to gain your trust, but if you’ve never dealt with this person before, ask yourself how they might have come to know so much about you and why they are contacting you.
  • If you are contacted by telephone, don’t blindly provide information. If you’re suspicious (that little voice in the back of your mind that says “something is not right here”), hang up.
  • Another effective tactic is to offer to call the person back. Ask them for a direct phone number. If they can’t provide one, discontinue the call.
  • If they do provide a number, do some of your own research. Can you find a website for the company? Do a Google search on the phone number – does it come back linked to the company name you were given?

As a matter of habit, never give up personal or sensitive information over the phone. Your login name, your ID number, your password, your bank account number should never be provided to someone on a phone call (or in an e-mail for that matter). If the person you’re speaking with is persistent in trying to get this information from you, explain that you are concerned about security and do not wish to provide this information over the phone. If they don’t accept that explanation, they should not be trusted.

Take a long, hard look at your social media presence. How much do you reveal about yourself to the social media world? Do you provide information about your position with a company and does that make you a target for a social engineering attack? Do you share your habits – such as where you shop, or where you attend gym, or where you like to eat or socialize? Even the most mundane information you share about yourself online could be used as an angle in a social engineering attack.

Any social engineer is likely to have done their homework on you ahead of time. Not only are your inboxes and phone lines being targeted, your social media sites are too. Whether it’s selfies or cat videos, most us like to tweet, tag, link, comment, like, and post online. Platforms like Facebook and Instagram are full of information social engineers can use.

How many personal details are displayed on your department or Facebook page? I have seen department webpages with personal cellphone numbers displayed for anybody to call.

This past week, my mailbox has been inundated with people concerned about the growth of “extortion phishing” e-mails. Extortion phishing is the practice of obtaining money through threats delivered by e-mail. In this instance the victim receives an e-mail claiming that they have been recorded through their webcam while visiting adult websites. The criminals demand a ransom in Bitcoin or another cryptocurrency they consider hard to trace, and threaten to send the recording to the victim’s contacts unless payment is made. Often the scammers also state that they know your password and have installed malware on your computer.

What is really worrying about this extortion phish is not that it plays on our innate sense of guilt at possibly having been caught doing something wrong, but that the passwords the scammers quote are often correct or close to correct, because they have been leaked in data breaches. Many of these passwords are old and have not been used for months or years, but in some cases they remain unchanged, or have been changed by only a single letter or digit. Your password and e-mail address are potentially out there for all to see!

How many times would I have to guess the correct password if the old password is “christopher” and the new password is “Christopher123”?
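As an added example (not from the original article), the Python below shows why the answer is “not many”. It applies a tiny, made-up subset of the mangling rules that password-cracking tools use (capitalise, upper-case, append common digits or years) to a leaked password and counts how many guesses it takes to reach the “new” one; it also measures how many single-character edits separate the two. Real rule sets are enormously larger, so if this toy list finds the new password, a real tool certainly will.

```python
"""Added example: how many guesses a 'slightly changed' leaked password survives.

Not from the original article. The mutation rules are a small, made-up subset
of the mangling rules that password-cracking tools apply to leaked passwords.
"""
from typing import Iterator, Optional

# Suffixes people bolt onto an old password, roughly in order of popularity.
COMMON_SUFFIXES = [""] + [str(d) for d in range(10)] + ["12", "123", "1234", "!", "!1", "2018", "2019"]


def mutations(leaked: str) -> Iterator[str]:
    """Yield candidate 'new' passwords derived from a leaked one, most obvious first."""
    bases = [leaked, leaked.capitalize(), leaked.upper()]
    seen = set()
    for base in bases:
        for suffix in COMMON_SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:  # skip duplicates, e.g. if the leak was already capitalised
                seen.add(candidate)
                yield candidate


def guesses_needed(leaked: str, current: str) -> Optional[int]:
    """1-based number of guesses until `current` is produced, or None if the rules miss it."""
    for n, guess in enumerate(mutations(leaked), start=1):
        if guess == current:
            return n
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


if __name__ == "__main__":
    old, new = "christopher", "Christopher123"  # the pair from the article
    print(f"{new!r} is reached after {guesses_needed(old, new)} guesses from {old!r}")
    print(f"edit distance {old!r} -> {new!r}: {edit_distance(old, new)}")
```

With this rule list the article’s new password falls on guess 31, and it is only four single-character edits away from the leaked one. A genuinely new password is one that no mutation of the old one reaches, which in practice means a long, unrelated passphrase or a password-manager-generated string.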

One way to check whether your e-mail address has appeared in a known data breach is to use a service such as Firefox Monitor. You enter your e-mail address and the site lists the breaches that included it and the kinds of data (such as passwords) that were exposed. If any appear, change the password on the affected account, and on any other account where you reused it.

Social Engineering attacks range from unsophisticated attacks, by simply lying to get information, to very elaborate attacks (specifically designed websites to attack targets). The one thing they have in common is that they exploit the weakest link – human beings.

For this reason, these types of attacks will continue to increase so being aware and cautious is the best defense.

Next time I will focus a little more on the type of attacks the university has suffered over the past year or so, and how to spot them.

Keep safe out there,

David Wiles

In the last article, I warned you that we shouldn’t think that identity theft is always “high-tech”, because it can happen to anyone, even if they don’t have a computer and don’t make use of social media or even own a cell-phone.

In this article I will concentrate on the “high-tech” methods of identity theft. The identity thief’s goal is always to obtain personal information about you, such as your ID Number, your bank or credit card account numbers, information contained in your credit report, or the existence and size of your savings and investment portfolios so they can use it for their own financial advantage.

The identity thief then contacts your financial institution pretending to be you or someone with authorized access to your account. (You have given the thief that information)  The thief may, for example, claim that they have forgotten their chequebook and needs information about their account…

Credit/Debit Card Theft – Many people believe credit card fraud and identity theft are the same. In reality, they are different crimes. The main difference between credit card fraud and identity theft is that credit card fraud typically involves a single credit account, but if someone steals your identity, the potential for damaging your credit history can be much greater because someone can open numerous lines of credit in your name. Credit card fraud typically occurs when someone steals your credit card information and uses it to make unauthorized purchases. This can be done by stealing your purse or wallet or, if the criminal works at a retail store or in a restaurant, he or she may simply copy your credit card information during a transaction.

Pretexting – If you receive a phone call from someone claiming to be from a reputable research firm, asking you to participate in a survey with seemingly harmless questions like the name of your cellphone provider, your bank and even your preferred shopping centre, this is probably a pretexting scam. Pretexting is the practice of obtaining your personal information, such as telephone records, bank or credit card numbers, or any other information, under false pretenses. A pretexter pretends to be someone else, for example a representative of a survey firm who just wants to ask a few questions, in order to obtain that information. Sometimes they will claim to represent other types of organizations, not just survey firms: banks, SARS, insurance companies and ISPs.

Skimming – Identity thieves place small machines, or skimmers, in the card slots of ATMs in order to steal credit and debit card numbers and PIN codes from their unsuspecting victims. This has also been reported at some petrol stations where you can pay at the pump. It is not easy to look at a card reader and see that it has been altered before you insert your debit or credit card, as some skimmers are so advanced that they are virtually undetectable. In some cases a skimmer may remain in place for months, unnoticed by employees of the “host” store, and it could take months before victims realize that an identity thief has stolen their card number and PIN. Most victims only find out after the thief starts making illegitimate purchases or withdrawals from their accounts, often to the tune of thousands of rands.

Man-in-the-middle attacks – Smartphones and tablets have become a major point of access to the internet. There are many WiFi networks that people can connect to from almost anywhere (public libraries, airports, shopping malls, government or municipal facilities), but they open a massive “port of entry” for attackers, and this has led to an increase in “Man-In-The-Middle” attacks. A Man-In-The-Middle (MITM) attack happens when communication between two parties is intercepted by an outside entity. The perpetrator either eavesdrops on the communication or impersonates one of the two parties, so that it appears to be a regular exchange of data. MITM attacks target users of enterprise e-mail accounts, financial applications and e-commerce websites in order to steal account details, credentials, bank account or credit card numbers, and to monitor password changes. Encrypted connections (HTTPS, or a VPN) are the practical defense on a network you do not control: without a valid certificate for the site, an interceptor cannot read or alter the traffic silently, and the browser will warn you.

Phishing – The Internet scam known as “phishing” (the “ph” substitution distinguishes the activity from the real “fishing” but the activity is intrinsically the same) is a spam e-mail message that contains a link to what appears to be from a legitimate business, such as your bank, but it is actually a fake website. The e-mail often states that you must update your account information through a bogus link to a phisher’s website and the user, unknowingly, gives out personal information to the fake website.

Pharming – A less well-known Internet scam is “pharming”. Using a virus or other malware, the victim’s browser or device is hijacked without their knowledge, typically by altering the hosts file or the device’s DNS settings, so that when the address of a legitimate website is typed into the address bar the victim is silently redirected to a fake site. All identifying information entered there, such as bank passwords and credit card numbers, is collected by the scammers, who then steal the user’s identity.

Vishing – This is similar to “phishing”, which uses e-mail, but “vishing” scams use the telephone to trick targets into divulging personal information such as credit card, bank account and ID (or social security) numbers. Typically the target receives a phone call from what appears to be a legitimate business, such as their bank or credit card issuer, and is told that their account has been compromised. The “visher” then asks the target to enter or read out their account or credit card number, or even their ID number, “to secure the account”, thereby handing over the very details that compromise their identity.

SMiShing (SMS phishing) – This form of “phishing” specifically targets smartphones. As its name implies, smishing comes from “SMS phishing”: instead of an e-mail, the scammer sends a text message that entices the victim to click a link which downloads malicious software onto the phone or leads to a fake login page. The message usually arrives from an unknown number and offers some sort of incentive: a free offer, a coupon, something wrong with your account, or, even more likely, a claim that “your friend” has sent you a “greeting card” or message. Unlike the viruses of the “old days” that sought to lock up your computer or disable your files, smishing malware stays hidden and keeps feeding information back to the smisher: contact lists, e-mail address books and passwords.

Spear-phishing – Our last method is spear phishing. That term is used because the scammer is targeting you specifically instead of just sending out random “shot in the dark” emails that someone will hopefully fall for. Spear-phishing is very successful (especially within environments like the university) because scammers pay attention to your internet activity and send you requests that look like the real thing, claiming to be from entities within the environment that you actually deal with. Scammers can pull off spear phishing attempts based on the information that you share about yourself, as well as other bad habits like using the same password for multiple websites. As soon as you post updates to social media, especially about accounts, people you interact with, purchases you’ve made, and more, you’re handing over vital information that a scammer can use to target you.

How to protect yourself from Identity Theft:

  • Don’t give out your personal information on the phone, via e-mail or snail mail unless you’ve initiated the contact, or unless you are sure it’s safe. And don’t feel guilty about saying No.
  • Never use your pet’s name (or children’s name) or a nickname as a password.
  • Ask your financial companies about their policies for preventing identity theft.
  • Be VERY careful about answering surveys — and certainly don’t give out any personal information to anyone who calls on the phone or asks via email. If you do answer survey questions, use common sense and don’t give out any information that could be sold or used by identity thieves. In other words “control” the information that you give out.
  • Tell your colleagues, family and friends about the dangers of identity theft. Awareness and sensitization empowers even the most “non-technical” person.

In the next article I will be providing a bit of information about social engineering.

Keep safe out there,

David Wiles


Identity Theft takes place whenever a criminal gets hold of a piece of your information, and then uses that information for their own personal gain.

While a lost or stolen wallet, purse or cellphone may simply mean the loss of your cash and credit cards, it may also be the beginning of an identity theft case. The return of the item does not guarantee that cards were not copied, or that your personal information was not used to commit identity theft.

In the previous article I pointed out 5 areas in your world where identity theft could take place that were actually rather low-tech.

  • Old-fashioned letters (including junk-mail)
  • The trash can
  • Flash disks
  • Your drivers license or ID Document
  • Household paperwork.

Don’t think that identity theft is always “high-tech”. It can happen to anyone, even if they don’t have a computer, don’t make use of social media or don’t own a cell-phone!

Dumpster diving – literally digging through your trash – remains a popular method for stealing large amounts of your personal information. South Africans receive over 1.2 million tons of junk mail every year and much of this mail – such as pre-approved credit cards, credit card bills, and bank statements – includes your personal information. Dumpster-diving identity thieves root through your trash because they know the documents you discard as garbage contain personal identity information that can be used in a variety of illegal ways, like employment-related fraud, loan fraud, bank fraud, benefits fraud and tax fraud.

Mail Theft – Mail theft is the number 1 white collar crime in the USA today. Mail theft is a crime and is defined as anyone taking any piece of mail, be it a letter or a package, for any purpose. This includes stealing from post office workers, from private mail boxes, from collection boxes and even from mail trucks. One of the main motivators in mail theft is to steal that person’s identity and gain access to their private information, including bank accounts and credit cards.

Social Engineering – Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords or bank information. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to try hacking their password. That is why phishing is so successful: often victims willingly give their personal information to the scammers, as they feel they can trust the person asking for the information.

Shoulder-surfing – Shoulder surfing occurs when someone watches over your shoulder to steal valuable information such as your password, ATM PIN, or credit card number, as you key it into a device such as an ATM or tablet. When the shoulder-surfer uses your information for his financial gain, the activity becomes identity theft.

Theft of personal items – When a personal item like a handbag, a wallet or purse, a cellphone, or a laptop is stolen, all the information in that item can potentially be used for identity theft. The value of the stolen item is often not much, and replacement is more of an inconvenience to many of us; however, your personal information can never be recovered, and is intrinsically more valuable than the item that was stolen!

What can you do to minimize “low-tech” identity theft?

  • Never give out personal or financial information over the phone or in an email.
  • Password-protect your cellphone.
  • Shred credit card receipts, junk mail, and other such documents with sensitive personal or financial information.
  • Be aware of your surroundings at all times.
  • Tilt your cellphone screen away from the person next to you, and avoid working in crowded airplanes, trains, airports, cafes, hotel lobbies and other public spaces.
  • Work with your back to a wall preventing others from getting behind you and looking over your shoulder.

Next time we will look at the modus operandi of high-tech identity thieves.

Keep safe out there,

David Wiles


In the last article I provided you with a few tips on how to create strong passwords, in order to make the hacker’s job of accessing your personal data harder; in other words, I answered the question “How do scammers get your information?”.

But where do scammers get your information?

The graphic below depicts the world where most of us find ourselves, and where scammers might obtain important snippets of our personal data that, in many cases, is there for the taking:

Your personal information is in places beyond your control!

The cellphone has become an indispensable communications tool in the 21st century. According to the Pew Research Centre, South Africa is placed 24th on the world list with a smartphone usage of 37% of the total population. However, according to a recent global survey by McAfee and One Poll, 36% of those smartphone users have no form of password, PIN or fingerprint protection on their devices. This means that if their phone falls into the wrong hands, they risk opening up all sorts of personal information, such as bank details and online logins, to whoever finds or steals the smartphone.

How much of your personal information have you placed out there on the internet?

  • Over 30% of South African Internet users share at least 3 pieces of personal information posted on their social media profiles that can make stealing their identity easy.
  • 60% of South African Internet users have revealed they had no idea what their privacy settings are and who could see their personal information on those sites.

Old-style junk mail, invoices, receipts and ordinary letters can still provide scammers with a wealth of information. Dumpster-diving can reveal documents with your ID Number, old bank statements with your account details, old credit cards, unwanted junk mail, payslips and tax forms. Even old prescriptions and medical aid claims can provide a scammer with a wealth of personal information.

The modern equivalent of a filing cabinet, a flash disk poses a huge risk to the security of your personal data. Flash disks are small and cheap, and can easily be forgotten plugged into computers, fall out of pockets or be stolen, providing scammers with all the data stored on that device.

Your bank, your employers and SARS all store and work with your personal information. You have placed a tremendous amount of trust in these organizations to keep your personal data safe. How many people at your bank, for instance, have access to your personal data, and who can they potentially give that data to?

Your driver’s license has a lot of information on it, including fingerprints, date of birth and ID number. The new style “smart” licenses will hold even more information, and if the license gets into the wrong hands it can be used for identity theft. For instance, in order to open up a cellphone contract, you would need an ID document or driver’s license, bank account details and proof of address, almost all of which can be obtained by dumpster-diving or someone rifling through your paperwork.

Finally your computer (at work or at home) or your laptop holds a huge amount of your personal information. If stolen, the hard-drives can easily be trawled for personal information. If there is no password or a weak password on the laptop it makes stealing this information so much easier!

…This is your world!

  • Since 2007, more money has been made from trafficking financial data acquired by identity theft than from drug trafficking.
  • 8.8 million South Africans were victims of identity theft in 2015.
  • 1 in 3 South Africans do not have a password on their cellphones or computer.
  • 70% of South Africans change their passwords after being compromised. (So 30% of South Africans don’t do anything even after they have been compromised.)
  • 1 in 3 South Africans admit sharing passwords with other people.

There are 4 areas where we all neglect the security of our personal information:

  1. Indifference – Lack of Feeling
  2. Ignorance – Lack of Knowledge
  3. Inability – Lack of Training or Education
  4. Inaction – Lack of Respect

During a recent information session I was asked to suggest to people what they could do to improve their personal data security and to prevent identity theft:

When someone comes and knocks on your front door, do you just open the door and let them in? No, you check who it is and then you decide if you want to open your door to them or not. The power of access is in your hands because you control the door!

The same principle applies to your personal data. Be careful and vigilant and be the gatekeeper of your personal data! Control what data is given out and who receives it. You have the control!

Next time we will look at the modus operandi of identity thieves.

Keep safe out there,

David Wiles

Earlier this week I pointed out that most people still underestimate the importance of having a secure password, and still make the mistake of using simple words and numbers as a password.

Keep in mind that your e-mail and social network accounts contain very personal information about you. You must have a strong password to keep your personal life personal, and not become a victim of identity theft. (In 2015, 1 out of every 6 South Africans was a victim of identity theft.)

  • Using e-mail or your profile on Facebook, WhatsApp or Google, hackers can, and do, extract a huge amount of personal data about your personal “online” life.
  • If you use the same password for multiple online accounts, you run the risk, if this password is hacked, of all your online accounts being compromised.
  • Using a personal name for an online account, the name of the city that you live in, the names of your children or your date of birth gives hackers vital clues for attempting to access your personal data.
  • For an average expert hacker, it is always easy to find passwords that are made up of words from the English vocabulary or other languages, using a basic technique called “brute force” or “dictionary” attacks.

What makes a password safe?

  1. A password that is at least 8 characters long.
  2. The password does not contain information that is easy to find online such as the date of birth, the telephone number, your spouse’s name, the name of a pet, or a child’s name.
  3. The password does not contain words found in the dictionary.
  4. The password contains special characters like @ # $ % ^ &, and numbers.
  5. The password uses a combination of uppercase and lowercase letters.

A trick that the experts use to create secure passwords:

Think of a phrase and use the first letters of the words in the phrase.

  • For example: “In South Africa a barbecue is called a Braai!”
  • Take the first letters of each word and the password that is created is: ISAabicaB!
  • This will be very difficult to guess, but easy to remember.
  • At this point you can decide to make your Google password ISAabicaB!-G, your Facebook password ISAabicaB!-F, your university account password ISAabicaB!-US, and so on.
  • There is already a capital letter and a special character (!), so you just need to add a number to finish off a good password, like 9-ISAabicaB!-US (9 could be the month you created the password in, for example).

You will have already made your password a lot more difficult to hack, and it can be a lot of fun to create!
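As an added example (not code from the original post), here is a small Python script that applies the five criteria above to a password and implements the first-letters trick. The dictionary and the “personal info” list are constructed stand-ins, and the `site_suffix` and `number` parameter names are my own.

```python
import string

# Constructed lists for this example. WORST_PASSWORDS is the SplashData
# top-10 for 2018 quoted on this page; SAMPLE_DICTIONARY stands in for a
# real word list, which would be far larger.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "letmein", "1234567", "football", "iloveyou",
}
SAMPLE_DICTIONARY = {"password", "football", "love", "braai",
                     "south", "africa", "summer"}


def phrase_to_password(phrase, site_suffix="", number=""):
    """The trick from the post: first letter of each word (case kept),
    keep the punctuation that closes the phrase, then add an optional
    number in front and a per-site suffix at the end."""
    words = phrase.split()
    base = "".join(w[0] for w in words if w[0].isalnum())
    # "Braai!" -> keep the trailing "!"
    last = words[-1]
    base += last[len(last.rstrip(string.punctuation)):]
    # Caveat: variants built this way differ only by suffix, so if one
    # of them leaks, the others are easy to guess from it.
    return "-".join(p for p in (number, base, site_suffix) if p)


def check_password(password, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Score a password against the five criteria in the post plus the
    'worst passwords' list. Returns {criterion: passed}."""
    lower = password.lower()
    return {
        "at_least_8_chars": len(password) >= 8,
        "no_personal_info": not any(i.lower() in lower
                                    for i in personal_info if i),
        "no_dictionary_word": not any(w in lower for w in dictionary
                                      if len(w) >= 4),
        "special_and_digit": any(c in string.punctuation for c in password)
                             and any(c.isdigit() for c in password),
        "mixed_case": any(c.isupper() for c in password)
                      and any(c.islower() for c in password),
        "not_in_worst_list": lower not in WORST_PASSWORDS,
    }


def failed_criteria(password, personal_info=()):
    """Names of the criteria the password fails, in sorted order."""
    return sorted(k for k, ok in check_password(password, personal_info).items()
                  if not ok)


if __name__ == "__main__":
    phrase = "In South Africa a barbecue is called a Braai!"
    for pw in (phrase_to_password(phrase), phrase_to_password(phrase, "US", "9")):
        print(pw, "fails:", failed_criteria(pw) or "nothing")
```

Run as-is it shows that ISAabicaB! still fails the “numbers” part of criterion 4, while 9-ISAabicaB!-US passes all five.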

Next time, I will show you where hackers get your personal information. Be prepared to be shocked!

Keep safe out there…

David Wiles

The past two years have been particularly devastating for data security world-wide, with a number of well-publicized hacks, data breaches and extortion attempts.

Annually SplashData publishes a list of the most common passwords. The list is created using data from more than five million passwords that were leaked by hackers in 2018 and with a quick glance at the list, one thing is clear – we do not learn from our mistakes.

People continue to use easy-to-guess passwords to protect their information. For example, “123456” and “password” retain their top two spots on the list—for the fifth consecutive year and variations of these two “worst passwords” make up six of the remaining passwords on the list.

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password – 123456.

Here is the list of the top 10 passwords of 2018:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou

Despite this risk, some people think that they are very clever with their passwords:

There is one that is used by a lot of personnel at the university. It looks very cryptic, but when you look at a computer keyboard it is easy to spot:

It is a sobering fact that most people still underestimate the importance of having a secure password, and still make the mistake of using simple words and numbers as a password.

“Passwords are the only control you have to secure your data with most systems these days. If your password is easily guessed by someone, then the person essentially becomes you. Use the same password across services and devices, and they can take over your digital identity.” Shaun Murphy, CEO of SNDR.

In our next post we look at how to create a strong password you can remember…

Keep safe out there…

David Wiles

Filed Under (Editorial, Tips) by David Wiles on 21-08-2018

The FBI has issued a warning about cyber-criminals using Facebook Messenger to circulate a message that urges people to open a link; the link leads to a page that harvests their personal data.

The message reads ‘Hey I saw this video. Isn’t this you?’ coupled with a URL. Other variations use phrases such as “someone is saying bad things about you” or “someone is spreading rumors about you”.

The most common version of the scam takes the user to a fraudulent website designed to resemble the Facebook login page.

The webpage is forged and is controlled by a fraudster who is able to steal any details inputted by users mistakenly believing they’re logging into their Facebook account.

If people use the same email address and password combination on other websites, hackers can use the stolen details to login to those as well.

This can allow criminals access to online banking, or frequent flyer miles.

The best way to spot and avoid these scams is to avoid clicking on any links that you receive from friends or family until you contact the sender outside of the app to verify that they really sent the message.

The key to the scam is the seeming familiarity of the sender: a friend, family member or relative.

Scammers use two rules of thumb to lure victims.

  • The first is to gain the confidence of their target through the credibility of a friend, authority figure, or organization that the victim is likely to trust.
  • The second rule of thumb scammers use is to create a sense of urgency or threats to get victims to act immediately without stopping to think!