Are you exposed?
There is no denying that 2015 has been a bumper year for cyber criminals, with reports of new breaches arriving almost daily. Most recently TalkTalk, Vodafone and British Gas have been the unlucky recipients of the one form of media attention nobody wants: a data breach! With the big names being hit you could be forgiven for thinking…
“We’re too small to be a target, who would want to steal our data”,
This is exactly what cyber thieves want you to think.
As an SME in a stuttering, albeit recovering, economy, cash flow is hugely important. Many business owners are focussing on liquidity, ensuring above all else that cash is available. From a cyber-criminal’s perspective that means thousands of businesses make prime targets, with cash reserves ready to plunder. Today cybercrime is the fastest growing business in the world, with an estimated annual cost to the economy of £300bn. Last year there were 312 major breaches, 348m identities exposed and 317 million new malware programs. If you are asking…
“What has this got to do with me?”
It’s because we don’t want you to become part of the statistics. Cybercrime is no longer easy to spot or easy to stop. There are many new variations and ingenious strategies that cyber criminals now use to relieve individuals and companies of their data and money. These employ powerful psychological methods to gain access (rather than the old blunt-instrument spam email that we can all now comfortably recognise, for example King John from Nigeria who is desperate to deposit £100m in your bank account). An example that has recently come to our attention is that cyber-gangs are researching companies’ online profiles to specifically target individuals within those companies who have access to data or funds.
How does this work?
These new scams are a variation on the older “Spear Phishing” and have a new name – “Whale Phishing”.
There has been a significant increase in this kind of targeted cyber-attack recently, because such attacks have a much better chance of success and almost always yield a higher return. Why? Because we are far less likely to question an instruction if it comes from someone we know and TRUST. “Whale Phishing” is an attack in which a finance officer is directly targeted, normally via email or post, by someone purporting to be a related company or a financial/company director. Targeting people with specific access to confidential information or bank accounts is always more efficient than hitting the new office junior with little or no systems access. Company details are easy to find using a process called “footprinting”, which is effectively trawling the internet and gathering as much information about a target and its systems as you can. Places that hold this kind of data are:
- Companies House
- “Meet the Team” page on your website
- Your supplier testimonials
- LinkedIn Profiles
1. I search LinkedIn and find that Joe Bloggs is the Director of JB Ltd; I can also see the contact details, including the email address and phone number.
2. I search the JB Ltd website and find that JB Limited have a testimonial from Jane Bloggs, the finance director at XYZ Co.
3. I search LinkedIn for Jane Bloggs from XYZ Co and find her contact details.
), or they may send a letter on letter-headed paper through the post. The communication will typically ask Jane to change the bank account details for JB Ltd because they have moved banks. Jane complies, as she knows the company very well and has a great relationship with them, and the next time a payment is made the money will disappear into the cybercrime economy. Sound far-fetched? – This is a real-life example of a company targeted in this way in the last month. I can also cite three more real-life examples of variations on this theme that have hit our desks at Hallidays IT in the last month. You may now be asking…
“What can I do?”
Here’s a useful list of some simple but powerful ways to protect yourselves:
- Agree in writing with anyone you do business with that any requests for change, payment, etc. are done over the phone. You could agree on a password that needs quoting each time a request is made, and only the team members that you trust will know the password.
- Limit information on business networking sites. If you have testimonials, don’t use the company names that they came from.
- Don’t put job descriptions on LinkedIn profiles – you may not need them if you’re not looking for a job.
- Don’t over-populate your website with information about your company – give a phone number instead, where interested parties can call you if they want to know more.
- Pay particular attention to any area where information about company directors can be found.
- Be more vigilant when taking phone calls, especially if you work in an accounts or payroll department. Additionally, reception staff should be extremely vigilant when asked to put a call through to a company director for reasons such as “Funds”, “Payments”, “Websites”, “Bank Details” etc. It is much safer to take a message from the caller with their contact details and then ask a non-director to return the call. This way you can investigate whether the calling company is legitimate and what the reason for the call really is. If the call really was important then they will understand your caution.
We cannot address every loophole, weakness or target in a blog; these will be unique to each individual and business, but the point remains the same: stay vigilant and be aware of the information you are giving away. Being Cyber Smart isn’t just purchasing a suite of products, unplugging from the internet or training your team; it is a mixture of all three plus being in a constant state of awareness, especially about exactly what information you are revealing about yourself.
It’s a sobering thought that most scams recover nothing.
Here’s an excerpt from an article published by the BBC about RBS last week:
70% of its customers who fall victim to a scam do not get a single penny back. Figures from the RBS Group seen by BBC Radio 5 live show the extent to which victims are losing out to scammers. From January to September this year almost 5,000 of the bank's customers fell victim to various scams - at a total cost of more than £25m. The bank says the average cost of falling for a scam has gone up by 40%.
If you want to know more, or don’t know where to start, visit Hallidays Cyber Wise for the next step in protecting yourself.