Cybercrime

One of the most common cyber-attacks, phishing operates through emails which are often convincing and appear to come from legitimate senders. These messages entice their targets to click on links or attachments which, in turn, facilitate theft or fraud.

What is phishing?

Phishing uses scam emails to convince users to click on a malicious attachment or link. These can infect the victim's computer with malware which gleans private information, allowing an attacker to steal money, disrupt business operations, or destroy data.

Phishing attachments often bypass security and anti-virus programmes by using Microsoft Office 'macros' which download malware if run. Links may connect to seemingly legitimate websites, which exploit vulnerabilities in the victim's computer to install malicious code. Alternatively, these webpages may simply trick the user into entering personal information.

Sophisticated attackers aim convincing 'spear' phishing emails at carefully selected groups, researching recipients through social media, website information or public facts about their organisation.

High-volume phishing, on the other hand, targets as many recipients as possible - of whom only a tiny percentage have to be caught for possible success. Fake invoices, delivery notifications, receipts and banking updates can all be used as lures in these attempts.

The risks to business

• Data theft (or encryption for ransom)
• Hardware damage
• Fraudulent internet banking redirection
• Financial theft

How can I defend my business against phishing?

• Install and update reputable anti-virus software, and keep systems up to date with new releases and security patches.
• Never open attachments, click links or download software from unknown sources or questionable websites.
• Put in place protective policies and training to ensure that staff have the knowledge to conduct business safely online.
• Limit access to systems and information based on job duties, and split financial responsibilities between employees.
• Restrict internet access to trusted websites, and limit the use of external media devices.
• Be aware of what information is available about you and your organisation on social media and the wider internet. If you know what can be found, you can be more alert to its use in an innocuous-looking email.

Most importantly, learn to spot a suspicious email!

Malicious software is coded with the intention of harming its target. Affecting private and corporate users alike, it can steal information, damage data, hijack website visits and spy on internet activity. Fraudulent redirection of internet banking users is an increasingly frequent form of attack.

What is malware?

Malware can hide inside innocuous-looking software (trojans), or spread between machines without relying on user interaction (worms). It can be custom-designed to evade defences and execute specific tasks.

Once inadvertently installed, malware can carry out many activities unseen. It may spy on website visits, destroy data, or piece together passwords. Increasingly, it’s being used by criminals to encrypt important business information until the organisation pays a ‘ransom’. Internet banking users might also be redirected to fake sites which record their login data to enable financial theft.

Malware is usually delivered via email ‘phishing’ or fraudulent links. Malicious apps and USB memory sticks can also compromise smartphones and computers respectively. Malware can stay hidden for months until activated.

The risks to business

• Data loss
• Financial loss
• Hardware damage
• Paralysis of business activity

How can I defend my business against malware?

• Put in place strong response, recovery and back-up processes.
• Run up-to-date anti-virus software on all machines, and consider systems that use file reputation / behaviour analysis within a safe sandbox system. Network behaviour anomaly detection (alert to attacker commands) is another systems security option.
• Keep your PCs, servers and associated hardware up to date, installing the latest security patches as they become available.
• Make sure that your staff avoid questionable websites, and know not to download free software / apps, run MS Office macros on email attachments, or use USB sticks, from unverified sources.
• Consider application whitelisting (blocking any software not already authorised).
• Use different passwords for different business logins.

Cyber-attacks on SMEs have increased steadily in recent years. With criminals constantly devising new ways to steal information and money, one of the newest emerging threats is Business Email Compromise. This scam is a global phenomenon, targeting companies irrespective of size, industry, who or how they bank. Huge sums can be lost because of one spurious email.

What is Business Email Compromise?

A fraudster emails a company's payments team, impersonating a contractor, supplier, lawyer, creditor or even someone in senior management. The email might appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often, it instructs the recipient not to discuss the matter with anyone else.

Since the sender's email closely matches a known address, this type of fraud often goes unnoticed until too late. Cybercriminals may even hack into a real email account from which fraudulent communications are hard to identify.

