Cybercrime: It’s time to go on the offensive

In light of recent cyber attacks on large firms across the world, Gavin Cunningham of Menzies LLP discusses how to protect your business from cybercrime.

While the threat of fraud is nothing new, the opportunities afforded by online access to business and increased automation of business systems together with the almost universal use of online banking has led to a sharp rise in cybercrime. Every second of every day attempts are being made to defraud UK businesses which are not yet doing enough to protect themselves.

According to a new report from Cifas, a fraud prevention service, out of 325,000 cases of fraud recorded against businesses in 2016, 88 per cent of identity frauds and 30 per cent of facility takeovers were committed online. This demonstrates the massive opportunity the internet affords to organised and dedicated fraud gangs.

Despite this, the majority of UK businesses – 70 per cent – admit to not having any business continuity plan in place to protect them against these crimes. In order to mitigate damage and protect the company’s reputation, it is essential that processes are put in place to respond effectively in the event of a fraudulent attack and, more importantly, to avoid it happening in the first place.

While internet attacks may be motivated by individual malevolence or even state organised cyber warfare, most organised criminal activity is conducted against businesses for financial gain – internet access is the new medium to attempt fraud. ‘Phishing’ frauds involve fraudsters exploiting email systems and intercepting and changing key data with the aim of tricking a business into transferring money directly to a fraudulent account.

The ‘bait’ is a circular or false email, or a malicious link; if it is responded to or clicked on, the fraudster can access and extract information from the firm’s business network. A particularly dangerous variation of this attack, ‘spear-phishing’, involves a fraudster researching details about a target business and then establishing email contact to request a transfer of funds using seemingly genuine credentials, for example, the apparent identity of a known supplier.

Many of these cases begin when a fraudster uses information about a supplier obtained via email and from their website and then makes minor changes to the supplier email address before attempting to direct payments to their own account.

The professional and organised nature of many cyberattacks requires organisations to adopt a meticulous approach to checking data and spotting anomalies relating to external payments. In many cases, fraudulent payment requests can be very difficult to identify, with email addresses changed by just one character and invoices sent out to look exactly like real ones from a customer or supplier but crucially with different bank account details.

National Cyber Security Strategy

The government has published a “National Cyber Security Strategy” with the stated aim of making the UK secure and resilient to cyber threats. As part of this it provides some preventative advice through its “Cyber Essentials” scheme which is a useful first port of call for businesses considering what they need to do.

The government’s own survey suggests that complacency and lack of basic knowledge are the biggest problems that need to be addressed and with the growing incidence of online fraud attempts this is becoming increasingly urgent.

Existing government guidelines around fraud prevention focus on training staff to be vigilant in spotting potential signs of online criminal activity; until effective software is developed that can spot potential fraud attempts, staff are the first line of defence. Introducing checks that might identify any changes to the email addresses of intended payees before transferring funds is an essential step.

It is also important to emphasise the need to be on the look-out for suspicious or unexpected emails. Emails with an address that does not match up to the supposed sender, or with strange attachments, should not be opened or forwarded on under any circumstances. Doing so could simply spread the problem further and allow malware to infect your systems.

While engaging workers in the need to remain alert to suspicious correspondence and anomalies is an essential part of the battle against cybercrime, where possible businesses should not leave themselves vulnerable to human error. Firms can introduce an additional layer of security by adapting existing accounting software, or bringing in new software that can identify changes in supplier details to issue an alert, for example.

Once an anomaly has been flagged, it should be immediately examined so that payments against false invoices or payments to the wrong bank account can be stopped before any transfer of funds is authorised.
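The supplier-detail check described above, as an added example that is not part of the original article: a payment request is compared against a hypothetical supplier master record, a sender address that differs from the record by only one or two characters is flagged as a likely lookalike, and any change in bank details holds the payment for verification. Supplier IDs, addresses and account numbers are constructed sample data.

```python
# Constructed supplier master record (hypothetical data, not from the article).
SUPPLIER_MASTER = {
    "SUP-0042": {
        "email": "accounts@acme-supplies.co.uk",
        "sort_code": "12-34-56",
        "account": "12345678",
    },
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_payment_request(supplier_id: str, sender_email: str,
                          sort_code: str, account: str) -> list:
    """Compare a payment request against the supplier master record.

    Returns a list of alerts; an empty list means the request matches the
    record and can proceed to the normal approval flow.
    """
    record = SUPPLIER_MASTER.get(supplier_id)
    if record is None:
        return [f"unknown supplier {supplier_id!r}: hold payment"]
    alerts = []
    known, seen = record["email"].lower(), sender_email.lower()
    if seen != known:
        dist = edit_distance(known, seen)
        if dist <= 2:  # the one-character change the article warns about
            alerts.append(f"lookalike sender {sender_email!r} is {dist} edit(s) from "
                          f"record {record['email']!r}: likely spoofed")
        else:
            alerts.append(f"sender {sender_email!r} does not match record {record['email']!r}")
    if (sort_code, account) != (record["sort_code"], record["account"]):
        alerts.append("bank details differ from supplier record: hold payment and "
                      "confirm with the supplier on a previously known phone number")
    return alerts

if __name__ == "__main__":
    # Constructed request: one letter dropped from the domain plus new bank details.
    for alert in check_payment_request("SUP-0042", "accounts@acme-suplies.co.uk",
                                       "65-43-21", "87654321"):
        print("ALERT:", alert)
```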

The recent cyberattack affecting the NHS is also a powerful reminder of the need for businesses to get the basics right when it comes to online fraud prevention. The organisation has been criticised for its reliance on outdated computer systems and for failing to perform software updates regularly.

Anti-virus software can also offer some protection to machines; however, businesses should be aware that cybercriminals are constantly looking for new ways to override such systems.

Speedy response to cybercrime

In any instance of fraud, the effectiveness of damage limitation is greatly increased where the organisation is able to respond quickly. However, the immediate nature of online banking in the context of phishing fraud makes this even more critical.

The fact that many cases of online fraud are conducted from overseas makes it even more difficult for law enforcement agencies to trace those responsible or for civil law remedies to be followed so those affected can initiate legal proceedings to recover the funds.

As soon as firms suspect that something has gone awry after making a payment, immediately informing their bank is a crucial first step, increasing the likelihood of a transaction being frozen. Calling in forensic investigation professionals can also significantly increase the chance of a positive outcome.

In 2016, Prime Minister Theresa May announced a taskforce comprising key representatives from the government, law enforcement and the banking sector to crack down on online fraud, which she stated “shames our financial system”.

With the authorities currently struggling to protect businesses from these attacks, developing legislation which makes banks more responsible for protecting their own customers against fraudulent transactions would go a long way towards preventing this type of activity. For example, rather than the onus being on businesses to remain vigilant for signs of suspicious payment requests, banks should be required to perform checks to prevent fraudulent accounts being set up in the first place.

Moreover, if a fraud has clearly been identified, businesses should have the right on request to obtain detailed information about the passage of payments and the identity of the payee to assist in their attempts to recover the money rather than the banks sheltering behind client confidentiality as often happens currently.

With cyberattacks occurring constantly, businesses of all sizes cannot afford to ignore the threat posed by online fraud, and whether or not recent government initiatives and measures will go far enough in protecting organisations against cybercrime remains to be seen.

As online fraudsters become increasingly organised and sophisticated in their approach, it is essential that businesses keep systems’ security under review and implement a risk-mitigation strategy to minimise disruption and protect their financial assets from cybercrime.

Gavin Cunningham is head of forensic services at Menzies LLP.
