In this blog, we’ll look at the changing nature of the crimes being committed over the web, and focus on how criminals are now using the internet as a means of perpetrating “good old-fashioned” theft.
First, a bit of history. Until now, most small and medium-sized businesses assumed that they would be off the radar of the typical hacker. The expectation was that attackers would either be big, state-backed operations intent on espionage, or high-end activists or criminals trying to steal valuable data or millions in cash.
For a while, this was largely true. But in recent years, as cybercrime has escalated and become more mainstream, its nature and targeting have undergone a dramatic change. As the Global Economic Crime Survey shows, well over half of all businesses surveyed are now being attacked externally. While data is still a big target, the objective is increasingly the theft of hard cash rather than information.
This is a major shift. A haulage company – for example – might once have thought it was safe from cyberattack: after all, who would want to find out what types of tyres it was buying? But with criminals now switching to use of the internet as a means of conning money out of companies, and the rise of the cyber fraudster, no business is immune.
For most organisations, the move to doing business over the internet makes a lot of sense. But while a business can reach more customers over the internet, criminals can also use it to reach more victims. For the perpetrators, committing external fraud against businesses has often been a numbers game: try it on with enough potential victims, and even a small hit rate will generate returns that make the effort worthwhile. They are percentage players, and the internet and the growth of B2B commerce are shifting the odds in the criminals’ favour by making it easier for them to target companies, including the smallest businesses, in credible ways.
How? Take a small business that’s using webmail for its internal and external communications. For anyone who knows what they’re doing, webmail is easier to compromise, because a major element of its security is the behaviour of its user. Having compromised an account, the fraudsters can monitor and read email traffic undetected, building up an understanding of the victim’s behaviour, contacts and patterns of use. That knowledge lets them generate fake emails that have a far greater chance of success. Imagine a junior accounts person receiving an email from someone posing as their boss, telling them to pay an attached invoice while also asking how their child’s birthday party went, all bogus, of course. Most would pay, given the air of legitimacy that the familiar sender address and personal detail lend the message.
So, what can businesses do? As we stressed in our first blog, it’s vital to have the right systems and processes in place to deter, prevent and detect cyberattacks. But every bit as crucial is awareness among an organisation’s people of the types of threat it faces, so that they have the greatest possible chance of spotting an attempted fraud and are primed to question anything that looks unusual.
What’s more, this awareness needs to go beyond simply setting rules for how your people behave when using the web, especially with today’s generation of employees. It’s not practical to tell them, for example, not to use social media at work; they need to understand why using it might put the business at risk, and what the very real dangers are that you’re trying to avoid. The task is to educate, not alienate, your staff, so that when they go online they recognise that their behaviour could have a wider impact.
Overall, there’s no doubt that cyber threats are current and growing for all businesses. And it’s not just valuable data or your website that’s at risk: increasingly, more traditional frauds are being perpetrated over the internet. Our advice is to think hard about these risks, and if you’re uncertain, ask an expert. As you read this, cyber fraudsters may already be running the rule over your business, or even reading your emails. Wouldn’t it be good to know for sure either way?