Organisations large and small continue to debate how to improve their cyber security awareness. Some firms, through their GDPR compliance work, are making good progress, but few organisations seem able or willing to grapple with the number one cause of cyber crime: human error. Whilst many firms say they understand the risks, few take the threat seriously enough. At the same time firms cannot decide what to do, often because of the impenetrable language used by security software suppliers to describe their services, not to mention all the acronyms (see acronym glossary).
The need for strong firewalls, anti-malware software and operating system patching is now understood; the big issue continues to be the human factor.
The top cause of reported cyber insurance claims is ‘human error’: staff clicking links or opening attachments in phishing emails, or falling for social engineering scams. It seems we just cannot stop ‘clicking’. Most of these incidents are basic mistakes that a little cyber security awareness tuition would correct. Statistics from many credible sources show that every day firms up and down the country are being robbed of their hard earned income. Sometimes referred to as ‘fund transfer fraud’, it accounts for roughly 35% of all cyber insurance claims.
A real life cyber insurance claim this year took place at a firm of Conveyancers who were robbed of £250,000. This type of fraud has been given many names, from ‘man-in-the-middle fraud’ and ‘business email compromise fraud’ to the old favourite, ‘funds transfer fraud’, each with its own acronym of course! This particular example also falls into the category of ‘social engineering’, which is often used for this more sophisticated type of fraud.
The incident began in early 2019 with a phishing email purporting to be from the firm’s back office and billing systems supplier, with an urgent request for the user to sign in to run a system update. The user duly did so, landing on what appeared to be a genuine sign-in page. It wasn’t: the criminals captured the sign-in details, gained full access to the firm’s computer network, and then kept quiet whilst they monitored various transaction trails. One caught their eye: a very specific instruction from a seller to post the sale proceeds by cheque rather than send them by BACS.
Having found a big enough target, the criminal prepared his attack. He already had a lot of inside information on the firm from his social engineering enquiries, and he timed the attack to the day. On the agreed date the conveyancers posted their letter and cheque to the seller. At the same time the criminal sent a convincing phishing email pretending to be from the seller, saying that they had changed their mind and would prefer to have the funds by BACS transfer, and supplying bank account details: the criminal’s own bank details!
You can see where this is going. The seller’s email address looked correct, the communication appeared perfectly genuine to the firm, and they transferred £250,000.
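The fraud above turned on two things: a message that ‘looked correct’ and an instruction to change how the funds were sent. As an added example (not from the original article and not any supplier’s product), the Python below screens an inbound email against the client address a firm holds on file and flags a lookalike sender domain, a display name or Reply-To that does not match the sending address, and wording that asks for a payment to be redirected. The addresses, the three sample messages and the similarity threshold are all constructed for illustration.

```python
"""Screen inbound email that asks a firm to change where funds are sent.

Added example. Assumptions (not from the article): the firm records the
email address agreed with each client at the start of the matter, and
messages are available as plain RFC 5322 text.
"""
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed: the seller's address as recorded on the client file.
SELLER_ON_FILE = "jane.seller@example.com"

# Wording that typically accompanies a request to redirect a payment.
PAYMENT_CHANGE_PATTERNS = [
    r"\bBACS\b",
    r"\bbank (?:account|details)\b",
    r"\bsort code\b",
    r"\baccount number\b",
    r"\bchanged (?:my|our) mind\b",
    r"\binstead of (?:a |the )?cheque\b",
]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, expected: str) -> bool:
    """True for a near miss such as examp1e.com against example.com.

    0.8 is an assumed threshold; tune it against your own client list.
    """
    if domain == expected:
        return False
    return SequenceMatcher(None, domain, expected).ratio() >= 0.8


def screen_message(raw: str, expected_sender: str) -> dict:
    """Return sender flags, payment-change terms found, and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    sender_flags = []
    if from_addr.lower() != expected_sender.lower():
        if is_lookalike(domain_of(from_addr), domain_of(expected_sender)):
            sender_flags.append(f"lookalike domain: {domain_of(from_addr)}")
        else:
            sender_flags.append(f"sender not on file: {from_addr}")
    # A display name that is itself an address is a classic spoofing trick.
    if "@" in display and display.lower() != from_addr.lower():
        sender_flags.append(f"display name shows a different address: {display}")
    if reply_to and reply_to.lower() != from_addr.lower():
        sender_flags.append(f"Reply-To differs from From: {reply_to}")

    hits = [p for p in PAYMENT_CHANGE_PATTERNS if re.search(p, text, re.IGNORECASE)]

    if hits and sender_flags:
        verdict = "hold"     # do not pay; phone the client on the number on file, escalate
    elif hits:
        verdict = "verify"   # looks genuine, but every payment change is confirmed by phone
    elif sender_flags:
        verdict = "caution"
    else:
        verdict = "ok"
    return {"from": from_addr, "sender_flags": sender_flags,
            "payment_change_terms": hits, "verdict": verdict}


# Constructed sample messages.
GENUINE = """From: Jane Seller <jane.seller@example.com>
To: conveyancing@firm.example
Subject: Completion

Thanks for confirming completion on Friday. Please post the cheque as agreed.
"""

LOOKALIKE = """From: Jane Seller <jane.seller@examp1e.com>
To: conveyancing@firm.example
Subject: Re: Completion

I have changed my mind - could you send the proceeds by BACS instead of a cheque?
Sort code 12-34-56, account number 12345678.
"""

SPOOFED_NAME = """From: "jane.seller@example.com" <notifications@mail-relay.example>
Reply-To: jane.seller@examp1e.com
To: conveyancing@firm.example
Subject: Re: Completion

Please use the bank details below for the BACS transfer rather than posting a cheque.
"""

if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED_NAME)]:
        print(label, screen_message(sample, SELLER_ON_FILE))
```

The verdict deliberately never reaches ‘ok’ for a message that asks to change payment details, however convincing the sender looks: the check that actually stops this fraud is a phone call to the client on a number already held on file, not on one taken from the email.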
At a time when we are all ‘going digital’, our transactions are vulnerable to increasingly sophisticated attacks that will catch us out if we are not really careful. The control that defeats this particular fraud is simple: any change to payment details that arrives by email is confirmed by telephone, on a number already held on file, never on one supplied in the email.
Cyber security breaches are almost never the result of something that could not have been prevented.
Contact us for advice on cyber security awareness talks and training. Phone: 01342 301325 Email: email@example.com

Improving your Cyber Security Awareness