Deceptively alluring; invitation to the greedy and gullible


Wed, 24 Oct 2018 Source: Francis Owusu-Achampong

A South African colleague who was on a duty tour of Ghana in my previous work place commented that Ghanaians are extremely polite when he heard expressions like “please, good morning; please, thank you”, among other typically Ghanaian deceptive cultural mannerisms. I told him I was not too sure whether to take his comment as a compliment, an insult, or whether he was simply mocking Ghanaians.

Ghanaians are generally hospitable and welcoming to the extent that when you ask for directions to a place, you may get someone who would volunteer to escort you to the exact point. Just like any human society, however, one should not be easily taken in by any outward show of excessive kindness or even respect as dogs that bite rarely snarl. Another of our weak characteristics is our general lack of risk consciousness and disaster preparedness.

Personally, I do not take expressions of excessive kindness or empathy as connoting respect or anything near that. The expressions of excessive desire to assist may represent an abuse of respect because they do not in any way exemplify the speaker’s real disposition. Tread on the same person’s toes and check the over-reaction.

I simply cannot imagine how “extremely and apparently polite” citizens can be so callous as to engage in mob lynching of suspected thieves or other hapless humans on some flimsy charges. Simply put, all that glitters is not gold to be embraced hook, line and sinker. One must also beware of Trojan horses, irrespective of how elaborately these have been decorated.

Carried into the finance space, it is fair to state that any investment scheme that promises super profits must be taken in with a pinch of salt. Sadly, this common-sense approach to savings and investment is easily jettisoned as soon as some people find investment proposals so alluring or enticing. If it were so easy to make windfall profits instantly, why is everybody not super rich?

Some investors on the stock exchange sometimes make extraordinary gains. One must understand, however, that such windfalls are few and far between in view of the concept of information asymmetry. Barring the unethical practice of insider dealing, which is proscribed by various laws in the securities and exchange arena, it is difficult for one person or group of people to manipulate the demand and supply of investment instruments on any stock exchange for exceptional gains continuously. Those who make their riches on the stock exchange are patient investors who bide their time and study the demand and supply patterns in the long term, buying to hold for extended periods and releasing just in time to obtain some gains. That there is any investment vehicle that produces super profits continuously is a complete fallacy.

The much-acclaimed panel discussion on ponzi schemes organized by TV3 and 3FM last week gave me real food for thought. The panelists were simply superb in their short presentations on how to identify the characteristics of ponzi schemes. I was particularly intrigued by someone’s aversion to the use of the word “greed” to describe investors in ponzi schemes and similar scams. The panelist who used the term brilliantly defused tension by quoting the dictionary definition of greed, explaining that he did not mean to insult anybody by his use of the term. Listening attentively, I said to myself, “there we go again as typical Ghanaians who play upon words needlessly”. I felt the panelist was simply too diplomatic and his apology was even misplaced.

Greed is defined “as intense and selfish desire for something, especially wealth, power or food, or a strong desire to continually get more of something, especially money”. In the realm of finance, therefore, a greedy person is certainly someone who is motivated by an inordinate desire for extraordinary profit or gain. How else can one embellish the meaning to make it “fashionable or acceptable?”

Interestingly, greed (just like fraud) transcends economic and social status of the originators or victims. The perpetrators and/or the victims can be highly placed or common individuals in society. It was not surprising therefore for one of the panelists to exclaim that he was astounded to find the caliber of people who became victims in the earlier cases of ponzi schemes gone sour in the Pyram and R5 episodes. The higher the return, the higher the risk is a common cliché in investment circles and this is not a new phenomenon or only known to an exclusive few.

Any investment product that promises exceptional returns must be viewed as carrying commensurately high risk. How free people, not laboring under undue influence or coercion, choose their own levels of risk appetite and ignore this common-sense approach in their investment decisions defies rationalization.

Given the circumstances under which otherwise knowledgeable persons invested in such schemes and lost considerable sums, it does not serve any useful purpose to clothe greed in any other form. It is like calling a spade a piece of farming or construction equipment. The description in no way changes the use to which the tool is put. An ostrich that dips its head in the sand at the onset of a problem does not thereby dissolve the imminent danger or catastrophe.

It all boils down to how we use words to camouflage our true feelings or identities. Hypocrisy has become so embedded in our psyche that we cannot call the bluff of a thieving big man or woman. As a consequence, we consciously breed a corps of immaculately dressed persons with big titles fleecing unsuspecting Ghanaians and ironically earning undeserved respect.

Scams have been a part of human society for centuries, even millennia. They are used to bilk unsuspecting people, or to gain information or power. They usually come in such enticing forms that many people are momentarily disposed to switching off common sense and plunging into the snare of the originator.

The world of the internet and other mobile communication media has broadened the forms of carefully crafted scams, most of which border on the proverbial Nigerian 419 schemes. These scams have become more prevalent, especially since scammers can send out millions of emails simultaneously. They usually cast a wide net in the form of text messages and e-mails, hoping to hoodwink a handful of gullible and greedy people hungry for instant riches.

The words “phishing” and “pharming”, as used in information security risk, mimic the noble occupations of fishing and farming, the latter of which has given me the desired stress relief in retirement. That the pronunciation of the two sets of words sounds similar does not in any way glorify the menace inherent in the caption of this article.

I am motivated to join the education on ponzi schemes and other seemingly alluring scams to throw more light on the concept of phishing in the internet space to forewarn unsuspecting people about this scam. Hopefully, people would not throw away their wisdom when greed and gullibility come knocking at their doors with exceptionally juicy offers.

Phishing as used in information risk is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons. Offers are disguised as coming from a trustworthy entity in an electronic communication via text or e-mail.

Phishing has been created as a homophone of fishing due to the similarity of using a luring substance or bait in an attempt to catch a victim. It is reported that the annual worldwide impact of phishing could be as high as US$5 billion (https://en.wikipedia.org).

Phishing is typically carried out by e-mail spoofing or instant messaging. Phishing scams often direct users to enter personal information at a fake website which is usually nearly identical to the legitimate website of, say, a bank or other financial institution. The only difference is usually the URL of the website. (A URL is an address that shows where a particular page can be found on the World Wide Web; URL is an abbreviation for ‘Uniform Resource Locator’.)

Communications purporting to be from social websites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that distribute malware, that is, software designed for malicious purposes.

Phishing is an example of social engineering techniques used to deceive users, and exploits weaknesses in current web security. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures, like effective electronic firewalls.

Phishing scams may come in a variety of ways, some of which are explained below. Practical examples are also provided to enable potential victims to ward off such enticing propositions.

A phishing scam may come in the following ways, designed to trick one into providing vital information about one’s bank account details, in the hope of some reward.

1. (Dear Sir/Madam, your income tax refund of Rs. 15,480 has been approved and your bank account will be credited shortly. Do kindly verify your account no. 5 XXXXXX6755. If the same is incorrect, quickly follow the link below to update your bank record on file)

Here, a recipient must simply ignore the message, particularly so when you have not filed any income tax return and are not expecting any refund. When you respond with your correct account details, the scammers may even come back to ask for your PIN and other sensitive account details and subsequently drain the balance on your account. Since when did you file income tax returns in South African rands?

2. In other cases, the scammers may send a message through e-mail or text ostensibly from your bank which is in the process of upgrading its systems. They may request you to confirm your account details for the upgrade to be completed.

Note here that no credible bank will ask you to confirm your account details to assist them in any technology upgrade. Banks have backups stored for any such exercise and will not request the customer’s account details. Also check for the correct URL of your bank’s website to ensure that it has not been cloned.

3. Another way by which you may be defrauded is when the scammers send a message to the effect that you have won some huge amount in a lottery that you have not even participated in. Then they will ask for your bank details and password to enable them to credit your account with the proceeds.

Never respond to such crap, unless the spirit of greed has suddenly possessed you. Even when you become the beneficiary of a bank’s raffle, the bank will simply inform you but not ask for your account details which they have already. Do not respond to any fake requests for additional information on your financial records.

4. A new scam in the mobile telephony space is for scammers to send a message that the telecom company is upgrading its system or that there is a problem with your mobile wallet that needs to be fixed. The miscreant would ask for vital details about your account, including your balance and/or PIN, which they would then use to deplete your wallet or bank account, where the wallet has been linked to your main bank account.

In such situations, simply refrain from responding to the message, orally or through text or email.

Other types of phishing scams

When directed at specific individuals or companies, a phishing attempt is termed spear phishing. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success.

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.

The term whaling has been coined for spear phishing attacks directed specifically at senior executives and other high-profile targets (Wikipedia). In these cases, the content will be crafted to target a senior manager and the person’s role in the company. The content of a whaling attack email may be an executive issue such as a subpoena or customer complaint.

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization.

Intentionally misspelled URLs or the use of sub-domains are common tricks used by phishers. For instance, the correct web address for Ecobank Ghana Limited is www.ecobank.com. A spoofed or fake address may however be cloned to read www.ecobanc.com to deceive a recipient into believing that the message is from the legitimate website of Ecobank Ghana Limited, but note the spelling in the spoofed website created by the scammers.

Another common trick is to make the displayed text for a link (the text between the anchor tags) suggest a reliable destination, when the link actually goes to the phishers’ site. Many desktop email clients and web browsers will show a link’s target URL in the status bar while hovering the mouse over it. This behavior, however, may in some circumstances be overridden by the phisher. Equivalent mobile apps generally do not have this preview feature.

Internationalized domain names (IDN) can be exploited via IDN spoofing or homograph attacks to create web addresses visually identical to a legitimate site that lead instead to a malicious version. Phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain. Even digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website, or to host the phish site without SSL at all.
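The deception tricks described above (a misspelled lookalike domain, a brand name tucked into a sub-domain of an unrelated site, link text naming one site while the link points to another, IDN homographs, open redirectors, and a site served without SSL) can be checked mechanically before a link is trusted. The following is an added example in Python, not code from the article; the protected brand list and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed list of brands a defender wants to protect (assumption, not from the article).
KNOWN_BRANDS = {"ecobank.com"}

def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character misspellings such as ecobanc.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive registrable domain: the last two labels (good enough for .com-style names)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def analyse_link(display_text, href):
    """Return a list of finding codes for one hyperlink (display text plus actual target)."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    reg = registered_domain(host)
    # 1. The visible text names a domain that differs from where the link really goes.
    m = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if m and registered_domain(m.group(1)) != reg:
        findings.append("display-mismatch")
    # 2. IDN / homograph: non-ASCII characters or punycode labels in the host name.
    if any(ord(ch) > 127 for ch in host) or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn")
    for brand in KNOWN_BRANDS:
        if reg == brand:
            continue  # genuinely the brand's own registrable domain
        # 3. Brand label used as a sub-domain of some other registrable domain.
        if brand.split(".")[0] in host.split("."):
            findings.append("brand-subdomain")
        # 4. Registrable domain is a close misspelling of the brand.
        elif levenshtein(reg, brand) <= 2:
            findings.append("lookalike")
    # 5. Open redirector: a query parameter whose value is itself a URL.
    if any(v.lower().startswith(("http://", "https://"))
           for vals in parse_qs(url.query).values() for v in vals):
        findings.append("redirect-param")
    # 6. Plain HTTP: the phish page is hosted without SSL at all.
    if url.scheme == "http":
        findings.append("no-tls")
    return findings
```

An empty list means none of the six heuristics fired; the checks are indicators for a reviewer, not proof that a link is safe.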

Next week, I intend to discuss other forms of phishing scams and suggest ways by which reasonable people could avoid becoming victims of such scams. At this point, my caution is for all to tone down their risk appetite and gullibility as the economy gradually moves into a stabilization mode. In a well-functioning economy, extraordinary gains may become rare and people can only expect to get reasonable returns on their investments with credible financial institutions.

References: www.wikipedia.com.

The writer is a Fellow of the Chartered Institute of Bankers and an adjunct lecturer at the National Banking College, a farmer, and the author of the textbook “Risk Management in Banking”. Email: koriginal59@gmail.com; Tel. 0244 324181 / 0576436414

Columnist: Francis Owusu-Achampong