When the Digital Door Opens – Understanding Cyber Crime Entry Points for What They Are and Can Become

Introduction

In our digital world, the greatest threat to a business or individual often begins with something small—an email, a phone call, or a message that appears trustworthy. These seemingly innocent interactions can be the point of entry for much more devastating consequences. So what are the Cybercrime entry points and what should you do about it?

The Entry Points – Understanding the Threat Vectors

These are not just technical terms—they are everyday tactics that criminals use to breach your systems:

• Phishing: Generic, mass emails that appear to be from trusted institutions (like banks or SARS), designed to trick you into sharing personal or login information.
• Spear Phishing: A targeted form of phishing. Instead of casting a wide net, criminals use personal information to send tailored emails, making the scam more believable.
• Vishing (Voice Phishing): Phone calls pretending to be from tech support, banks, or government departments asking for access to your devices or confidential data.
• Smishing (SMS Phishing): Deceptive text messages, often pretending to be urgent delivery notices or banking alerts, with malicious links.
• Pharming: Redirecting users from a legitimate website to a fake one that collects login credentials or credit card numbers without the user even realising it.
• Business Email Compromise (BEC): When a legitimate business email is hacked or impersonated to send fraudulent instructions, often to divert payments or impersonate executives.
• Online Shopping Scams: Fake e-commerce sites or listings that accept payments for products that are never delivered, or steal card information during checkout.
• Tech Support Scams: Pop-ups or calls claiming your device is infected, coercing you to download remote access tools or malware.
• Ransomware: Malicious software that encrypts your data and demands payment for its release. Entry often occurs through phishing or infected websites.

The point is, if you have received an interception attempt, you should not ignore it. It is tremendously helpful to identify its origin. If an interception has occurred, then there are key steps to take, even if no further action, such as data compromise or (any form of) loss, has taken place.

Under the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”), the act of interception would also violate the Act’s prohibitions on unlawful interception of data and deceptive or fraudulent electronic communications. In addition, the act of illegal interception or access to your system (once compromised) may constitute a cybercrime under the Cybercrimes Act 19 of 2020, which should be reported to the South African Police Service (“SAPS”).

In summary, these incidents occur with an (unlawful) interception where the action taken is to gain interception is deceptive by nature (and often criminal at the outset), once there is access unlawful processing of personal information occurs and usually includes a breach, which ultimately may occur to culminate in a further action, which is more often than not criminal and severely damaging financially or by reputation. The intertwined nature of privacy regulations (underpinned by constitutional rights), criminal and civil recourse are all at play. It is therefore vital to seek specialist legal advice.

Reporting Obligations Go Beyond “Cybercrime

As a general regulatory requirement, the Protection of Personal Information Act 4 of 2013 (“POPIA”) requires responsible parties (whether individuals or companies) to secure personal information against loss, unauthorised access, or destruction. And when that fails—even if unintentionally—there are two critical duties:

1. Report the Breach

Even if it was not a direct “cybercrime” (in terms of the Cybercrimes Act 19 of 2020), any unauthorised access or potential access to personal information (whether yours or that of a party you are processing) must be reported to:

• The Information Regulator
• The data subjects (the people affected)

2. Report the Processing If Unlawful

It’s not just about the breach. If personal data is processed (used, stored, or transferred) unlawfully, this must also be reported to the Information Regulator — even if there is no data loss. Many business owners believe that if no criminal act has occurred, there is no need to report unauthorised access. This is not the case:

• POPIA is about data responsibility, not intent.
• Failure to report may result in enforcement, fines, and reputational damage.
• You may not be aware of the full extent of the breach without an investigation.
• You could unknowingly become a launchpad for future cyberattacks.

Your Next Steps if a Compromise Occurs: A Legal and Practical

Response Plan

1. Isolate the Incident
2. Assess and Document: Identify the data involved, the method of breach, and whether it was accessed or leaked.
3. Report as Required: Notify the Information Regulator and all affected parties as required under POPIA.
4. Legal Support and Recovery: Obtain legal assistance to mitigate liability, support victims, and fulfil contractual obligations.
5. Prevention Through Training and Policy: Update cybersecurity policies, employee training, and data management practices to enhance security.

Conclusion

Whether you were targeted or inadvertently used as the access point, you are not powerless—but you are responsible. Proactive reporting and action can help you manage risk, protect your clients, and preserve trust in your business.

At SchoemanLaw Inc., we help businesses prepare for and respond to cyber incidents and POPIA compliance challenges.

For further assistance, consult an attorney at SchoemanLaw.