As South Africa nears the end of its extended lockdown as a result of the COVID-19 pandemic, the past few weeks have seen a spike in cybercrime, with more people working and studying from home and needing to be online. Hackers have cottoned on to this too, and have been tailoring their malicious attacks to pose as business tools.
This is according to specialists at the University of Cape Town (UCT), which, together with the Institute of Information Technology Professionals South Africa (IITPSA), has issued a warning for those working from home.
“With more people working remotely during the lockdown, the risk of cybercrime increased, but awareness could be raised by using the same social engineering techniques criminals use,” the pair highlighted during a webinar.
“Social engineering could be applied to manage social change and regulate the future development and behaviour of a society, or by using deception to influence a person to take an action that is not in their best interests,” added Ghamza Jacobs, senior systems engineer at UCT.
Specialists at the tertiary institution noted that despite stepped-up efforts by organisations to increase cyber resiliency, it is still employees who present the softest target for hackers at this time.
“To understand why cyber criminals are still successfully attacking organisations using social engineering, we need to understand how people make decisions and how social engineering succeeds,” explains Jamiela Dawood, UCT technical specialist.
To do so, the UCT team applied the Principles of Persuasion outlined by Dr Robert Cialdini of Influence at Work and conducted an experiment on campus to determine how much information they were able to obtain from subjects.
They found that by using the six specific principles – reciprocity, scarcity, authority, consistency, liking and consensus – they were able to get students to share personal information and scan a QR code with no concern about whether it contained embedded malware.
While that does not make for good reading, the UCT team have been able to make the most of their findings in order to better secure their campus from cyberattacks.
“We decided to apply the findings to our campaigns. We at UCT now apply these principles of persuasion to our cyber security awareness campaigns for students and staff. By tapping into these, and using social engineering for good, we have had some success. So, while phishing still happens, the number of people who respond and report early has increased,” says Dawood.
This experiment shows that creating user awareness is critical at this time, especially as many employees will still be working from home despite the lockdown going from level 5 to level 4.
“As ICT professionals, we have a duty of care to help secure our businesses and citizens, and support business as usual – particularly at this time,” adds Tony Parry, IITPSA CEO.
It is therefore crucial that organisations continue to hammer home the importance of being aware of one’s activities while online and when connecting to the business network, and of remaining as vigilant at home as you would be at the office.