The files of a small business become encrypted and a ransom demand from a hacker arrives.
A staff member leaves their work laptop on a train and it contains personal data.
An employee of a firm makes a bank transfer of £25,000 to fraudsters after falling victim to a phishing email supposedly from a senior manager.
An employee botches a software update over a weekend, leaving critical systems unavailable.
Email “phishing” scams are hardly new, but they remain surprisingly effective as one financial services agency found out recently. The method was simple. Criminals set up a Gmail account that mimicked the real email address of one of the company’s senior managers. They then sent an email from the fraudulent address to an employee, requesting the transfer of £230,000 from the business to an outside bank account.
Fooled by the tone of the email and the address it appeared to come from, the employee issued a wire transfer to the criminals' bank account, and the money was immediately withdrawn. When the agency discovered what had happened, both its bank and the receiving bank tried to recover the cash, but to no avail. The business learned the hard way that employees should be encouraged to question unusual requests from colleagues and to check the validity of the emails they receive, in particular by confirming any payment request through a separate channel such as a phone call to a number already on file. Failing to do so can be extremely expensive.
One of the most effective ways of damaging a company is to stop it from trading. And a way of doing that is by knocking out its IT systems with a DDoS, or "Distributed Denial of Service", attack. This method targets a specific server or network (as you'd find in any company) and uses a "botnet", a large number of compromised machines under the attacker's control, to flood it with more traffic than it can handle, so that legitimate customers and staff can no longer reach it. This technique has been used by countries to attack other states, but smaller businesses are also at risk, sometimes from their own employees.
Recently, a disgruntled worker at a loan firm carried out a DDoS attack on his employer’s IT network, using his inside knowledge to target the system’s weak points. The attack was so effective it brought down the company website, leaving it unable to conduct its business. With the police also involved, it took several days for the company to get up and running again.
Like other areas of criminality, ransom crimes have changed drastically with the arrival of the internet. In the past, they involved criminals demanding money in return for the safe return of a hostage or incriminating items. Today, things are even more sinister, and a lot more expensive. One Hiscox client was targeted by hackers who accessed, then encrypted, its most sensitive files.
A ransom demand was then made. The hackers had tried thousands of passwords until they hit on the network administrator's credentials, which gave them access not just to confidential information like contracts, but to the company's bank accounts. This "brute force" attack was damaging in two ways. Firstly, because of the immediate financial cost, and secondly, because the data breach had the potential to break the trust between the company and its clients. Brute-force guessing only works when an account can be tried over and over without consequence, which is why lockouts, rate limiting and a second authentication factor on administrator accounts matter.
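The brute-force attack described above leaves an obvious trail: a long run of failed logins against one account, often from one source, followed by a success. The following is an added example, not code from the page or from Hiscox, showing how that pattern can be picked out of authentication logs. The log format, the account names, the IP addresses and the thresholds are all constructed for illustration; a real deployment would read the logs of whatever system issues the credentials.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, constructed log line format (not from the original page):
#   2024-03-02 01:00:00 LOGIN_FAIL user=admin src=203.0.113.9
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample log: a password-guessing burst against 'admin'
    that ends in a successful login, plus one ordinary user mistyping
    her password twice. Hypothetical data for the example only."""
    base = datetime(2024, 3, 2, 1, 0, 0)
    lines = []
    for i in range(12):  # 12 failures in one minute from a single source
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} LOGIN_FAIL user=admin src=203.0.113.9")
    t = base + timedelta(seconds=65)  # ...then the guess succeeds
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} LOGIN_OK user=admin src=203.0.113.9")
    for i in range(2):  # normal behaviour: two typos, then success
        t = base + timedelta(minutes=10, seconds=30 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} LOGIN_FAIL user=alice src=198.51.100.4")
    t = base + timedelta(minutes=11)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} LOGIN_OK user=alice src=198.51.100.4")
    return lines


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines we don't recognise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["event"], m["user"], m["src"]


def detect_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag (user, source) pairs with at least `threshold` failed logins inside
    any `window`, and note whether a successful login followed the burst,
    which is the signal that the guessing may have worked."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, event, user, src = parsed
            events[(user, src)].append((ts, event))

    alerts = []
    for (user, src), evs in events.items():
        evs.sort()
        recent = deque()        # failure timestamps inside the sliding window
        peak = 0                # most failures seen in any single window
        burst_until = None      # time until which a success counts as suspicious
        success_after_burst = False
        for ts, event in evs:
            if event == "LOGIN_FAIL":
                recent.append(ts)
                while recent and ts - recent[0] > window:
                    recent.popleft()
                peak = max(peak, len(recent))
                if len(recent) >= threshold:
                    burst_until = ts + window
            elif burst_until is not None and ts <= burst_until:
                success_after_burst = True
        if peak >= threshold:
            alerts.append({
                "user": user,
                "src": src,
                "peak_failures": peak,
                "success_after_burst": success_after_burst,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(build_sample_log()):
        print(alert)
```

A burst that ends in a success is the alert to act on first: reset the account's password, revoke its sessions and look at what it did next. The threshold and window are deliberately conservative so that an ordinary user mistyping a password a few times, like 'alice' in the sample, does not raise an alert.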
Ransomware is malicious software that locks your screen or encrypts (scrambles) a computer's files so that they cannot be used. It is commonly delivered through harmful email attachments, exploit kits that target outdated browser plug-ins, compromised or malicious websites, text messages, and more.
Unlike malware that simply corrupts your files or system, ransomware in effect kidnaps your files and demands an anonymous ransom payment for their return. Paying is no guarantee of recovery: if there is a flaw in the ransomware's encryption code, your data may be permanently unrecoverable even with the decryption key, and files may not work the way they should after decryption. Regularly tested backups kept offline, where the ransomware cannot reach them, are the only reliable way back.
What’s worse: You also could be targeted again in the future.
Phishing scams are usually emails that appear to be from legitimate companies or trustworthy individuals. They can also take the form of text messages or even phone calls. They trick users into handing over sensitive information or into acting on a fraudulent request, such as a payment. Phishing emails often look very realistic, so they are tough to identify. The primary goal is to obtain credentials, financial information or other sensitive data.
A successful phishing attack does not stop at one mailbox: the scammers can use the victim's computer or credentials as a foothold to attack the rest of the organisation, leading to malware infections, ransomware, identity theft, data theft and more.