Local stories of cybercrime

Jun 24, 2024

Cybercrime and scams continue to rise, costing Australian businesses millions each year. According to the ASD’s Annual Cyber Threat Report 2022-23, the number of reported cybercrime incidents rose by 23 percent in the past year, with the average cost of a cyberattack to a business increasing by 14 percent. Scarily, it’s not just big organisations being targeted. Cybercriminals have realised it’s often easier and still very lucrative to target SMEs. On average, a cyberattack costs small businesses $46,000 and medium-sized businesses $97,200.

And this represents just the tip of the iceberg in business losses from cybercrime as the majority of incidents are still not reported.

As a company offering help-desk support and a Cyber Security Concierge Service, we regularly see the impact these disasters have - stress, loss of time, loss of income, support costs to regain control of accounts and IT systems, plus the legal requirements and implications. On top of all that, a cybercrime incident can put a company out of business for days or even weeks.

Some real-life examples illustrate the point …

Local tradie’s loss

A local tradie called IT Basecamp for help to re-secure his email. His account had been hacked, leading to thousands of dollars of invoice payments going to a hacker instead of his own bank account.

In this situation, the tradie used his Outlook account to send invoices to his clients - a common business practice. Once the hacker had gained access to the tradie’s email he was able to divert these outgoing invoices. After changing the banking details on the invoice to his own, the hacker sent the email on to the clients. The result? The clients, unaware of the fraud, diligently paid the invoices into the hacker’s bank account and the theft was only discovered later when the tradie followed up unpaid invoices.

An organisation’s silent observer

In another scenario, a larger organisation regularly received phishing emails - fraudulent messages attempting to obtain sensitive information by pretending to be a trustworthy source. Luckily, these emails were immediately recognised as phishing, and no sensitive information was leaked. However, no one could figure out where they originated from.

Eventually, the organisation’s email account received a notification that the “forwarding mailbox is full”. What forwarding mailbox? Upon investigation, it was discovered that the hacker had gained access to the account at some point in the past and set up an auto-forwarding rule that forwarded every email the organisation received to the hacker’s account. This explained the knowledge used in the phishing emails and, given the quantity of mail it takes to fill an email account, revealed that the hacker’s surveillance of the organisation had been taking place for years.
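The forwarding rule in this story sat unnoticed for years because nobody looked for it. The PowerShell below is an added example, not from the article or IT Basecamp, that audits every mailbox in a Microsoft 365 tenant for inbox rules that forward or redirect mail to an external domain; it also goes slightly beyond the story by checking mailbox-level forwarding set through the admin side. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with an account allowed to read mailbox configuration, and that the internal-domain list is a placeholder you replace with your own.

```powershell
# Added example (not from the article): find inbox rules and mailbox settings
# that send copies of incoming mail outside the organisation.
# Assumes: ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session.
$InternalDomains = @('example.com.au')   # placeholder, replace with your own domain(s)

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets look like "Display Name" [SMTP:user@domain]; mailbox forwarding
    # looks like smtp:user@domain. Extract the address and compare the domain.
    if ($Address -match '([\w\.\-\+]+)@([\w\.\-]+)') {
        return ($InternalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding, which can be set by an admin or a compromised account
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding'
            Rule = '-'; Target = $mbx.ForwardingSmtpAddress; DeletesCopy = $false
        }
    }
    # 2. User-created inbox rules that forward, forward-as-attachment or redirect mail
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'
                    Rule = $rule.Name; Target = [string]$t; DeletesCopy = $rule.DeleteMessage
                }
            }
        }
    }
}

# DeletesCopy = True is the quiet variant: the owner never sees the forwarded mail.
$findings | Format-Table -AutoSize
```

Run this on a schedule and alert on any new row; a rule whose name is blank, a single character or a lookalike of a built-in rule deserves a closer look.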

How did a cybercriminal gain access to these accounts? The answer might be easier than you think. As little as downloading software or clicking on a link in your email can open the cybercrime doorway. Using the same password for multiple accounts and having simple or short passwords create their own vulnerabilities, but even a strong password won’t protect you if you fall victim to a phishing attack. Without extra security measures like 2FA, it truly becomes a matter of when, not if, an attack will happen.

2-factor protection

In both these scenarios simple 2-step or 2-factor authentication (2FA) would have protected the companies from an attack. Two-factor authentication adds a second layer of protection to an account, so even if a cybercriminal gets access to a password somehow, the account is still secure. The method relies on two factors: ‘knowledge’ and ‘possession’. The knowledge factor is something you know (e.g., your password) and the possession factor is something physical you have access to (e.g., an authentication code or key, usually via your phone). Without both factors, your identity cannot be verified and access to the account is denied.

Yes, it takes about ten minutes to set up, and yes, it might seem like a lot of hassle. But compared to allowing a cybercriminal access to your personal information and funds? It’s worth the effort.

Take the time to complete the full setup for multifactor authentication, including backup recovery contacts and recovery codes. It is important. If you lose access to one or more of your verification methods (e.g., you forget your password or lose your phone), you will need a backup method. Once 2-factor authentication is set up, your account is secure, remember? This means you, too, will be denied access if you cannot verify your identity.

Setting up 2-factor authentication

Instructions for setting up 2-factor authentication on your Google and Microsoft email accounts can be found here:

Did we mention it’s really important to set up backup account recovery methods when you turn 2FA on? If you ever need to recover the account, you will need two ways to verify your identity. If your primary method is inactive because you have lost your phone or forgotten a password, you will need to rely on a backup method.

Make sure to check out the 2FA Directory. It provides a list of all websites that support 2FA as well as instructions on how to set it up. It’s well worth at least a browse to see how many of the apps you use in your business and personal life can be set up with 2FA.

If you are scammed

In the two examples given above - a hacker diverting invoice payments of a tradie and an organisation subjected to multiple phishing attacks - the clean-up process in each case was significantly different. For the tradie, uncovering the losses was no doubt extremely stressful. Fixing the situation took significant time dealing with his bank to report the crime and secure his account. There were also IT support costs incurred for recovering and securing the Microsoft account.

Even though no financial harm occurred to the organisation whose email account was accessed and monitored by a hacker over a period of time, the resulting scenario had legal implications due to its annual turnover being greater than $3 million. When an unauthorised person gains access to sensitive information, it’s considered a data breach. In Australia, there are laws that dictate how such breaches need to be handled. Any “agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more” are bound by the Notifiable Data Breach (NDB) scheme and are legally required to notify the Office of the Australian Information Commissioner (OAIC) as soon as a breach is discovered. Regardless of the annual turnover, this scheme also applies to private sector healthcare providers, credit reporting bodies, credit providers, entities that trade in personal information, and tax file number (TFN) recipients. From here companies are guided through the correct processes: procedures for containment, assessment, remedial action and review.

Regardless of the scam’s extent, large or small, reporting the situation to the Australian Competition and Consumer Commission’s Scamwatch program is a worthwhile way to help us all stay on the right side of cybercrime. Forewarned is forearmed, and helping compile statistics and information on crime will help the business community stay ahead of hackers.

How to avoid being scammed

Aside from implementing the correct technology solutions, whether it be individuals simply activating 2-factor authentication, or companies deploying full network security equipment and cybercrime policies, education is an important aspect of avoiding scams. Keep yourself and your staff up-to-date. If staff are aware of the methods and techniques cybercriminals use, they are more likely to recognise a scam rather than fall victim to it. To keep yourself and others safe from cyber attacks, make sure to complete and share the free Cyber Heroes Security Fundamentals course.

If you are unsure how you can protect your business from cybercrime, IT Basecamp provides a vast amount of informational resources and services to implement a security-focused business continuity plan. IT Basecamp’s cyber security division, Cyber Heroes, also provides a cybersecurity program to help you educate staff, implement and improve processes, and comply with government or industry-specific regulations.

If you want to implement full-strength cybercrime protection for your business, contact IT Basecamp or Cyber Heroes today.