Hackers are increasingly taking aim at small businesses, which often don’t have IT departments or the resources to protect them against attack. A third of small businesses have suffered a cyber attack in the past 12 months, according to the government’s Cyber Security Breaches Survey 2016.
Many attacks begin with an employee opening an email containing malicious software or ‘malware’. Although many people may be aware of suspicious emails, these scams have become more difficult to recognise, because fraudsters will often research their victims for weeks before pressing the ‘Send’ button and launching their attack. Using freely available information on websites, social media or online forums, hackers gather personal information on their victim to craft sophisticated email frauds aimed at scamming a business out of money, holding it to ransom or stealing sensitive data.
In the hands of a skilled operator, fake emails can be made to look almost exactly like the genuine article. Often, you will not know that you have been the victim of an impostor email straight away: your computer won’t filter it as junk mail and you will not receive a ransom note. The first time you might notice something is wrong is when your usually reliable client still hasn’t paid, or a supplier rings you to chase an overdue invoice, which you thought you had paid long ago. Until, in other words, it’s too late.
But how easy can it really be to force companies into parting with cash or duping them into making payments into unauthorised accounts? Very, is the simple answer. Here are a few common examples of the scams that are used.
Fake invoice fraud
Cyber conmen send an email containing what appears to be a genuine invoice. Posing as one of your real-life suppliers, or a colleague, they try to trick you into sending money to a fake account. Alternatively, they email fake invoices to your own customers after hacking into your computer system.
In order to infiltrate a company’s IT systems, criminals only need to persuade someone inside the company to click on a link or open an innocuous-looking attachment that contains malware. Once the machine is under their control, the criminals eavesdrop on the company’s normal email exchanges with its established suppliers and clients. The cyber criminals will then pose as one of the parties in bogus emails to trick the other into sending money to an alternate, fraudulent account.
In one case I dealt with recently, a fraudster hacked into a local builder’s email account using malware that evaded detection by common security software programs. Having gained access to the company’s address book, containing the names and emails of its regular suppliers, the fraudster then sent an email posing as a genuine supplier requesting payment of a bogus invoice, using an email address closely resembling the genuine one.
We investigated the incident, proved it was fraud and worked with law enforcement agencies to help recover the money. This common type of fraud, often traced to overseas organised-crime gangs, is catching many unwitting small business owners. The bogus email typically arrives just before a bank holiday break, when the small business, which is rushing to finish its to-do list, is more likely to authorise the payment without double-checking with its supplier.
In another similar case I investigated, the owner of a small British art gallery downloaded malware, disguised as an invoice, enabling the attacker to take over the gallery’s computer and steal a significant sum of money from it. We investigated the fraud and were able to prove that the owner of the gallery was not negligent, and handed details of the crime over to police.
Ransomware
Again, an employee inadvertently downloads malicious software through a fake email, but instead of tricking you into paying a fake invoice, the criminal locks your IT system and demands a ransom to release it. Nearly 40% of all businesses across several countries have experienced a cyber attack demanding a ransom within the past 12 months, and 20% of victims were forced out of business by the attack, according to one study.
In a recent case I’ve been involved in, an HR department employee clicked on an email attachment claiming to be a CV, which really contained malware. Within a matter of minutes, around 50,000 files were encrypted, bringing the HR department to a complete standstill. A ransom note was deposited on the employee’s computer demanding a payment of approximately $500 in exchange for the encryption keys.
We were able to analyse the employee’s laptop, where we found the original email containing the malicious file. Luckily, the criminals had used an unsophisticated version of the malware and, as a result, we were able to recover all the encrypted data.
Data theft
Scammers will also target a company’s accounts or finance team, sending malware in an email to steal sensitive information, such as credit card numbers, account information or passwords. The breach might go undetected for a while, as criminals take great care in circumventing security systems and leaving no trace of infiltration.
Once the hackers have control of the machine, they can record keystrokes – effectively like having someone look over your shoulder as you type – collecting passwords and details of bank accounts or credit cards. The scammers can then use this information to make fraudulent purchases, syphon off money to criminal accounts, or sell the data on the online black markets known as the dark web.
How to protect your business
You can help to defend your small business from these kinds of attacks by making sure your employees are aware of email security, and by reminding them about these good habits:
- Don’t click on attachments or links unless you are sure of the source of the email. Simply clicking on a link or opening an attachment in an email can be enough to infect your computer with malware.
- It’s easy for impostors to set up fake email accounts and pretend to be a supplier – be vigilant when it comes to email requests for payment, especially at busy times.
- Rather than hitting the ‘reply’ button, respond to emails using the contact’s address in your address book.
- If in doubt, pick up the phone and speak to a supplier before sending payment.
- If hackers demanding a ransom encrypt your computer, it’s best to seek assistance from a cyber security expert. Making a ransom payment may not solve the problem: the criminals may not unlock your system after having received the money, or they may return to demand further payments at a subsequent date.
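The habits above are meant for people, but two of them can be checked mechanically before anyone authorises a payment: whether the sender’s domain is a near-miss for a supplier you actually deal with (the tactic in the builder case above, and the reason ‘reply’ is not the same as looking the contact up) and whether a reply would go somewhere other than the apparent sender. The following Python script is an added example, not code from the article or from any product it mentions; the supplier address book, the domains and the sample headers are all constructed for illustration.

```python
"""Mechanical checks on a payment-request email before it is acted on.

Added example, not code from the article. The supplier address book and the
sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed address book: domains of suppliers you actually do business with.
KNOWN_SUPPLIER_DOMAINS = {"acme-builders.co.uk", "northern-timber.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character changes that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header, lower-cased."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, known: set, max_distance: int = 2):
    """Return the known domain this one imitates (e.g. an 'l' swapped for a '1'),
    or None if it is either genuine or not close to any known domain."""
    if domain in known:
        return None
    best = None
    for k in known:
        d = levenshtein(domain, k)
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


def display_name_mismatch(from_header: str, known: set):
    """Catch 'Acme Builders <someone@webmail.example>': a trusted name shown
    on an address that is not on the supplier's own domain."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rpartition("@")[2].lower()
    if domain in known:
        return None
    name_words = name.lower().replace("-", " ")
    for k in known:
        brand = k.split(".")[0].replace("-", " ")  # 'acme-builders' -> 'acme builders'
        if brand and brand in name_words:
            return k
    return None


def assess(raw_message: str) -> list:
    """Return human-readable warnings for one message; empty means none fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"] or ""
    from_domain = sender_domain(from_header)
    findings = []

    imitated = lookalike_of(from_domain, KNOWN_SUPPLIER_DOMAINS)
    if imitated:
        findings.append(f"sender domain {from_domain!r} closely resembles supplier {imitated!r}")

    spoofed = display_name_mismatch(from_header, KNOWN_SUPPLIER_DOMAINS)
    if spoofed:
        findings.append(f"display name suggests {spoofed!r} but the address is on {from_domain!r}")

    reply_to = msg["Reply-To"]
    if reply_to and sender_domain(reply_to) != from_domain:
        findings.append(f"replies would go to {sender_domain(reply_to)!r}, not to {from_domain!r}")
    return findings


# Constructed sample headers (not real messages).
SAMPLE_LOOKALIKE = """\
From: Accounts <accounts@acme-bui1ders.co.uk>
To: owner@gallery.example
Subject: Overdue invoice 4471 - new bank details

Please remit to the account on the attached invoice.
"""

SAMPLE_REPLY_TO = """\
From: Northern Timber <accounts@northern-timber.com>
Reply-To: payments@secure-mailbox.example
To: owner@gallery.example
Subject: Invoice query

Reply with the remittance details please.
"""

SAMPLE_DISPLAY_NAME = """\
From: Acme Builders <acme.builders.accounts@webmail.example>
To: owner@gallery.example
Subject: Final reminder

Payment is now overdue.
"""

SAMPLE_CLEAN = """\
From: Northern Timber <accounts@northern-timber.com>
To: owner@gallery.example
Subject: Statement

Monthly statement attached.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLY_TO),
                          ("display name", SAMPLE_DISPLAY_NAME), ("clean", SAMPLE_CLEAN)]:
        print(label, "->", assess(sample) or ["no warnings"])
```

Run it over the raw headers of a message before anyone acts on it. An empty result means none of the automated checks fired, not that the message is safe: a sender on an unrelated webmail domain with no familiar name in the display field passes all three checks, which is exactly why the address-book and telephone habits above still apply.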