The extent of the phishing challenge

The prevalence of phishing, which poses a significant risk to Internet security, continues to grow at alarming rates (Gupta et al., 2016). Phishing represents a method of online identity theft, in which cybercriminals attempt to deceive computer users into divulging personal financial information such as passwords and account numbers (Butler, 2007, p. 518). Symantec’s 2016 Internet Security Threat Report (Symantec, 2016, p. 31) indicates that one in every 1,846 emails sent globally are phishing emails (this excludes directed spear phishing attacks). Furthermore, this report indicates that in 2015, malicious emails grew in number and complexity and remain an effective medium that cybercriminals employ to launch phishing attacks (Symantec, 2016, p. 31).

As first large-scale phishing attacks were launched in 2004 (Gupta et al., 2016, p. 2) and South African online users were targeted for the first time in May 2005 (Butler, 2005, p. 2), phishing attacks have increased in both quantity and sophistication and by 2013 more than 37 million users around the world had been subjected to phishing attacks (Kaspersky Lab, 2013). The latest South African statistics indicate a digital onslaught on South Africa. In January 2016, South Africa jumped from 67th to 22nd position in global cyberattacks (Check Point, 2016). Following this dramatic increase, the South African Banking Risk Information Centre (SABRIC) announced that the South African banking industry is embarking on a national campaign to empower consumers to avoid compromised cybersecurity (SABRIC, 2016).

The 2016 reports of the Anti-Phishing Working Group (APWG), an association committed to reducing phishing, indicate a 65 per cent year on year growth in phishing (Figure 1). It is evident from Figure 1 that although cyclic in nature, there is a clear increasing global phishing activity trend.

Cybercriminals can use the information obtained through successful phishing to either transfer funds from a victim’s account or to commit fraud, including identity theft, when they open accounts or enter into transactions in the victim’s name (Khonji et al., 2013, p. 2092). Cybercriminals are also increasingly taking advantage of social networks, instant messaging and mobile applications to reach potential victims (Symantec, 2016, p. 31).

Phishers target industries “with a heavy volume of monetary transactions” (Bose and Leung, 2014) and as a result...