As technology improves and provides solutions to restrict traditional widespread and distributed email or web-based viruses or “phishing” attempts, Computercentric are seeing a worrying trend towards targeted and well-coordinated attempts to defraud our customers and separate them from their cash. In the last 2 months, we have seen more of these targeted hacking attempts than we have ever seen in our 10+ years in business, with one client losing over £200,000. Read on to find out more, and how you can protect your business.
It’s not just Viruses
Until recently, it has always been the case that a decent, business-grade firewall and anti-virus system would protect you from malicious software and hacking attempts. In the last 2 years, we have seen a massive growth in so-called ransomware, where malicious software will execute code that encrypts all the data on your network, and you are invited to pay a ransom to an untraceable individual in order to get your data back. Such attacks have cost many of our clients thousands of pounds in lost productivity and data recovery costs. The industry reacted, and software specifically designed to detect such attacks came onto the market, and the majority of our clients now enjoy protection from such threats thanks to software such as Sophos Intercept-X.
These sorts of attacks are generally broadcast attacks, i.e. they are distributed over email to millions of recipients whose email addresses are found by scouring the web or harvesting data from people’s address books. They work on the principle of “throw enough mud at the wall, and some will stick.”
Hackers Moving on to Where the Money’s At
It feels to us like the individuals and groups who coordinate these attacks have realised that their efforts are best spent focusing attacks on a single company, and delivering what could be described as a completely bespoke hacking experience to their victims. Don’t get us wrong, you still need a top-of-the-line anti-virus and anti-ransomware system in place. Thanks to concerns and increased awareness of GDPR and PECR, the percentage of email that is spam has dropped dramatically over recent years and months; however, the spam that has dropped off the radar is mostly harmless marketing or junk email. Your typical hacker is not likely to take note of GDPR! However, at 50% of all email traffic worldwide, it’s still high, and a good portion of that spam email carries a viral or malicious payload of some sort.
The Hackers’ New MO
The new sorts of attack have come to be called “spear phishing”, I guess because it’s phishing, but targeted at a company or individual. The process has several stages:
(1) Find the victim
This is the easy part. A hacker will identify a company who they may stumble across on social media or traditional news outlets, or they will go hunting and pick businesses at random from Google searches or public company lists. Another effective way of finding a target is by rummaging through the email of other hacking victims who have been infected with traditional malware or have had their email accounts compromised. This has the added benefit of giving the hacker a goldmine of information with which to structure an attack. Once the hacker has a prospective target, they will determine their chances of co-ordinating an attack based on the information they can get.
(2) Reconnaissance and research
With a company identified, the hacker will then gather information about key personnel in the organisation. This could be from hacked email trails belonging to suppliers or customers outside of your organisation, or it could leverage public information on Companies House, LinkedIn, Facebook etc… Or they could just pick up the phone and ask your receptionist for the name and email address of your accounts payable department. The hacker might choose to leverage traditional phishing methods at this stage to get additional information such as the email account credentials of key personnel in your business. It’s all about gaining information from you that will help them to look legitimate.
(3) Preparation
This can involve all sorts of efforts. We have seen lots of cases where the hacker will register a domain name which is almost imperceptibly different to a domain name that you recognise as belonging to a supplier. For example, you might regularly buy widgets from jon@acmewidgets.com. If a hacker knows this, they can register the domain name acme-widgets.com, or acmewidgets.co, and then send an email into your business appearing to come from Jon. If they’ve already intercepted email from Jon by hacking Jon’s company’s email system, then the email you receive might also include Jon’s normal signature, it will be in the same font, and will even use the same style of writing and familiarity that you have come to expect from Jon. We’ve even seen a case this month where a legitimate PDF invoice from a supplier was doctored such that the bank details were changed. The invoice was resent to our client, along with a couple of other apparently legitimate emails advising of the new bank details. Preparation will also involve registering legitimate bank accounts using fake ID, or obtaining stolen credit cards in order to fund any purchases that the hacking attempt will need, such as acquiring domain names and email accounts without leaving a trail.
(4) Execution
Armed with all the information they need, your hacker will set about their attack. In the last few months we have seen attacks ranging from the simple to the cunningly devious. At the simple end, it might be an email from a familiar-looking email address along the lines of:
“Hi Sarah, just got off the phone with Kev, he’s said he’s happy to pay us ASAP, would be grateful if you can sort this as we need to get the order moving now so as not to let you down. Not sure if you’ve got us on your system as a supplier yet but will sort this with Kev.”
Names have been changed of course, but Sarah is the lady who pays the bills. Kev is the MD. The email carries a legitimate looking invoice and details for where to send payment. Sarah wouldn’t want to get in trouble with Kev, so in the absence of the proper checks and balances, our hacker gets paid. Within minutes, he’s cashed the money at the bank, and will go to the bank next door to open a new account.
At the devious end of the scale, the hacking attempt will involve a chain of email leading up to the invoice or request for payment, or as mentioned above, it might involve a doctored, legitimate invoice from a real supplier, but with the bank details changed. This is what led to one client waving goodbye to over £200,000 this month. We’ve seen the emails, and to be honest, we’d have paid it too.
Don’t be the next victim
There is no technical solution that we can sell you to help stop this! This is about staff training, and having watertight processes in place to make sure you don’t fall victim. Also, don’t think it won’t be you. We’ve seen targeted attempts to defraud small businesses with 5 staff, and larger companies with thousands of employees. Remember this type of attack is not necessarily limited to email; it can be just as effective (albeit slower) through the post.
Make sure your staff are regularly trained and reminded about the importance of being vigilant to such attacks. Whilst it adds a layer of inconvenience, consider maintaining an internal list of email addresses or domain names from which you will accept invoices or requests for payment. Make sure you have proper processes and checks in place, especially when it comes to accepting and processing new bank details or setting up new suppliers on your system.
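As an added example (not part of the original article or any Computercentric tooling), here is one way the internal list of accepted invoice domains could be checked in Python, flagging the kind of near-miss domains described under Preparation. The allow-list contents, function names and distance threshold are assumptions for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains you have agreed to accept invoices from.
APPROVED_DOMAINS = {"acmewidgets.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Drop the final label and any hyphens, so that acme-widgets.com and
    acmewidgets.co both reduce to 'acmewidgets'. Multi-part suffixes such
    as .co.uk are not handled here."""
    return domain.rsplit(".", 1)[0].replace("-", "")


def classify_sender(from_header: str, approved=APPROVED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain); verdict is 'approved', 'lookalike'
    or 'unknown'. Only the address is examined, never the display name."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return ("unknown", None)
    if domain in approved:
        return ("approved", domain)
    for good in sorted(approved):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)  # near miss of a trusted supplier: escalate
    return ("unknown", None)  # not on the list: follow the new-supplier process


if __name__ == "__main__":
    # Constructed sample headers based on the article's acmewidgets example.
    for header in ("Jon <jon@acmewidgets.com>", "Jon <jon@acme-widgets.com>",
                   "jon@acmewidgets.co", "billing@example.org"):
        print(header, "->", classify_sender(header))
```

An "approved" verdict only says the domain is on the list; a compromised supplier mailbox would still pass, so changes to bank details need confirming through a separate channel regardless.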
It’s important to understand the power of the information you and your colleagues have in your possession. Don’t use public computers to check your email or work on sensitive documents. Don’t use unencrypted USB sticks, and certainly don’t leave them lying around. If you have staff on the road with laptops and tablets, consider asking us to provide full disk encryption to prevent a hacker getting access to any information that might be on there, should they be lost or stolen.
Get Insured
Many insurance providers are now offering dedicated “Cyber Liability” policies. Such insurance will cover you against any losses resulting from paying a fake invoice, or having your data stolen and requiring the services of Computercentric to restore your data and re-install your servers and desktops. Computercentric can recommend the services of a Cyber Liability specialist, just get in touch to find out more. Such policies are fairly new to the insurance industry, but we predict that within a few years, Cyber Liability will be a standard business insurance, along with your Public Liability, Employer’s Liability and so on. Fortunately, our client who was defrauded of over £200,000 had such a policy in place, and was quickly paid out by their insurer.
Trust Nobody
Unfortunately, we’re not just seeing an increase in email-based hacking / defrauding attempts like this. We’ve seen a significant growth in the number of eCommerce customers who’ve had their web shops targeted in coordinated attacks to extract data or intercept credit card details, so if you sell or transact online, it’s vital that your systems are thoroughly protected and regularly penetration-tested for any vulnerabilities.
We’ve even seen one client with a busy central London restaurant targeted by fraudsters who delivered a new set of PDQ card terminals to their restaurant, fully charged and connected wirelessly, ready to start collecting cash. If the client hadn’t been suspicious, these machines would have gone into service immediately, and the hackers could have collected tens of thousands of pounds before the client noticed that their takings weren’t hitting their bank account.
What to Do If you are the Unlucky One?
If you are unlucky enough to fall prey to one of these scams, you must contact the Police of course. However, please remember: even if you spot the hacking attempt, don’t keep quiet about it. We encourage you to report it to the Police’s dedicated Cyber crime team here: https://www.actionfraud.police.uk/. By reporting the attempt, you can help police to identify the IP addresses, domain names and bank accounts associated with the fraudsters, and shut them down.
The bottom line is, there are bad people out there folks. The only way to avoid them is to know their game, so you don’t end up playing it.