South Africa’s government is taking cybercrime seriously. The revised version of its Cybercrimes and Cybersecurity Bill, which was published in August 2015, is set to be released during 2016.
The bill is a crucial and welcome step in the fight against phishers, hackers and online identity thieves. It defines various offences that relate to data, messages, computers and networks. It makes it criminal for anyone to acquire, possess, provide or use personal or financial information to commit an offence. Unlawfully acquiring, possessing, providing, receiving or using passwords, access codes or similar data also constitutes an offence.
It doesn’t stop there. The bill provides for the ministers of police, defence, telecommunications and postal services to set up various new structures and positions to improve computer security. For instance, the government will be empowered to establish a Cyber Response Committee, a National Cybercrime Centre, Incident Response Teams and other mechanisms for reporting and investigating cybercrime. Importantly, the legislation also grants extensive powers to the police and the State Security Agency to search, access and seize anything related to investigating such matters.
But legislation alone cannot stop cybercrime. Education is key so that individual computer users learn not to respond to phishing emails. This bill does not force computer users to do or not do something: it simply cannot influence human behaviour on its own. A number of studies globally have indicated that individual computer users remain a weak link in the online security chain.
South Africans hugely at risk
User education is more important than ever. Research suggests that South Africans are being increasingly targeted by cybercriminals. In January 2016, the country jumped from 67th to 22nd position on cybersecurity firm Check Point’s live Cyber Attack Threat Map. Doros Hadjizenonos, Check Point’s country manager in South Africa, told a news website that the company had seen “an increase in phishing attacks targeting video-on-demand users, who are tricked into handing over their passwords under the guise that their accounts need to be updated”.
Meanwhile, internet security company Trend Micro’s latest report shows that unsolicited bulk email or spam, a popular method used to launch email phishing attacks, peaked at 2,269,039 in December 2015. The company also reported that 6,185 personal computers in South Africa protected by its technology had banking malware installed on them during 2015. This is software that’s downloaded onto a computer without the user’s knowledge to perform a malicious act – such as stealing passwords and account numbers.
Phishing remains an extremely popular method of identity theft. Cybercriminals try to trick computer users into divulging personal financial information. This can then be used to steal money or commit fraud. Victims can lose enormous amounts of money. Computer network and security firm RSA’s Online Fraud Resource Centre estimates the global cost of phishing attacks for December 2014 at US$4.5 billion. In South Africa alone, about $49 million was lost to phishing during 2015.
The practice of phishing is becoming more common as more and more services become available online. People can bank, shop and watch movies online, creating a number of new opportunities for cybercrime. Cyberattacks are also becoming increasingly sophisticated and less easy to spot.
Educating computer users
This evolving and growing threat certainly requires legislation that defines offences and establishes structures for reporting and investigating cybercrime. But, as we’ve outlined, user education is equally important.
It is essential that computer users be educated about the risks that cyberattacks pose. This includes developing training and awareness about how to prevent and detect such attacks. These initiatives could range from placing relevant information on financial institutions’ websites to generating media awareness through newspapers, magazines, radio and TV. More formal training sessions and education could also play a role.
Our research group at Stellenbosch University is currently examining ways to improve online security in South Africa. This involves gauging people’s understanding of the threat of phishing and the steps they take to avoid falling victim to such attacks. Whether you think you’re vulnerable to phishing, believe you’re well protected or genuinely have no idea, you can contribute to this research by completing the survey.