Business email compromise in the real world

Email compromise thwarted

A finance assistant received an email that appeared to be from one of his colleagues, instructing him to create an urgent payment.

The assistant was on annual leave at the time, but had checked his emails and responded asking if it could wait until his return. He received confirmation that this was fine.

On his first day back, he created and authorised the payment. HSBC, however, identified this as a suspicious transaction and put it on hold. The assistant was then contacted by HSBCnet Fraud Operations team to verify the payment.

The assistant confirmed that he had created and authorised the payment, but the team encouraged him to re-check it given the prevalence of this scam. When he did so, by speaking to the colleague he thought had made the original request, he discovered that it was fraudulent and that his colleague’s email had been compromised.

The assistant informed the fraud team and the payment was withdrawn. On this occasion, no money was lost.

The importance of communication

A member of a finance team received an urgent email from the company’s CFO to make a payment transfer.

The instructions were marked as private and confidential relating to a deal and stated that the matter should not be discussed with any other member of staff as it may jeopardise the deal’s closure.

The finance staff carried out and authorised the transaction.

Later the same day, the finance staff saw the CFO and mentioned that he had carried out the payment as instructed. The CFO looked puzzled and asked, ‘What payment ?’

If the finance staff had simply called or spoken with the CFO to verify the transaction ahead of pressing the ‘Submit’ button, they would have discovered that this was not a legitimate request and that the CFO’s email had been compromised.

The risks to business

• Significant financial loss
• Reputational damage

How can I defend my business against email compromise?

• Make sure your staff are alert to this type of fraud. In particular, they should:
  • be wary of requests for secrecy or pressure to act quickly;
  • never post sensitive information, such as job descriptions, duties or organisational charts, online;
  • be suspicious of sudden changes with regards to business practices both within the organisation or with suppliers, and verify such changes through alternate channels; and
  • carefully scrutinise payment requests where they are out of the ordinary, unexpected or unusual.
• Implement a two-step payments verification process that includes a non-email check (e.g. phone/SMS) with the initiator.
• Always use known contact details to follow up an email request, but don't:
  • reply directly to the initial email; or
  • use any phone numbers or other contact information included in the email.
• Check email addresses.
• If in doubt, do not make the payment.

Texts and phone calls can be used maliciously to facilitate theft and fraud. 'Vishing' calls try to alarm recipients into making payments or providing important financial information. 'Smishing' texts may additionally try to entice their target to click on malicious links, activating trojan viruses which can steal passwords and other high-value data.

How do phone and text scams work?

Phishing phone calls ('vishing') and scam texts ('smishing') are common attacks, designed to trick targets into divulging personal information that can be used for theft or fraud. Both vishing and smishing are cheap, and require little technical knowledge.

Many vishing campaigns are high volume, using auto-dial and broadband calling to contact thousands of potential victims per hour. They try to drive fear-based responses: for example, a spurious bank call-back service which pretends to alert the victim to bank account fraud, then requests detailed card information on response.

Then targeting organisations, attackers often impersonate a senior employee requiring urgent assistance. They may pretend to be in a rush, in an attempt to take control of the conversation.

Smishing has begun to overtake vishing in popularity. With many victims still unused to receiving spam texts – and the growth of text banking – it currently enjoys a higher success rate.

Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing emails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.

The risks to business

• Data theft (or encryption for ransom)
• Fraudulent internet banking redirection
• Financial theft
• Identity fraud

How can I defend my business against vishing and smishing?

• Raise awareness of the potential impact of vishing/ smishing on your business, and implement a policy for reporting suspected cases.
• Train staff never to share financial or company information with unverified callers.
• Learn to spot suspicious calls and text, and never:
  • be rushed into making a quick decision in response to an urgent request.
  • provide personal or financial information over the phone.
  • use numbers provided by the caller or in the text, in preference to known contact numbers.
  • click on a link in a text you were not expecting.
• Where a vishing call is purporting to come from a member of staff, there can be several give-away signs:
  • The caller refers to the organisation by name on a supposedly internal call.
  • The call is made to your country from one country, for information on another.
  • The caller instructs the recipient on using internal systems to provide information.