phishing

  • Internet security: what you should know about unverified links shared on social media platforms

The world is fast shifting from a physical to a digital landscape through the reach of the World Wide Web. In fact, data shows that at least 4.55 billion people around the world are now on social media, since important topics and conversations are now held there.

Perhaps it is the ease that comes with the striking features of social media platforms that makes them such an appealing prospect for new users. But these features, as helpful as they appear to be, seem to distract users from noticing the very real danger that confronts the digital space.

According to reports by Dataprot, over 1.76 billion corporate records online were leaked by hackers in January 2019. This points to the reality that hackers are on the prowl, especially on social media platforms, since it is easy to attract potential victims there. Their common schemes, perpetrated via malware, viruses, phishing attacks, malvertising, ransomware, etc. on social media platforms, have misled many into becoming victims.

On Facebook alone, the social media giant announced that nearly 30 million accounts were accessed by hackers in 2018. Likewise, in 2020, WhatsApp issued new warnings and steps to protect accounts from malicious hackers.

The usual strategy of online fraudsters is to invite users to click on hyperlinks dispatched in either group or private chats. The links are the bait, and a click by a user is the first step. They are usually ‘unverified links’, which means they don’t carry a specified name or a visible description.

    What is an Unverified Link?

A link without a description or identified address is an unverified link. A good example is a phishing link: a URL that lacks substantiation but appears to be legitimate. It is most often shared on WhatsApp to bait users into installing viruses, spyware or ransomware on their device.

    A typical example of the current trend of unexplained phishing links shared on WhatsApp groups.

When a user clicks on a phishing link or opens an ‘unverified’ attachment (like in the screenshot above), it opens access for malware, viruses, spyware, or ransomware on the device. To avert such instances, a website filter is recommended for users, as it will notify a user when a website is not secured or is potentially harmful.

    How to identify unverified links or phishing links

One apparent thing about an unverified link is that the web page usually displays lots of meaningless characters in the address bar, or includes extra strings of text (often a well-known brand name) so that it looks legitimate. Such extra text placed before the real address should raise a red flag that it is a phishing or malicious site.

    The text “Oh my god is this you in this photo?” and similar texts attached to unfamiliar links are usually a phishing scheme. Photo Credits: Panda security

    While highlighting steps to recognise unidentified links, the Federal Trade Commission gave a good example of a phishing email.

    Phishing emails and text messages often tell a story to trick users into clicking on a link or opening an attachment. They may:

    • say they’ve noticed some suspicious activity or log-in attempts
    • claim there’s a problem with a user’s account or payment information
    • say users must confirm some personal information
    • include a fake invoice
    • want a user to click on a link to make a payment
    • say users are eligible to register for a government refund
    • offer a coupon for free stuff

    Worthy of note is that most times criminals impersonate trustworthy sources to get users to click on a link (or download an app) that contains malware.

    Usually, a link is just a mechanism for data to be delivered to a device. Code can be built into a website that redirects users to another site and downloads malware to the device en route to the user’s actual destination.

When a user clicks on an unverified link or downloads suspicious apps, it increases the risk of exposure to scammers.

More red flags that deserve users’ attention

    • The link or email looks like it’s from a company a user may know and trust. It may even use the company’s logo and header, but a critical look will show that the cloned website or mail looks slightly off.
    • The link or email says a user’s account is on hold because of a billing problem. The user, not the sender, is in a position to know whether there really is a billing problem.
    • The link or email has a generic greeting such as “Hi Dear.” If a user has an account with the business, it probably wouldn’t use a generic greeting but something like “Hello James.”
    • The email invites the user to click on a link to update payment details. If the user actually has an account with the company, the company would direct the user through its established payment process rather than a link in an unsolicited email.

Nonetheless, there are tools a user can use to vet unverified or suspected phishing links. Ip-46.com offers users analysis of links, verifies their safety and catalogues fraudulent websites.

A screenshot of ip-46.com.

    Steps to protect the device from phishing

    1. Protect computers by using security software. Set the software to update automatically, so it can deal with any new security threats.

    2. Protect mobile phones by setting software to update automatically. These updates could give users critical protection against security threats.

3. Protect accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to the account. This is called multi-factor authentication. The additional credentials needed to log in to the account fall into two categories:

    • something the user has: a passcode obtained via an authentication app, or a security key.
    • something the user is: a fingerprint, retina, or face scan.

Multi-factor authentication makes it harder for scammers to log in to users’ accounts even if they have obtained the username and password.

4. Protect data by backing it up. Back up the data on computers and phones to an external hard drive or cloud storage, and make sure those backups aren’t permanently connected to the home network.

If a user has already clicked a link, there are certain precautions to take.

    Steps to take after clicking on a phishing link

    If a user happens to click on a phishing link or download a malicious attachment mistakenly, the following steps given by agingcare.com will minimize the repercussions.

    1. Disconnect the Device
      The first thing a user should do is immediately disconnect the compromised device from the Internet. If it is a wired connection, the easiest way is to unplug the Internet cable (Ethernet cord) from the computer.
      This reduces the risk of malware (a catch-all term for any type of malicious software designed to harm or exploit any programmable device, service, or network) spreading to other devices on the user’s network or sending sensitive information from the device, and keeps scammers from remotely accessing the device. If it is a mobile device, it is best for the user to restore the device to its factory settings.
    2. Backup Files
      After disconnecting from the Internet, the user should back up files, since data can be destroyed or erased in the process of recovering from a phishing attack.
    3. Scan System for Malware
      The user can take the device to a professional to check for the presence of malware, or run a complete scan with an antivirus program. An error message may appear, notifying the user that the program could not connect to the Internet; the user should ignore it. A system scan can be done without Internet access, which avoids reconnecting the device.
    4. Change Credentials
      Malware may be used to harvest sensitive information, including online usernames and passwords, credit card numbers, bank account numbers, and other identifying information. If a user has been tricked into clicking on a phishing message, it is advised that the user change their online credentials immediately. This includes email, online banking, social media, shopping accounts, and everything else.
    5. Set Up a Fraud Alert
      According to the FBI’s most recent annual Internet Crime Report, the American public lost a total of over $54 million to phishing attacks in 2020. So, to protect their online details, the user can contact one of the major credit bureaus and ask for a free fraud alert to be placed on their credit report. This may seem like overkill, but it is better to be safe than sorry. Once the fraud alert has been set with one of these bureaus, it will be more difficult for fraudsters to open new accounts in the user’s name.

A website filter is useful on every device because it will notify a user when a website is not secured.

    A typical example of a website filter alert.

Social media platforms are full of hackers looking to commit computer crimes. A lot of private information is being shared online through private groups. That is why experts say that on some platforms, 30 to 40% of advertisements are part of the cybercrime economy. So a user must read every piece of information carefully before clicking on any link.

    Conclusion

Unverified text messages and emails have become a dangerous, yet unavoidable, threat in the digital space. The safest approach is to err on the side of caution and use the “delete” button on emails and texts that appear sketchy. Note that a legitimate organisation will never ask a user to share sensitive, private information via insecure channels like email, text, or pop-up messages. If the message is genuinely essential, the sender will try to reach the user through verified means such as a phone call or postal mail.

    The researcher produced this fact-check per the 2021 Kwame Karikari Fact-checking Fellowship partnership with JAY 101.9 FM Jos to facilitate the ethos of truth in journalism and enhance media literacy in the country.

  • Phishing link claims the WHO is giving out 500 Euros support

    CLAIM: A viral WhatsApp message link claims the WHO is giving out 500 Euros support.

FALSE. The claim that the WHO is giving out 500 Euros as a support fund is false: analysis of the link shows the website is newly created and has no connection with the WHO. The WHO has also distanced itself from the link in a statement.

    Full Text

    A link going viral on WhatsApp with the World Health Organisation’s (WHO) logo claims that the WHO is giving out 500 Euros support. 

    Verification

Dubawa opened the link to see what the website holds and followed the instructions. The page, once opened, has a congratulatory message at the top which reads, “congratulations you have been selected to benefit from the support provided by the World Health Organization for 500 Euros”.

After this message comes another instruction that requires one to answer three questions before one can benefit. The first question asks for your employment type, with three options: official, worker, and unemployment. Any option you pick leads to the second question, which asks for your marital status, with three options: single, married, and divorced. Similarly, whatever option you pick leads to the third question, which asks for your age group: 18-30, 30-40 and 40-70.

This shows the site is a phishing website seeking people’s personal details.

    Screenshots of questions found on the site.

    Below these questions on the site are comments by users who claimed to have either received the support fund or gotten the code.

After answering all three questions, your answers are “reviewed” and a pop-up message tells you how much your subsidy amount has been set at. It then requires you to complete the steps by sharing the link to five groups or persons on WhatsApp, after which you can click “get withdrawal code”. The request to share on WhatsApp is also a characteristic of phishing sites.

Going through the website and following the instructions, Dubawa noted several red flags. The first red flag was the link address, which did not contain the organisation’s name as its official website and other WHO-related sites do. Dubawa also checked the website on Duplichecker and found that it is less than a month old, having been created on December 28, 2020.

    Screenshot of Duplichecker result.

Another red flag is the grammatical errors found on the website, from the congratulatory message, to the question on employment type, which had “unemployment” as an option instead of “unemployed”, to the question on relationship status, which gives the option “divorce” instead of “divorced”.

    Dubawa also reached out to the WHO for answers. The organisation released a statement on Monday January 4, 2021, distancing itself from the link.

    “A link claiming that the World Health Organization (WHO) is offering 500 EUR ($US 615) in benefits to people who answer three questions is a scam.

    This fraudulent scheme asks for personal information on individuals and despite using the WHO logo is not in any way associated with the organization.”

    Excerpt of the WHO statement.

The WHO warned the public to be wary of such deception and not to send money or personal information to anyone or any site claiming to be awarding funds, jobs, grants, scholarships, or other benefits on behalf of the WHO.

    The organisation also provided a link where the public can report scams.

    Conclusion

The claim that the WHO is giving out 500 Euros is false. Dubawa’s check and analysis of the site show this, and it is supported by a statement from the WHO.

  • Phishing websites claim the Federal Government is recruiting 50,000 youths

Claim: A certain website claims the Federal Government of Nigeria is recruiting and employing 50,000 youths via a link it provides.

The claim that the Federal Government of Nigeria is recruiting 50,000 youths via a link provided by a certain website is false. The website was found to be a phishing website used for fraudulent activities.

    Full Text

A certain website, http://bit.ly/3IE2yCG, bearing the emblem of the National Directorate of Employment, claims that the federal government of Nigeria is offering employment and recruiting 50,000 youths via a link the website provides. The information, which is shared as a web-based message on WhatsApp, has been shared across the platform over 1,750 times.

The link requires the user to complete a 4-stage procedure before accessing the said job. The first step requires one to provide a name and year of graduation; the second is the provision of contact details such as email, city, and contact number; the third requires the user to upload a passport photograph and share a certain link on WhatsApp as provided by the website; and the fourth stage is supposed to be access to the said job.

In the past, Dubawa has analysed websites offering jobs and found them to be dubious and misleading to unsuspecting members of society. It is due to this existing scepticism that Dubawa again opted to verify the authenticity of this website and the offer it makes.

    Verification

Dubawa carefully followed the stages the website sets out as a requirement for employment. The third stage, which requires users to share a certain link to multiple users on WhatsApp before accessing the said job, proved to be a dead end, as there was nothing on the last stage.

Also, when the link the website offered was analysed on Scamdoc, the tool gave it a very bad trust score of 1% and indicated that the domain was recent and known for being used by fraudulent websites.

We also found the link in question to be a data phishing website. These sites are usually riddled with pop-up ads that generate traffic through fraudulent schemes; worse still, they engage in the extraction of users’ data and financial details for nefarious purposes.

Furthermore, Dubawa found that the National Directorate of Employment published a news release on its official website in February 2020 about training 50,000 individuals under ‘Skills for Job’, not recruiting or employing youths as claimed by the website under scrutiny.

Dubawa reached out to the National Directorate of Employment but had yet to receive feedback on the claim.

    Conclusion

The facts uncovered prove that the link and the information the website propagates are false. Furthermore, the Federal Government has never carried out recruitment through third-party websites or asked individuals to share or forward a link as a necessary requirement. Its procedures are usually made public through press releases or public announcements.

  • What is phishing and how can you protect yourself from phishing attacks?

Phishing is a cybercrime in which targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

Sometimes it is a fake website put up to look exactly like a genuine website, tricking users into entering their details and passwords to log in, so that the site creator can collect the users’ information from the back end. Other times it is a request by mail, text, or even phone call from someone posing as a financial institution or a customer care representative of an organisation the target deals with.

    Under Nigeria’s Cybercrime (Prohibition, Prevention, etc.) Act 2015, phishing means the criminal and fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details via the Internet.

Despite this law, however, electronic scamming, popularly known as ‘yahoo-yahoo’, remains common among Nigerians. The ‘yahoo-boys’ usually deploy phishing tactics on their prey by sending fake business emails and through online dating, among other methods. Numerous arrests have been made in Nigeria and of Nigerians abroad. Yet phishing does not seem to be slowing down.

Although phishing is usually used to hijack accounts and harvest passwords and credit card details, it can be used for more than that.

In 2019 alone, $3.5 billion was lost to fraudsters through cybercrime including phishing, according to the 2019 Internet Crime Report published by the FBI Internet Crime Complaint Center (IC3).

    In the report, Donna Gregory, the chief of IC3, admitted that “Criminals are getting so sophisticated…It is getting harder and harder for victims to spot the red flags and tell real from fake.”

In its Q2 2020 report, Kaspersky, a cybersecurity company, found that 7.01 percent of Kaspersky users in Nigeria were attacked through phishing.

    In 2019, Microsoft called for a safer online community in Nigeria for improved economic growth. It said the call became necessary because phishing attacks increased by over 250 percent in Nigeria and other parts of the world.

Research has shown that webmail, financial institutions, and payment systems are the most targeted: 30% of reported phishing attacks target webmail, 19% financial institutions and another 19% payment systems, according to APWG’s Phishing Activity Trends Reports.

Users of Microsoft, Facebook, and PayPal are the most targeted by phishing attacks, according to the Phishers’ Favorites report for Q1 2020.

Apart from financial scams, phishing can also propel conspiracy theories. It has happened before. In 2016, during the electioneering process in the U.S., a phishing attack was launched against John Podesta, the campaign chairman of Hillary Clinton, the Democratic presidential candidate. His emails were leaked. Some of them mentioned words like ‘pizza’ and ‘hot dogs’, which sparked a widespread conspiracy theory, Pizzagate, that Democrats were involved in child trafficking. It has since been debunked.

Phishing attacks have continued to surface in several fact-checks by Dubawa.

    • In June 2020, claims surfaced that Nigeria’s Federal Government was disbursing 30,000 naira to citizens as Covid-19 lockdown funds. The claim turned out to be false and the site was found to be a data phishing website.
    • In August 2020, a claim that N-Power had shortlisted applicants for its second stage surfaced. It turned out to be false, and the site’s request for user details amounted to a phishing attack.

    All mobile phone users need to protect themselves from phishing attacks, but the greatest challenge is identifying a potential phishing attempt. Here are some red flags:

Check the website URL: Oftentimes, people do not take note of a website’s URL as long as they can see the content, especially when it is forwarded to them. But the URL is as important as the content of the website. Check the spelling, hyphens, and which domain the brand name actually sits in.

Companies do not request sensitive information: Be aware that companies do not request sensitive information such as passwords from users. Likewise, banks do not request an ATM PIN or complete credit card details.

Multiple confirmation: If sensitive information is requested, reach out through a different medium to confirm, especially when you know the officials in person. Deals are sometimes signed and sealed virtually, but when in doubt, targets should confirm through other mediums such as a phone call.

Spelling and grammatical errors: No company will send you a mail filled with spelling and grammatical errors. Look out for such; they are a red flag.

Too good to be true: This is elementary but often overlooked. If the offer seems too good to be true and eye-catching, check again.
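The URL checks described in “How to identify unverified links or phishing links” and in “Check the website URL” above can be put into code. The following is an added example written for this page; it is not a tool from Dubawa, Ip-46.com, Scamdoc or Duplichecker. It takes a link and, optionally, the organisation’s official domains, brand keywords to watch for, and the domain’s registration date (supplied by the caller from a lookup; nothing here touches the network), and returns the red flags a reader would otherwise have to spot by eye: a brand name used as decoration outside the real domain, a domain that is not the organisation’s official one, long random-looking strings, many hyphens, link shorteners, plain HTTP, bare IP hosts, and a freshly registered domain. The public-suffix handling and the shortener list are simplified assumptions.

```python
"""Heuristic red-flag checker for links shared in messages (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional
from urllib.parse import urlparse
import ipaddress
import re

# Assumption: simplified public-suffix handling. The registrable domain is the
# last two labels, or three for the country-code suffixes listed here.
_TWO_LEVEL_SUFFIXES = {"co.uk", "com.ng", "org.ng", "gov.ng", "com.au", "co.za"}

# Constructed list of common link shorteners; extend as needed.
_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

# A run of 16+ letters/digits with at least three digits looks like the
# "meaningless characters" the first article warns about.
_RANDOM_SEGMENT = re.compile(r"(?=(?:.*\d){3,})[a-z0-9]{16,}")

NEW_DOMAIN_DAYS = 30  # the WHO scam domain was under a month old


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


@dataclass
class UrlReport:
    url: str
    registrable_domain: str = ""
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def check_url(url: str, brand_keywords: Iterable[str] = (), official_domains: Iterable[str] = (),
              domain_created: Optional[date] = None, today: Optional[date] = None) -> UrlReport:
    """Collect red flags for one link. Every check is a heuristic, not proof."""
    report = UrlReport(url)
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        report.flags.append("no hostname could be parsed")
        return report
    reg = registrable_domain(host)
    report.registrable_domain = reg

    if parsed.scheme != "https":
        report.flags.append("not served over HTTPS")
    if _is_ip(host):
        report.flags.append("host is a bare IP address, not a named site")
    if "@" in parsed.netloc:
        report.flags.append("'@' in the URL: text before it is not the real destination")
    if reg in _SHORTENERS:
        report.flags.append(f"link shortener {reg} hides the real destination")

    # Brand name used as decoration: in a subdomain or path, but not in the real domain.
    path_and_query = (parsed.path + "?" + parsed.query).lower()
    for kw in (k.lower() for k in brand_keywords):
        if kw in host and kw not in reg:
            report.flags.append(f"brand '{kw}' appears in the subdomain but the real domain is {reg}")
        elif kw in path_and_query:
            report.flags.append(f"brand '{kw}' appears only in the path, not in the domain {reg}")

    official = {d.lower() for d in official_domains}
    if official and reg not in official:
        report.flags.append(f"{reg} is not the organisation's official domain")

    if host.count("-") >= 3:
        report.flags.append("many hyphens in the hostname")
    if host.count(".") >= 4:
        report.flags.append("unusually deep chain of subdomains")

    segments = host.split(".") + parsed.path.split("/") + re.split(r"[=&]", parsed.query)
    if any(_RANDOM_SEGMENT.fullmatch(seg.lower()) for seg in segments if seg):
        report.flags.append("long random-looking string in the address")

    if domain_created is not None:
        age_days = ((today or date.today()) - domain_created).days
        if age_days < NEW_DOMAIN_DAYS:
            report.flags.append(f"domain registered only {age_days} days ago")
    return report


if __name__ == "__main__":
    # Constructed sample links: one legitimate, one shortener, one impersonation.
    samples = [
        ("https://www.who.int/emergencies", dict(brand_keywords=("who",), official_domains={"who.int"})),
        ("http://bit.ly/3IE2yCG", {}),
        ("https://paypal.com.account-verify-secure-login.example/login?id=a8f3k2m9x1q7z4b6w0",
         dict(brand_keywords=("paypal",), official_domains={"paypal.com"},
              domain_created=date(2020, 12, 28), today=date(2021, 1, 20))),
    ]
    for link, opts in samples:
        rep = check_url(link, **opts)
        print(link, "->", "SUSPICIOUS" if rep.suspicious else "no flags")
        for flag in rep.flags:
            print("   -", flag)
```

The checker only reports flags; deciding that a link is malicious still needs a human or a reputation service, and a link with no flags is not thereby safe. Short brand keywords such as “who” will match inside unrelated words, so in practice prefer the official-domain check, which is exactly the test Dubawa applied to the WHO link.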

    The researcher produced this fact-check per the Dubawa 2020 Fellowship partnership with Vision FM to facilitate the ethos of “truth” in journalism and enhance media literacy in the country.
