24 April 2018
The cost of computer fraud
Losses due to computer fraud amounted to £3.55 trillion in 2016, according to research carried out by Portsmouth University. Of these losses, £125 billion were suffered by UK businesses. Any company connected to the internet is regarded by criminals as a resource because of the data it holds, and that data can be turned to the criminals' financial gain. It goes without saying that virtually every business in the Western world is connected to the internet, including all of our clients.
The cost to a business that is a victim of cybercrime is often much greater than the actual funds stolen. There is the cost of downtime and consequent lost business, the cost of remediation and data recovery, and in many cases the cost of reputational damage. Cifas, a fraud prevention service, estimates that nine out of ten frauds involve identity theft. Criminals frequently abuse the credit reputation of individuals or companies whose identity they have stolen to obtain goods, cash or loans. The victims later find that their credit rating has been downgraded, with obvious consequences for their trade.
One of the most common examples of identity theft is when an employee is tricked into believing that a false invoice or request for payment is genuine and inadvertently diverts funds into a criminal's account. This is known as phishing. Not so long ago it was relatively easy to spot phishing scams; they were characterised by spelling errors and poor use of English. But criminals are getting much more adept at making such documents realistic, even setting up fake company websites to fool a victim who checks the identity via Google. More sophisticated are the scams perpetrated by hacking into the emails of a finance director and giving an employee plausible instructions to transfer funds. Fraudsters will even try to imitate the writing style of the director so that the false email is more convincing. Some very large frauds have been committed in this way.
A variation of this scam is mandate fraud, where the perpetrator gains access to online banking details and changes the payment mandate, enabling them to divert funds.
A company’s data can be extremely valuable to a cybercriminal. Data theft is usually for the purpose of obtaining personal data that can be used to commit identity fraud.
A type of cybercrime against companies which is on the increase involves extortion. The criminal introduces malware into a company's systems which prevents access to valuable data. A ransom is demanded and, if this is not paid within a stipulated time span, the data is destroyed. It is thought that a large proportion of victims pay the ransom, reasoning that this is cheaper and quicker than trying to recreate or retrieve lost data. Uber famously paid $100,000 to a criminal gang for this reason in 2016. These frauds are generally known as ransomware or Distributed Denial of Service (DDoS). Ransom payments are collected in Bitcoin or a similar cryptocurrency, and are therefore untraceable. Even theft of bitcoin is now commonplace.
Smaller businesses targeted
Cyber criminals tend to share information and are becoming ever more sophisticated. They will build a campaign layer by layer, exploiting different weaknesses, until they are ready to strike. The most skilful fraudsters mostly target large businesses. Smaller businesses tend to be attacked by less astute hackers, but even these can now purchase expert-designed malware on the internet. So small and medium-sized businesses are not immune from attack, and it is important to review your systems in order to minimise the risk.
Detection and prevention
Employees are usually the weakest link. Unless they are made aware of the threats, they can be taken in by phishing scams. Such scams only succeed where there are gaps in policies and procedures. Those policies should be written down and be the subject of regular training sessions.
Fraud often occurs where outdated software is in use. Updates should be installed as soon as they are made available, and regular reviews of the effectiveness of the company's firewall and antivirus programs should be scheduled.
Every company should prepare a risk assessment. For small businesses this should be carried out by a competent external consultant. At the same time an action plan or recovery procedure should be designed. Ransomware attacks can be fended off at minimal cost if systems and data are backed up daily on offsite storage.
Online identities should be backed up by offline data. This means that, where appropriate procedures are in place, online data such as location, IP addresses and cookie data can be checked against data held offline, such as names, addresses, phone numbers and email addresses.
Collaboration with a company's supply chain can also be very effective. Much of the data held by a company relates to its suppliers. The impersonation of a supplier by a hacker can be a means of obtaining funds by deception, but procedures agreed between customer and supplier can be used to identify communications that are not genuine.
This is a problem that will not go away, and if you hold data and are connected to the internet, sooner or later an attacker will breach your defences.
For our part, UHY has mandated the adoption of Cyber Essentials, a UK Government-backed scheme to help protect organisations against a range of the most common cyber attacks. I recommend that SMEs consider this as a way forward, particularly those who do not consider themselves IT experts and need some structure for their actions.
If you think a review of your system's vulnerabilities would be worthwhile, why not get in touch so that we can recommend a trusted expert?