Leading up to the Meredith Harington client seminar scheduled for 20 October 2016, I have summarised a few important considerations regarding cybercrime and information security. These are serious issues and, having recently attended a cybercrime seminar at Nedbank presented by Nicole Dunbar (Nedbank financial crime and forensic services) I am aware, more than ever before, of the risks we face on a daily basis as business owners and entrepreneurs.
A short definition of cybercrime: using telecoms, internet and related devices for criminal activity.
For the most part, when we talk about the prevention of cybercrime we think of having a good antivirus in place, and when we talk about information security we relate this to ensuring regular backups are made of our data. However, the prevention of cybercrime and loss due to a breach of information security goes far beyond having a good antivirus and making regular backups. What is required is essentially the gaining of knowledge and the changing of behaviour (business and personal) in order to reduce risk.
I will highlight a few areas where we are at risk, but will purposefully not provide any potential solutions, hoping that the readers will consider attending our client function as described above.
Cybercriminals send numerous “bait” emails hoping to “catch” someone out. These emails usually have a link or an attachment which, if followed or opened is designed to either access your electronic device (in order to download a virus or something similar that can extract information for the cybercriminals’ use) or lead you to a fake website (often a very convincing replica of the real thing) asking you to log in using your secure credentials or requesting sensitive information from you. The information gained is then used, possibly at a future date, to access sensitive/valuable locations, for example, your bank account.
This is Phishing on a larger scale primarily aimed at businesses. The cybercriminal will attempt to access information from the organisation through “social engineering” in order to “catch” people in the organisation unawares. For example, contacting the receptionist to obtain a name and email address of the head of finance, following social media to determine when the head of finance is on holiday, and then sending an email, designed to look like it comes from the head of finance, to the finance team to release funds or update details that can be used to access user accounts.
Smishing and Vishing
We all receive SMSs from time to time stating various things (for example an insurance offer or a prize that has been won) and usually including a link that is to be followed. You have probably received voice calls asking for details (personal details, or even bank details). Often, the person making the call already has a substantial amount of information about you that they are able to confirm to you, before asking you for certain information. For example, there have been reported instances of a “Microsoft Consultant” calling and asking for remote access to computers in order to resolve issues.
Through whatever means, once the cybercriminal has access, documents can be viewed, malicious software can be downloaded and further information gathered that can be used to perpetrate cybercrime.
With a limited amount of your personal information, a cybercriminal can perform a sim swap without you knowing (for example, if they know your phone is going to be off at a point in time) and use this to access your bank account (with SMS verification) and load a beneficiary and/or clean out your account.
Malware is malicious software designed to create damage. For example, a Trojan Virus that has been downloaded to your PC through a Phishing email, that alerts the cybercriminal to when you are doing your internet banking (and then attempts to direct you to a fake banking site to obtain your login details) or corrupts data on your electronic device.
Ransomware has increasingly become an issue, whereby cybercriminals gain access to your device or server, encrypt all your data and then demand a payment before the data is decrypted and can be used again.
If a cybercriminal can download keystroke logging software onto your computer, they are able to monitor what it is that you are typing on your keyboard (this, together with the above-mentioned example of malware alerting the cybercriminal to when you are doing your internet banking could be disastrous).
This is an easy way to distribute the above Malware/Ransomware to you.
Deposit and refund scams exist whereby cybercriminals make use of fake deposit confirmations, or uncleared cheques (which later do not clear) to have you release goods or refund amounts to them.
Cybercriminals have been known to contact potential victims in order to “update banking details”. Usually the cybercriminals have already gained a lot of your personal information and are thereby able to lead you to believe that the update to banking details is legitimate. This forum is then used to obtain further sensitive information from you or directly access your bank accounts or change beneficiary details in order to make payments to untraceable accounts (from where the funds are withdrawn)
Consider how much personal information exists on your Gmail account (for example). This is relatively easy to hack, particularly if you have not activated the suggested two step verification on your account.
In addition to the above, and possibly even more alarming, is the amount of personal information available on social media. This information can be used against you to commit any number of forms of cybercrime. Statistics show that 71% of new accounts created on Facebook are spam accounts and 78% of new accounts are used to burglarise vacant homes.
The above is only a summary of some of the very risky cybercrime initiatives in our world today. Without sufficient knowledge and adequate information security in place, it is only a matter of time before you or your business suffers loss resulting from cybercrime.
At Meredith Harington, we are by no means IT experts. But we do know a thing or two about business risk. One of these is cybercrime. We urge you to attend our next client seminar on 20 October 2016 dealing with these and related issues to be presented by knowledgeable guest speakers.