Following on from our recent series of Blog articles discussing some of the business risks and statistics around cyber crime and the associated threats to business, we thought we'd take the opportunity to explain what the current crop of key threats are which face your business.
This is not a definitive list - the reality is that your business faces hundreds if not thousands of different types of cyber attack, but the 3 "types" of attack described below are the most common affecting UK SMEs today which, if you're not already, you should have at least a passing familiarity with!
We've also provided a few key tips for preventing or protecing yourself from these types of attacks
Phishing (spear or otherwise!)
Phishing is the name given to "fake" emails which are designed to encourage a user to provide sensitive information such as a username, password, credit card information or other confidential data to a malicious party.
They are different from plain old "SPAM" as a phishing emails usually have a specific objective and will masquerade as having come from trusted (to varying degrees) sources - Paypal, eBay and the major high street banks are all strong brands that attackers will use to trick users into following a link or providing their personal information.
A Phishing attack can often be a pre-cursor to a more serious attack or fraud, where the information divulged by affected users is used to launch a further and more serious attack such as direct theft of money or further compromise of a user's system.
Whilst most Phishing attacks are pretty generic and done en-masse, "Spear Phishing" refers to a much more targetted attack where the attackers will first research an organisation or individual and then tailor their approach to be much more credible, significantly inreasing their success rate.
- Always be wary of any email which encourages you to click a link to "verify" your details or anything similar
- "Hover" your mouse over any link in an email before clicking - look out for obvious fake domain names or addresses
- Use your common sense! For example - HMRC are not in the habit of handing out refunds, and if they were they would not just email you about it.
- Consider a cyber security awareness training programme which helps your users to spot phishing emails
CEO Fraud, Conveyancing Fraud and other financial attacks
Direct financial fraud - eliciting funds from somebody through deception and fraudlent representations - in the cyber crime world comes in many guises, but the two most common methods we see are "CEO Fraud" and Conveyancing Fraud.
The term "CEO Fraud" describes a 'family' of methods of attack whereby an employee of a business is encouraged or tricked into making an online payment to the attackers, seemingly under the instruction of a senior employee - often the CEO, hence the name - but in practical terms anybody with the potential authority to request and authorise payments.
There are two ways that this fraud is typically perpetrated - in the most common and large scale cases, the attackers will register a domain name which appears at a cursory glance (which is all most of us would give it) to be the same as the target company. In this way, an email from email@example.com might quite easily be thought to have come from firstname.lastname@example.org
In more targetted examples, it is possible that one party's own account has been compromised (for example, from a previous Phishing attack) and is being used to send or edit emails in-situ on the target's own email system.
The attackers will go to some lengths to research their targets - LinkedIn for example makes it often very easy to identify an accounts executive who may be able to make a payment, and the name of their CEO, MD or FD that might request one.
Convenaycing Fraud is a not dissimilar attack which particularly targets law firms working in the residential conveyancing sector and their clients.
Using similar methods, the fraudsters typically gain access to the email account of either the victim or their solicitor. When legitimate emails are sent between these parties giving details of bank accounts into which money should be transferred, the fraudsters alter the details so the money is sent to their own accounts.
- Be alert! If something seems out of character, check with your colleague by phone, text or other means. Check the email address closely for "spoof" domain names that aren't quite right
- Have a payment policy which does not allow a single member of staff to make unplanned electronic payments without an agreed form of written or verbal authorisation
- For legal firms, have a clear client engagement letter which outlines how and when you will communicate and the security precautions in place; this should include a secure or encrypted email solution and verbal or written confirmation of any payment instructions.
- Consider a cyber security awareness training programme which can help your users to recognise and identify fraudlent emails
Crypto, ransomware & malware
I am sure most people by now have heard of the 'Crypto' viruses - there have been plenty of high profile cases in the news of organisations affected by the recent spate of Crypto attacks.
Crypto is a brand of malicious software (malware) which, when loaded on to a computer, encrypts the users files - and those of any other users to which it has access, for example on a network shared drive.
The files are encrypted using a (usually very good) irreversible encryption method, rending the files completely inaccessible.
The user can only get the files back by paying a ransom (hence the more wideranging term of ransom-ware, which covers crypto and other malicious software that results in some form of ransom)
- Do not open any email attachments you were not expecting
- Implement a suitable security policy to protect your computers and prevent unauthorised software from being run or installed
- Ensure you have a suitable , multi-layer security system in place that includes a web content filtering solution to protect from website-borne malware
- Check your backups! If you are affected by crypto, you can recover from backup or you can pay the ransom - there is usually no other way out, so it's imperative that you have good, regular backups.
We hope this blog has proved useful - we know how confusing IT and cyber crime can be with so many strange names and acronyms!
We've provided a few key pieces of advice within each section above that can help to protect you from the risks discussed.
If you'd like some further reading, why not download our FREE 7-point guide to some of the fundamental best practices that can help protect your business from cyber crime and risks?
Just follow the link below - alternatively, if you'd like to discuss your IT security with an expert, give us a call on 0333 241 9301 or contact us.