By Helen Teixeira, Securus Global
Originally published in Profile Financial Services – Summer 2013 Newsletter
“Technology is a queer thing. It brings you great gifts with one hand – and it stabs you in the back with the other.”
This quote from CP Snow (a respected 20th century UK scientist and author) could have been written specifically for the internet age. This incredible resource, which has brought us unimagined access to knowledge and huge productivity growth, hasn’t come without a cost. These tools are now available to fraudsters and scammers as well as legitimate individuals and businesses, and they are being used to serve criminal as well as positive ends. This article looks at who the attackers are, how they attack, and what you can do to protect yourself online.
How big is cybercrime?
According to the ABS, between 2007 and 2011 the number of victims of personal fraud in Australia increased from just under 800,000 to almost 1.2 million – an increase of 50% in just a few short years*. Around the world, “Cybercrime” is a well-funded, sophisticated global industry estimated to be worth around USD 388 billion annually – bigger than the legitimate global travel industry***.
Around 80% of cybercrime is believed to be perpetrated by organised cells**. The industry is very attractive to organised crime for many reasons: the pool of easily-accessible victims is huge (every individual and business connected to the internet worldwide), the technology and expertise required to exploit them is cheap, and enforcement and recovery is hampered by national borders and jurisdictional issues.
However it’s not just organised crime that perpetrates attacks. Disgruntled employees (and ex-employees) can do a great deal of damage to businesses with their access to company systems (everything from damaging comments on social media to outright fraud on clients and company bank accounts), and competitors can use the internet to hurt reputations and access commercially sensitive information as well as deliberately sabotage systems.
The weak points
Attackers target vulnerable people, systems and processes. Typical ‘soft points’ include websites, social media (including email), internal networks, smartphones and tablets, computers, credit cards (particularly ‘tap-n-go’ or payWave cards) – the list goes on!
As for the methods they use – most of us know the basics by now, such as avoiding the “Nigerian” scam! However the case studies below are real, recent examples of attacks which would probably catch many of us, even those who think of themselves as internet-savvy:
Case study 1 – a seemingly trustworthy source
We all know not to open email attachments or links from unknown sources. But what about when you are already expecting a file to come through? This scam caught a number of businesses in the US recently. Companies that had advertised a job online were targeted, and received what they thought were applications from legitimate job-seekers. They opened the “Resumes” attached to the applications – which promptly installed malware on their computers, allowing the fraudsters to steal online banking credentials and within a few hours send over $150,000 to offshore accounts before being detected.
Case study 2 – friends on social media
The scam had (fake) huge numbers of ‘likes’ that made the voucher look popular and “live” countdowns that always showed only a few vouchers left, to create a false sense of urgency. It caught huge numbers of people, who were redirected to a range of dodgy internet sites looking to hijack credit card details, personal information and so on. When people found out they’d been scammed, many blamed Woolworths – which is still dealing with the fallout.
Case study 3 – giving away too much online
Companies are being encouraged to move into the internet age at a rate of knots and many are heeding the call, sometimes posting a truly astonishing level of detail about their operations and employees online. At Securus Global, when we’re asked to do a security assessment of a company, one of the first things we do is check out social media sites like Facebook and LinkedIn. Often we’re able to identify many key employees online. From there it’s often a short step to ring up the IT department, and pretend to be the distressed (and powerful) head of HR who’s stranded on the road and forgotten their password. We rarely fail to find someone who’s willing to ‘re-set’ our password and let us into the company systems.
Another classic strategy is to research the personal interests of the key staff or their partners on Facebook, and send them an email purporting to be from, say, their favourite charity (with a suitably dodgy PDF attachment). Nine times out of 10 the attachment will be opened – and we’re in! Such methods are a lot easier (and quicker) than trying to break sophisticated password encryption.
Case study 4 – online pick-pocketing
Many people have gotten a false sense of security with their new “payWave” credit cards, because you have to wave them really near the merchant’s card reader before they’ll release your funds. Unfortunately, scammers aren’t subject to the same technology restrictions and now have pocket-sized machines which can access credit card data wirelessly from 10 metres away or even more. A leisurely stroll through a shopping centre can yield the scammer a treasure trove of hacked credit card numbers, along with enough details to start using them for lower-value transactions where PIN numbers are not required. The next generation of smartphones with NFC chips embedded inside may make this even easier for a remote attacker – they can get you to do the “leg” work for them, using your phone and a “free” app that you downloaded thinking it was legitimate.
How can you protect yourself online?
1. Use strong passwords and manage them properly.
You’d be surprised how often the “Worst Passwords of 2012” get used (see below – our personal favourite is number 12!)**** For anyone trying to break into your system, these are the first ones they’ll try. Next, they’ll move onto pet and family member names and birthdays, which you may have revealed on Facebook. Be smart and use passwords with numbers as well as letters, some non-standard characters and at least 8 characters. Don’t use the same password for every online application, and change them regularly. If you can’t remember them all, pick one to memorise. Put all your passwords on an Excel spreadsheet with that password to open, and carry the spreadsheet with you on a portable USB.
2. Take care who you reveal your details to online.
The green padlock symbol next to the site address, and the prefix “https” (not “http”), mean extra security – you’ll see examples on online banking sites. Don’t proceed to any site if your browser has warned you not to.
3. Stay up-to-date.
It’s important to apply updates, patches and fixes to all your devices as soon as possible – particularly virus protection software! Set them to update automatically.
4. Be smart with email and SMS.
Delete (without opening) unsolicited messages from sources you don’t recognise. If it’s real, and important, they’ll call! And never click on links – find the site yourself via a search engine like Google if you need to visit, or type in the URL address yourself in your browser.
5. Protect your personal details and devices offline too.
Buy, and use, a shredder for receipts, old bank statements etc – because some scammers still get your information the old-fashioned way, by going through your garbage. Password-protect your smartphone, tablet and PC/laptop, and notify your provider ASAP if they are stolen or misplaced. Buy a wallet protector for your payWave cards.
Regularly check bank bills and statements and follow up any anomalies straightaway – this might be the first warning you get that your details have been hijacked. The amounts involved won’t always be large – the smart crims often try a small amount first, to see if you notice, before really taking you to the cleaners.
6. Protect your business.
If you’re an owner or director, this is an area of increasing risk for business. Educate yourself and your staff about the issues, assign someone to be responsible, and develop and implement robust security policies and procedures. You can get expert help from external consultants (such as Securus Global) to test your current security and help you make changes to protect the business, as well as keeping you in touch with the latest developments in the area.
A parting thought
No matter how much technology changes, human nature itself hasn’t really changed much over many thousands of years. The best protection against being scammed today is the same as it was in 1720 (when Sir Isaac Newton and Jonathan Swift, among many others, lost huge amounts in the South Sea Bubble) – if it seems too good to be true, it probably is. Nothing is really for free in this world, whether it’s a hot investment tip, an iPad app or a chance to win a $400 voucher. Don’t let wishful thinking drive your actions – and remember, trust should be earned before it’s given!
* Australian Bureau of Statistics, 18 April 2012.
** “Organised Crime in the Digital Age: The Real Picture”, John Grieve Centre for Policing and Security at London Metropolitan University, March 2012
*** Norton Cybercrime Report 2011, http://us.norton.com/cybercrimereport/