Investec Private Banking notes that our perception of “hackers” is a far cry from the sophisticated career criminals we see in real life, and it is this disparity that makes cybercrime so difficult to guard against as people don’t understand their motivations, so worth taking a deeper look into what hackers are targeting.
Menny Barzilay, co-founder and CEO of cybersecurity firm FortyTwo Global, has a thought experiment to get into the mind of a hacker and to understand the challenges they face. While they might be looking to attack a website or internal network, the basic goal is to find sensitive information.
Imagine you’ve hired a new member of staff. On their first day, you give them unrestricted access to the company’s network and then ask them to identify sources of sensitive data. Next, imagine you’re a hacker who has limited access to the network. How difficult would it be to find a company’s most important digital assets?
“A few days or even a few weeks,” he says. “The hacker will start with lateral movement, which means improving his access within a network in order to become a superuser. While they might be looking to attack a website or internal network, the basic goal is to find sensitive information.”
According to Barzilay, if a hacker is trying to attack the financial sector, their goal may be to wire transfer money to another point or to find the core banking system and try to steal money.
Certainly, there are lots of ways hackers will target businesses. Here are the top three:
What’s in an email?
Almost as soon as email became available it has been used to defraud individuals. New data released by Action Fraud and the National Fraud Intelligence Bureau (run by the City of London Police), shows there are 8,000 reports of phishing emails per month.
“Fraudsters no longer need access to your bank accounts in order to steal money,” says Eddie McGovern, head of fraud prevention at Investec. “Phishing emails are used to steal usernames and passwords, which people can then use to access your personal or work email accounts and in turn to assume your identity.”
Requesting money from your clients by using doctored invoices is a key concern. Hackers do this by intercepting emails, changing bank details on the invoice and forwarding it on for payment. By either using your actual email account or spoofing the domain in the email address (changing a letter to make it appear legitimate), the recipient pays, believing it’s genuine.
“It’s the same story with suppliers,” says McGovern. “Fraudsters are able to contact your suppliers directly and then have payments diverted to them. They will often also offer deals that are too good to be true. It’s surprising how easily this works.”
Impersonating the CEO of a business via email, demanding immediate action is an example of a method cybercriminals use to get staff to make payments. A recent report from the City of London Police’s National Fraud Intelligence Bureau shows that more than £32 million has been reported to be lost as a result of CEO fraud.
We’re the same, you and I
Fraudsters aren’t just looking to impersonate you; they’re also looking to impersonate your clients. By gathering data from your emails it’s possible to create a fully rounded profile of clients that can dupe even diligent workers.
“Cybercriminals can use your email data to create fake ID documents for the company or gain access to their accounts,” says McGovern. “Through identity theft, they are able to take out loans and other financial agreements in their name.”
Identity theft can be big business for UK cybercriminals. According to Cifas, the UK’s leading fraud prevention service, identity fraud hit an all-time high of 174,523 cases in 2017 (up 1% from 2016). 95% of these cases involved the impersonation of an innocent victim.
Identity theft is on the rise. When backed up by email addresses and telephone numbers from your email account it often takes just a single piece of personal information to appear genuine.
“Fraudsters use stolen information to contact your client with the intention of persuading them to divulge their bank account details or log-in details,” says Eddie McGovern. “One of the most prevalent is authorised push payments fraud — which cost the UK £145 million in the first half of 2018. Businesses identities can also be used to open card accounts or commit tax fraud.”
Methods of identity theft evolve rapidly. While it may seem like an uphill battle it is possible to reduce the likelihood of being targeted simply by employing some cybersecurity techniques and by being aware of your privacy setting on social media.
Businesses should always adopt scepticism around unknown callers and requests for invoices. Even requests from what appears to be inside the business can make it easy to feel like it’s a minefield for the company, however operating with a level of good due diligence and double checking when deemed necessary could potentially save the business thousands of pounds in a world of increasingly sophisticated cybercrime.
Businesses and their staff should always trust their instincts when it comes to unknown callers and requests for invoices. Should there be any doubt, the employee should call an independently sourced number to clarify the request, reducing the chance of being victim to cybercrime.