If your business is anything like ours, you’ll be sending and receiving large sums of money every day. In 2018, Freightplus fell victim to three very sophisticated cyber-attacks, in the space of just one week, costing us around $250,000. It could have been far worse. Having learned some hard lessons from those, we have successfully fended off numerous cyber-fraud attempts since. Indications are that the incidence of cyber-fraud is only going to increase and become more and more sophisticated.
Our company accountant, Michelle Irwin, B.Bus (PAX) C.P.A., has put together a brief introduction on the various methods of cyber-fraud and a few simple tips to protect yourself against them. Here’s what she has to say:
Cyber-fraud is a growing concern in this digital age. In a recent health check by ASX, almost 40% of directors of the Top 100 companies in Australia reported that cyber security was their number one area of risk in 2017 (https://www.asx.com.au/documents/investor-relations/ASX-100-Cyber-Health-Check-Report.pdf). Cyber criminals are getting increasingly sophisticated with email payment fraud, and a market has sprung up around ransomware-as-a-service models, which have reduced the cost of ransomware and allowed more players to enter the arena.
One area of concern is ransomware. In these attacks, a user will hijack a computer or phone and lock down the files with a demand for payment before the files are released. Generally, a computer will be infected by Trojan software that is disguised as a legitimate file. This file might be installed as a result of a phishing email (e.g. a PDF attachment) or embedded in a website and installed in the same way cookies might be. In some cases, the ransomware attack can be reversed, but others include cryptoviral extortion, which not only infects the computer but also encrypts all the data and can make it virtually impossible to reverse without paying the ransom. Some of the ransomware attacks are done without the intention to ever unlock the files; others will unlock upon payment.
The easiest and most effective means of protecting yourself from a ransomware attack is simply DO NOT OPEN ATTACHMENTS unless you know exactly what they are and that they are legitimate. If in doubt and you know the sender, call them and check before you open. If you don’t know the sender, delete! And make sure everybody with a company email address follows the same practice.
Phishing attacks are becoming increasingly common. In this, the attacker will send an email that appears to be coming from a genuine source. It might appear to be an electricity bill, a government department, or Dropbox. Some of these emails are constructed with bad grammar and odd language; however, they are becoming increasingly sleek and harder to detect as fraudulent.
There are steps you can take to determine whether the emails are genuine:
• Determine whether it’s someone who would have a reason for emailing you. For example, if you use one electricity company and the email states that you owe a different provider.
• Check the email address by hovering your mouse cursor over the “From” address and checking whether the domain is genuine. For example, an email from ASIC should only come from asic.gov.au. Some phishing emails will use a domain that is close to the real one, with just a minor difference. For example, it might be microsoftdocs.com posing as Microsoft and asking you to log in to your account.
• Check any links in the email before clicking on them. The best way to do that is to hover your mouse cursor over them. If it is a shortened link (bitly.com or similar), be wary of clicking through. Note: Some of the phishing emails will use a genuine footer with correct links so check the main link they’re asking you to click.
• When in doubt, don’t click anything in the email. Contact the company/department purportedly emailing you. Most often, they are aware of any scam emails going around in their name and will advise you how best to proceed.
Another method of cyber-fraud is when someone sends an email requesting an urgent payment. This can come in a variety of forms, including but not limited to:
• From the legitimate email address of the person purportedly requesting the payment;
• From an email piggy-backing onto the mail server, with one or two letters changed;
• From an unrelated email masked to look like the legitimate email address; or
• From an unrelated email with a note that they are unable to access their work email at the moment, but the request is urgent.
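As an added example (not part of Michelle’s article or any Freightplus tooling), here is a small Python check that applies the sender-domain and link tests above: it flags addresses a letter or two off a known domain, names like microsoftdocs.com that embed a real brand, and shortened links. The trusted-domain and shortener lists are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumptions: domains this business expects mail from, and
# well-known URL shorteners whose links hide the real destination.
TRUSTED_DOMAINS = {"asic.gov.au", "microsoft.com", "dropbox.com"}
URL_SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}

def edit_distance(a, b):
    """Levenshtein distance: single-letter edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)

def check_sender(from_header):
    """Classify the domain in a From: header as ok / lookalike / unknown / suspicious."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable address"
    domain = addr.rpartition("@")[2].lower()
    if is_trusted(domain):
        return "ok", domain + " is a known sender domain"
    for trusted in TRUSTED_DOMAINS:
        # One or two letters changed (micros0ft.com), or a real brand name
        # embedded in a longer domain (microsoftdocs.com posing as Microsoft).
        if edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return "lookalike", domain + " resembles " + trusted
    return "unknown", domain + " is not a known sender domain"

def check_links(body):
    """Flag shortened links and links whose host is not a trusted domain."""
    flags = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            flags.append((url, "shortened link hides the real destination"))
        elif not is_trusted(host):
            flags.append((url, "link host " + host + " is not a known domain"))
    return flags
```

A lookalike or unknown verdict is a prompt to verify by phone using existing contact details, not proof of fraud, and a trusted verdict does not rule out a compromised genuine mailbox.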
There are some ways to identify fraudulent payment requests. Generally, a fraudulent request will:
• Have a sense of urgency (e.g. I’m in a meeting but I need you to send this payment now);
• Come from someone purporting to be someone high in the company, and therefore less likely to be questioned (e.g. CEO/CFO/Branch Manager);
• Say/ask you to ignore standard authorisation procedures;
• May include grammatical errors*;
• Be unusual in the type of request, the language, or the format*
* While it’s true that sometimes the request will sound unusual for the person, have grammatical errors, or contain bad grammar, this may not always be the case. If the person managed to intercept company emails, there have been cases of them very cleverly mimicking the typical language and style of the person they are imitating.
Here are some steps you can take to reduce the risk of loss from email payment fraud:
• Have a robust authorisation procedure in place that must be followed from the top down. This might include requiring bank accounts to be verified in more than one way. Ideally, at least one method should be a verified method, e.g. double-checking emailed bank account details by SMS, or telephoning a trusted contact using their existing contact details rather than relying on a third-party contact to confirm the details, as this is a vulnerability that could be exploited.
• Set up all company email addresses with two-step authentication, to make it more difficult for cyber-fraudsters to access company email accounts (i.e. logging on to email from a new device requires a code, which is sent by SMS to the email address owner).
• Instruct all employees with company email addresses to use dedicated passwords that are different from any of their social media passwords and cannot be easily guessed (such as birth dates, family members’ names, pet names, etc. that a fraudster might find by stalking social media).
• Ideally, avoid publicising travel/meeting plans of your CEO/CFO until after they have returned, as there have been numerous cases of scammers following the social media accounts of their intended victims and determining the best time to strike with an email payment fraud, e.g. when the CEO will be travelling and uncontactable.
• If you’re not sure whether an email request is valid, the best option is to wait until you can verify it by other means. No matter how urgent the payment is, it is likely not worth the risk of losing the funds.
• If you believe you may have transferred funds to a bogus bank account in error, contact your bank IMMEDIATELY as there are sometimes cases where they can stop the payment or start steps to recover the funds.
The best first step is to speak to your IT professionals to ensure your system is as robust as possible. This includes:
• Strong and unique passwords. Consider the use of a password manager, which will generate encrypted and strong passwords between local devices and the relevant websites.
• Ensure your computer is virus protected and that the protection protocols are updated regularly. Things move fast in the online world and software that is only a few months old could potentially have weaknesses that can be exploited for the gain of cyber-criminals.
• If you are new to cyber security threats, you can use this checklist to help implement some steps in the right direction, including getting staff involvement.
• Ensure all software, including computer and phone operating systems, is kept up to date.
In addition to your in-house or contracted IT professionals, some other resources that might help are:
• NIST/MITRE Comprehensive Guide to recovering from ransomware and other destructive malware attacks https://www.nccoe.nist.gov/publication/1800-11/
• Contact your bank and see if they have a cyber-crime team. Many banks will work alongside businesses to reduce the cyber-crime risk including seminars and training for staff.
• UK National Cyber Security Centre https://www.ncsc.gov.uk/
• Australia Cyber Security Centre https://www.acsc.gov.au/business.html
I hope some of this information Michelle has shared is in some way helpful in terms of helping you to avoid falling prey to a cyber-attack.
CEO of Freightplus