Gone Phishing: David Walton

Has our hurried adoption of all things digital made us rich pickings for the cyber criminals? AML’s Business Director, David Walton, examines this theory below.

18 months into various stages of lockdown restrictions, remote working has become the norm for many. We have all learnt to embrace the freedom and flexibility that technology affords, becoming familiar with and increasingly reliant on the tools and applications that allow us to interact and transact with colleagues and clients at the touch of a button or screen.

The same is true of a more remote home life, especially during stricter measures. Our reliance on, and wider adoption of, tech to communicate and shop was enforced, literally overnight.

But the opportunity this accelerated digital revolution offered was not just for office workers and online shoppers. The millions of people forced to quickly take up these liberating tools provided rich pickings of potential victims for cyber criminals. Many of those potential victims were unwittingly forced online with minimal awareness of the digital jungle they were entering, or even the most basic training needed to protect themselves.

This is your CEO calling…

For businesses, staff working from home needed access to servers and sensitive information on, sometimes, unfamiliar systems. Many of them were using personal hardware and software with varying levels of security. Files and conversations were shared extensively through email to provide ‘audit trails’. This opened a huge vulnerability to attacks from nefarious operators (more on those shortly) exploiting both human error and lapsed security protocols. With 90% of cyber data breaches in 2019 being caused by human error¹, this became easier pickings than hacking through firewalls and monitored systems. A simple Phishing (email), Vishing (phone calls) or Smishing (text) scam could glean enough access to steal data or even money from unsuspecting recipients. Malware hidden in attachments was an all-too-common trap as we emailed more copies of everything to each other.

CEO impersonations were also up 84% in the first half of 2020², where hacked or convincing fake emails were sent asking staff to purchase gift vouchers for clients or approve fraudulent payments. Invoice fraud too has now become a widespread challenge for finance departments as requests to change payee bank details are easily forged or faked. No wonder 39% of businesses reported a cyber-breach or attack in the past 12 months³. This issue is a topic we covered in content for financial clients recently.

What you didn’t order couldn’t be delivered

I’m sure we have all received a message telling us our Royal Mail package could not be delivered. The sudden surge in home deliveries meant inexperienced online shoppers were more likely to be duped into providing their bank details for the redelivery fee, which would have yielded greater returns for criminals during lockdown. The same may well be true of calls, texts and emails from HMRC, banks and credit card companies, where the scammers have been finding ever more convincing ways of replicating web pages or log-in screens, tweaking URLs and cloning untraceable mobile numbers.

Luckily, social media came to the rescue. Online communities sprang up to inform potential victims what to look out for, allowing scams and threats to be shared moments after first appearing. They were posted by those who spotted the smallest of grammatical errors or an unusually formatted email address, so that those less familiar with these tactics could learn the tricks of the trade quickly.

Not from a town near you

So, who is doing this? In reality, it’s not normally a teenage hacker in a bedroom with a laptop and a database purchased on the dark web, sending out 100,000 hopeful, badly worded emails. It’s most likely organised criminal gangs with highly sophisticated operations doing this at scale. Unsurprisingly, these gangs can easily do this from a building in any city or town anywhere in the world. They are largely untraceable, disappearing overnight at will if needed.

In extreme cases, cyber-crime can be conducted at a corporate or even state level too, targeting secrets and valuable sensitive data from other organisations or government departments and suppliers. Our recent ‘Think before you Link’ campaign for CPNI highlighted this growing threat conducted through professional social networks such as LinkedIn.

Armed to the Bluetooth

This is not a challenge exclusive to the older generation getting to grips with a more tech-driven society; it is also one for a younger audience whose lives are lived increasingly online, professionally and financially as well as socially. A heightened sense of the value of their data, and of how the information they freely share about themselves can be used against them, is prudent.

This may all sound dystopian and unnerving, but it is likely to continue apace as our tech adoption increases at its current rate. It therefore places even more importance on education for the public and employees around the need for vigilance, and an increased awareness of what to look out for, as well as a conscious shift to question and verify authenticity more instinctively.

That education need is something we at AML have been helping clients creatively tackle recently, taking this complex and technical topic and finding a simple way of communicating how to protect the data and assets that are increasingly a target for criminals.

The harsh reality is that every one of us is a potential target for cybercrime, but it’s up to us whether we enable others to turn us into victims.

¹ Source: Cybsafe

² Source: UK Finance

³ Source: Department for Digital, Culture, Media & Sport, Cyber Security Breaches Survey 2021