How Paying Bills Can Be Disastrous for Your Business
Social media, business websites and efficient accounts-payable processes have given cyber criminals an easy way to make money through targeted attacks.
Why is Australia so bad for Cyber Crime?
1. Information is a Two-Edged Sword
By promoting their products, services and organisational structure online to attract new clients and establish credibility, businesses unwittingly publish details (who the executives are, who works in Accounts, which suppliers they deal with) that can be used against them. Information gathered online is used to craft malicious email requests, supposedly from senior management or creditors, for money transfers or to ‘update’ account details.
2. Not Everyone Is Who They Say They Are
If your Accounts department received an email claiming to be from you, a member of your management team or an established supplier requesting a transfer of money to a new or overseas bank account, are they likely to question the request? Or perhaps an email is received requesting that a known supplier’s account details be updated. Does your Accounts team have a process for double-checking whether a request is legitimate?
3. BEC Attacks Are on the Rise
Known as ‘Business Email Compromise’ (BEC), this type of email scam has the potential to hurt your business more than a phishing attack[1]. It requires little technical skill of a criminal beyond the ability to research your business details online. As Nicole Rose PSM, Acting Chief Executive Officer of ACIC, notes, “Increasing access to and uptake of the internet provides serious and organised crime groups with the ability to target thousands of Australians simultaneously from anywhere in the world”.
What is a BEC? A cybercriminal impersonates an executive, client or supplier and coaxes an employee, customer or vendor into transferring funds or sensitive information to the attacker.
Whilst this may sound far-fetched, the Australian Criminal Intelligence Commission’s (ACIC) recent report into organised crime revealed that 749 such scams were reported in Australia during 2015-16, and 243 new cases were reported in just the first quarter of 2016-17.
“But Our Technology Protects Us”
As much as we would like to say otherwise, this is a problem that cannot be solved with technology alone. In fact, Deloitte’s recent report ‘Cyber Regulation in Asia Pacific’, which focused primarily on financial institutions, noted:
‘Generally, businesses operating in countries that have more advanced ICT infrastructure and a bigger digital economy face greater cyber risks. For example, Korea, Australia, Japan and Singapore have been found to be nine times more vulnerable to cyber-attacks than other Asian economies.’ (emphasis added by itro).
So, what can you do to reduce your risk?
1. Be Careful
Email filtering still plays an important role in helping your teams proactively minimise risk to your network and funds. Good email filters[2] interrogate mail in two ways before forwarding it to the recipient:
- By qualifying the legitimacy of sender details: is the sending server authorised by the claimed domain’s SPF, DKIM and DMARC records, and is the domain a lookalike of one you trust?; and
- By filtering the content of the email for the language of money transfers and account changes.
However, even good email filters only provide maximum security when they are configured correctly. That is why it is so important to have an IT Provider who is experienced in configuring and proactively maintaining email filters so they remain current with best-practice security measures.
2. Employee Education
Educate your teams on the importance of always taking the time to think before they act on an email request. Valuable points to check when assessing an email include:
- Sender Details. Is the email coming from a legitimate contact? For example, a bank is NOT going to send you an email from a Hotmail address. Check the full sender address, not just the display name: a display name can say anything, and a domain that differs by one character from a trusted one is easy to miss. It’s an easy, effective way to avoid acting on malicious emails.
- Opening Files. Teach your team to check files attached to emails before opening them! Encourage them to seek advice from you, a manager or your IT Provider when in doubt. A small sample of file extensions your team should be cautious about opening includes:
  - Files that execute commands, such as:
    - program files (*.exe);
    - batch files (*.cmd and *.bat); and
    - script files (*.vbs and *.js).
  - File types that allow embedded scripts (macros), such as:
    - Microsoft Access files (*.mdb);
    - Microsoft Word files with macros (*.doc, *.docm); or
    - Microsoft Excel files with macros (*.xls, *.xlsm).
  - And for Mac users, be cautious with:
    - C shell script files (*.csh);
    - application bundles and installer packages (*.app, *.pkg, *.dmg);
    - images (*.tiff); and
    - iOS application files (*.ipa).
- Money Transfers. Encourage your Accounts team to ring and verbally confirm any unexpected email request for money supposedly sent by a senior team leader or internal department before making a transfer, using a phone number already on file, never one supplied in the email itself. Even if a follow-up call causes annoyance, that is a far better option than having to tell management that funds were unwittingly given away!
- Account Details. Emails requesting that a vendor or supplier’s account or delivery details be updated also need to be treated cautiously! Ring them first, on the number you already hold for them, to confirm the request is genuine and not malicious.
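As an added example (not itro’s code and not part of the original article), the following Python script performs the two checks described above for an email filter, sender legitimacy and content, together with the Sender Details checks staff are asked to make by hand, over three constructed sample messages. The organisation, executive name, supplier domain and messages are all hypothetical, and the Authentication-Results header is assumed to have been added by your own receiving mail server rather than copied from the sender.

```python
"""Added example (not the article's code): flag BEC indicators in raw mail.
Domains, names and the three sample messages are constructed; the
Authentication-Results header is assumed to be stamped by your own server."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-co.com.au"                       # hypothetical organisation
EXECUTIVES = {"jane smith"}                            # display names staff will trust
SUPPLIER_DOMAINS = {"acme-supplies.com.au"}            # suppliers Accounts may pay
FREEMAIL_DOMAINS = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
PAYMENT_PHRASES = [                                    # typical BEC request wording
    r"\bwire transfer\b", r"\bnew bank account\b", r"\burgent(?:ly)?\b",
    r"\bconfidential\b", r"\bupdate (?:our|your) (?:bank|account) details\b",
]

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a, b):
    """Levenshtein distance; a small value between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found[mech.lower()] = verdict.lower()
    return found

def bec_indicators(raw_message):
    """Return warning strings for one RFC 822 message; an empty list means clean."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    trusted = {OUR_DOMAIN} | SUPPLIER_DOMAINS
    # Sender legitimacy: who the mail claims to be from, and whether that holds up.
    if display_name.strip().lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        findings.append(f"'{display_name}' is an executive name but the address is external ({from_domain})")
    if from_domain not in trusted:
        for t in trusted:
            if 0 < _edit_distance(from_domain, t) <= 2:
                findings.append(f"sender domain {from_domain} is a lookalike of {t}")
    if from_domain in FREEMAIL_DOMAINS:
        findings.append(f"business request sent from free webmail ({from_domain})")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"replies go to {_domain(reply_to)}, not to {from_domain}")
    for mech, verdict in _auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{mech} check did not pass ({verdict})")
    # Content: money-movement or account-change language, in subject or body.
    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + " " + body.decode("utf-8", "replace")
    hits = [p for p in PAYMENT_PHRASES if re.search(p, text, re.I)]
    if hits:
        findings.append(f"{len(hits)} payment/account-change phrase(s) in subject or body")
    return findings

# Constructed samples: CEO fraud from a lookalike domain, a supplier "bank
# change" from webmail that passes SPF/DKIM anyway, and a genuine message.
SAMPLE_CEO_FRAUD = """\
From: Jane Smith <jane.smith@example-c0.com.au>
Reply-To: jane.smith.ceo@gmail.com
To: accounts@example-co.com.au
Subject: Urgent wire transfer
Authentication-Results: mx.example-co.com.au; spf=none; dkim=none; dmarc=none

Please arrange an urgent wire transfer to a new bank account today. Keep this confidential.
"""
SAMPLE_SUPPLIER_CHANGE = """\
From: Acme Supplies Accounts <acme.supplies.accounts@hotmail.com>
To: accounts@example-co.com.au
Subject: Please update our bank details
Authentication-Results: mx.example-co.com.au; spf=pass; dkim=pass; dmarc=pass

We have changed banks. Please update our account details before the next payment run.
"""
SAMPLE_LEGIT = """\
From: Jane Smith <jane.smith@example-co.com.au>
To: accounts@example-co.com.au
Subject: Board papers
Authentication-Results: mx.example-co.com.au; spf=pass; dkim=pass; dmarc=pass

Attached are the board papers for Thursday.
"""

if __name__ == "__main__":
    for name, sample in [("CEO fraud", SAMPLE_CEO_FRAUD), ("supplier change", SAMPLE_SUPPLIER_CHANGE), ("legit", SAMPLE_LEGIT)]:
        print(name, "->", bec_indicators(sample) or "no indicators")
```

Run the file to see the verdict for each sample. The supplier example is the important one: its SPF and DKIM checks pass, because free webmail providers publish valid records for their own domains, so it is the content check and the call-back to the number already on file that catch it, not the authentication result. Tune PAYMENT_PHRASES and the domain lists to your own organisation before relying on it.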
Sadly, business contacts and email requests can no longer be taken at face value. Teach your team to be aware of the risks, and get your IT Provider to outline what security measures they have configured to protect your devices and network. Combining education and technology will greatly improve the security of your business assets.
If you would like to know more about email filtering, firewalls or how itro can configure your technology to maximise your protection, please call Lucas or Matt now on 1300 10 3000.
[1] Refer to “Hundreds of businesses are being hit by this crafty cyber attack that’s more devastating than phishing scams”, by Dominic Powell, published by SmartCompany-Technology.
[2] For more information on email filters and how firewalls work, read: “5 Steps to Protect Your Data from Theft” and “What is a Firewall and why do we need it?”.