The increasing digitisation of industry plays a vital role in business growth. But it also brings risk.
Cybercrime targets victims from private individuals to large corporates, through various forms of phishing and illicit installations of malware. The results are lost income, reputational damage, financial loss and ransomed data.
While the majority of criminals have quite basic technical capabilities, attacks are increasingly enabled by sophisticated tools available in the online criminal marketplace. With some criminal groups even industrialising their activities, cybercrime is evolving and growing fast.
One of the most common cyber-attacks, phishing operates through emails which are often convincing and appear to come from legitimate senders. These messages entice their targets to click on links or attachments which, in turn, facilitate theft or fraud.
Phishing uses scam emails to convince users to click on a malicious attachment or link. These can infect the victim's computer with malware which gleans private information, allowing an attacker to steal money, disrupt business operations, or destroy data.
Phishing attachments often bypass security and anti-virus programmes by using Microsoft Office 'macros' which download malware if run. Links may connect to seemingly legitimate websites, which exploit vulnerabilities in the victim's computer to install malicious code. Alternatively, these webpages may simply trick the user into entering personal information.
Sophisticated attackers aim convincing 'spear' phishing emails at carefully selected groups, researching recipients through social media, website information or public facts about their organisation.
High-volume phishing, on the other hand, targets as many recipients as possible, only a tiny percentage of whom need to be caught for the attempt to succeed. Fake invoices, delivery notifications, receipts and banking updates can all be used as lures in these attempts.
Most importantly, learn to spot a suspicious email!
Malicious software is coded with the intention of harming its target. Affecting private and corporate users alike, it can steal information, damage data, hijack website visits and spy on internet activity. Fraudulent redirection of internet banking users is an increasingly frequent form of attack.
Malware can hide inside innocuous-looking software (trojans), or spread between machines without relying on user interaction (worms). It can be custom-designed to evade defences and execute specific tasks.
Once inadvertently installed, malware can carry out many activities unseen. It may spy on website visits, destroy data, or piece together passwords. Increasingly, it’s being used by criminals to encrypt important business information until the organisation pays a ‘ransom’. Internet banking users might also be redirected to fake sites which record their login data to enable financial theft.
Malware is usually delivered via email ‘phishing’ or fraudulent links. Malicious apps and USB memory sticks can also compromise smartphones and computers respectively. Malware can stay hidden for months until activated.
Cyber-attacks on SMEs have increased steadily in recent years. With criminals constantly devising new ways to steal information and money, one of the newest emerging threats is Business Email Compromise. This scam is a global phenomenon, targeting companies irrespective of size, industry, who or how they bank. Huge sums can be lost because of one spurious email.
A fraudster emails a company's payments team, impersonating a contractor, supplier, lawyer, creditor or even someone in senior management. The email might appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often, it instructs the recipient not to discuss the matter with anyone else.
Since the sender's email address closely matches a known address, this type of fraud often goes unnoticed until too late. Cybercriminals may even hack into a real email account, in which case the fraudulent communications are very hard to identify.
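One way a payments team's mail gateway or checklist can catch the "closely matches a known address" pattern is to compare each sender against the addresses of known counterparties and flag near misses for out-of-band verification. The following is an added example, not code from this page or from HSBC; the known-address list, the confusable-character table and the sample senders are constructed for the demo.

```python
# Added example (not from the original page): flag sender addresses that nearly
# match a known counterparty address, the pattern used in Business Email Compromise.
# KNOWN_ADDRESSES and the sample senders below are constructed for this demo.

KNOWN_ADDRESSES = {
    "accounts@acme-supplies.example",   # constructed supplier address
    "cfo@widgetco.example",             # constructed internal address
}

# Character swaps an attacker may use so a fake address reads like a familiar one.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(address: str) -> str:
    """Lower-case and fold common look-alike characters so 'widgetc0' == 'widgetco'."""
    folded = address.strip().lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known=KNOWN_ADDRESSES, max_distance: int = 2) -> dict:
    """Return 'known', 'lookalike' (near miss: verify by phone before paying) or 'unknown'."""
    raw = sender.strip().lower()
    if raw in known:
        return {"verdict": "known", "nearest": raw, "distance": 0}
    norm = normalise(raw)
    nearest, best = min(((k, edit_distance(norm, normalise(k))) for k in known),
                        key=lambda kv: kv[1])
    verdict = "lookalike" if best <= max_distance else "unknown"
    return {"verdict": verdict, "nearest": nearest, "distance": best}


if __name__ == "__main__":
    for s in ["cfo@widgetco.example", "cfo@widgetc0.example",
              "accounts@acme-suplies.example", "helpdesk@other.example"]:
        print(s, classify_sender(s))
```

A "lookalike" verdict is a prompt to call the counterparty on a known number, not proof of fraud; a compromised genuine account (the second scenario the page describes) will still score as "known", which is why the call is needed regardless.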
A finance assistant received an email that appeared to be from one of his colleagues, instructing him to create an urgent payment.
The assistant was on annual leave at the time, but had checked his emails and responded asking if it could wait until his return. He received confirmation that this was fine.
On his first day back, he created and authorised the payment. HSBC, however, identified this as a suspicious transaction and put it on hold. The assistant was then contacted by the HSBCnet Fraud Operations team to verify the payment.
The assistant confirmed that he had created and authorised the payment, but the team encouraged him to re-check it given the prevalence of this scam. When he did so, by speaking to the colleague he thought had made the original request, he discovered that it was fraudulent and that his colleague’s email had been compromised.
The assistant informed the fraud team and the payment was withdrawn. On this occasion, no money was lost.
A member of a finance team received an urgent email from the company’s CFO to make a payment transfer.
The instructions were marked as private and confidential relating to a deal and stated that the matter should not be discussed with any other member of staff as it may jeopardise the deal’s closure.
The finance staff member carried out and authorised the transaction.
Later the same day, the finance staff member saw the CFO and mentioned that he had carried out the payment as instructed. The CFO looked puzzled and asked, ‘What payment?’
If the finance staff member had simply called or spoken with the CFO to verify the transaction before pressing the ‘Submit’ button, they would have discovered that this was not a legitimate request and that the CFO’s email had been compromised.
Texts and phone calls can be used maliciously to facilitate theft and fraud. 'Vishing' calls try to alarm recipients into making payments or providing important financial information. 'Smishing' texts may additionally try to entice their target to click on malicious links, installing trojan malware which can steal passwords and other high-value data.
Phishing phone calls ('vishing') and scam texts ('smishing') are common attacks, designed to trick targets into divulging personal information that can be used for theft or fraud. Both vishing and smishing are cheap, and require little technical knowledge.
Many vishing campaigns are high volume, using auto-dial and broadband calling to contact thousands of potential victims per hour. They try to drive fear-based responses: for example, a spurious bank call-back service which pretends to alert the victim to fraud on their bank account, then requests detailed card information when they respond.
When targeting organisations, attackers often impersonate a senior employee requiring urgent assistance. They may pretend to be in a rush, in an attempt to take control of the conversation.
Smishing has begun to overtake vishing in popularity. With many victims still unused to receiving spam texts – and the growth of text banking – it currently enjoys a higher success rate.
Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing emails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.