The statistics on cybercrime are as frightening as they are eye-watering. The latest estimate from the European Commission puts worldwide losses as a result of cybercrime at €350 billion annually and predicts this to rise almost six-fold to €2 trillion by 2020. From an employment point of view, the Commission estimates that this relatively new form of criminal activity has already cost 150,000 jobs in Europe alone.
Many people think that they are safe because they are not wealthy or high profile enough for a cybercriminal to be interested in them. Nothing could be further from the truth. People should realise that the criminals are interested in anything which they can make money from, regardless of the amount involved.
The automated nature of cyber-attacks means that even quite small amounts of money are profitable for the criminals. Take a phishing attack aimed at scamming small amounts of money from people’s online bank accounts, for example. The automated software responsible for these attacks is frequently designed to avoid early detection by only taking a few euro at a time from an account. Multiply this across hundreds, thousands or even tens of thousands of accounts and the money quickly adds up.
And the cleverness doesn’t stop there. The criminals are adept at covering their tracks. One favoured means is through so-called “mule” accounts. These are legitimate bank accounts often owned by people who are leaving a country permanently. The criminals pay the owners for the use of their accounts and use them as conduits to ship the money out of the country.
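A bank-side view of the two paragraphs above, as an added example that is not part of the original article: a size-only rule never sees debits of a few euro, but grouping small debits by destination exposes an account collecting from many different customers. The ledger, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger: (source_account, destination_account, amount_eur).
SAMPLE_DEBITS = (
    [(f"ACC{i:03d}", "DEST-A", Decimal("3.50")) for i in range(8)]    # many small debits, one collector
    + [(f"ACC{i:03d}", "CAFE-1", Decimal("4.20")) for i in range(6)]  # ordinary small purchases
    + [("ACC001", "LANDLORD", Decimal("900.00")),                     # large but legitimate
       ("ACC002", "DEST-B", Decimal("2.00"))]                         # isolated small payment
)

# Assumed thresholds, chosen for illustration only.
PER_TXN_ALERT = Decimal("500")  # classic "large transaction" rule
SMALL_DEBIT = Decimal("10")     # ceiling for "a few euro"
MIN_SOURCES = 5                 # distinct paying accounts before a destination is flagged


def per_transaction_alerts(debits):
    """Debits a size-only rule would flag; small skims never reach it."""
    return [d for d in debits if d[2] >= PER_TXN_ALERT]


def fan_in_suspects(debits, known_merchants=frozenset()):
    """Destinations receiving small debits from many distinct accounts.

    Returns {destination: (distinct_sources, total_eur)}. Destinations in
    known_merchants are skipped, since shops legitimately show this shape.
    """
    sources = defaultdict(set)
    totals = defaultdict(Decimal)
    for src, dst, amount in debits:
        if amount <= SMALL_DEBIT and dst not in known_merchants:
            sources[dst].add(src)
            totals[dst] += amount
    return {dst: (len(srcs), totals[dst])
            for dst, srcs in sources.items() if len(srcs) >= MIN_SOURCES}


if __name__ == "__main__":
    print("size-only alerts:", per_transaction_alerts(SAMPLE_DEBITS))
    print("fan-in suspects:", fan_in_suspects(SAMPLE_DEBITS, {"CAFE-1"}))
```

Without the merchant allowlist the café is flagged too, which is why a fan-in rule needs a list of known payees before it is usable.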
Another preferred way of evading early detection is to target people’s insurance policies with claims. As long as the claim is low enough not to trigger personal contact from the insurance company, or if the contact details associated with it are altered, it can be years before the fraud is detected, because most people’s claims frequency is normally very low.
Some attacks aren’t quite so stealthy, however. One that has grown in frequency is so-called ransomware. This is a piece of malware often contained in a seemingly innocent web page or email attachment. This literally locks the user out of all of their files and data until such time as a ransom is paid, usually in bitcoin. Attempts to bypass or neutralise the malware can result in all files and data on the device being deleted.
Unsurprisingly, quite a few victims end up paying the ransom.
Not all cybercrime starts on the internet. Indeed, much of it starts with traditional fraud. Once a criminal gets hold of credit card details, either by physically stealing the cards or by other means such as listening in on phone calls, the most efficient way to profit from their crime is the internet.
One way is to offer an expensive item such as a new iPhone for sale on eBay. Once they have a buyer for it, they use the stolen credit card details to order it from an online retailer, giving their eBay buyer’s address for delivery. It is simple, neat and effective, and it cuts out having to use the middleman of a traditional fence or trader in stolen goods to monetise the card.
Those criminals who do not wish to go to this trouble have a ready market for credit card details on the so-called dark web where organised criminal networks will pay for them.
All of this happens because we live in a world that is incredibly dependent on technology. We interact with our banks and employers using technology. This has made our personal and working lives more efficient but it has also made fraud more efficient.
Sometimes the criminals exploit the intersections between our personal and social lives. One particular form of cybercrime is known as CFO fraud. This employs very realistic looking emails apparently from an organisation’s CFO instructing the accounts department to pay a bill as a matter of urgency.
The criminals have used social media to track the CFO, finding out when they are going on holiday and where to. After that it’s a relatively simple task for them to create a spoof email in the CFO’s name which will begin with a reference to where they are spending their holiday in order to persuade the recipient of its authenticity.
That should serve as an object lesson in why people shouldn’t share intimate life details on social media. It’s not only burglars who can profit from knowing when you’re not home.
What can you do?
To be cyber-secure you have to start with yourself. Even the most secure technology solutions will prove worthless if undermined by irresponsible or thoughtless behaviour on the part of the individuals using them.
For example, it is well known that a number of firms in Ireland have been subject to successful ransomware attacks over the past two years. The only real defence against this form of attack is a combination of extreme vigilance and safety measures. This means having all anti-virus software up to date and never opening an attachment from an unknown source. It also means backing up all files and data regularly and disconnecting the storage device between backups to ensure that it doesn’t become infected during an attack.
That same sort of good housekeeping should apply to passwords. All too often people use the same password for multiple sites and services and indeed their workplace login – this means that it only has to be compromised once for all of your accounts to be potentially opened up to the fraudsters. The answer is to use different passwords which are changed regularly. If you are worried about forgetting them or getting confused there is software available to store and manage them.
And there are simple steps to take. Don’t go onto any site that you don’t know is safe. Don’t do any online shopping on a site that you don’t know is reputable. Don’t share credit card details on any site if you aren’t absolutely sure about its security levels – use services like PayPal instead.
Check your online banking system at least once or twice a week to monitor activity on your credit and debit card accounts.
Another thing to be careful about is what you plug into your computer. Grant Thornton carried out an exercise for the RTE programme “Hacked” last year where we left hundreds of USB keys lying around Dublin city centre and one third of them were plugged into computers within eight hours. Those USB keys could have carried malicious software but it seems that people didn’t care or understand the risks.
Cybercriminals are very good at psychology and social engineering. Social media friend requests therefore have to be treated with caution. Very often these are from cybercriminals who are using it to gather information about you, your workplace, your family and your friends.
Finally, paranoia is good. If it sounds too good to be true it is too good to be true. If someone asks for data don’t give it away.