Cybercrime and scams continue to rise and are costing Australian businesses millions each year. The government’s Scamwatch website identifies that in 2018 Australian businesses lost as much as $2.8 million to business email compromise (BEC) scams. This represents just the tip of the iceberg in business losses from cybercrime though as BEC attacks are only one of many types of scams taking place. It also only accounts for the instances that were actually reported. Scarily, it’s no longer just big organisations being targeted. Hackers have realised it’s often easier and still lucrative to target SMEs.
As a company offering help-desk support, we regularly see the impact these disasters have - stress, loss of time, loss of income, support costs to regain control of accounts and IT systems, plus the legal requirements and implications.
Local tradie’s loss
Recently a local tradie called in looking for help to re-secure his email. His account had been hacked, leading to thousands of dollars of invoice payments going to a hacker instead of his own bank account.
In this situation, the tradie used his Outlook account to send invoices to his clients - a normal business practice. Once the hacker had gained access to the tradie’s email he was able to divert these outgoing invoices. After changing the banking details on the invoice to his own, the hacker sent the email on to the client. Result? The client diligently pays the invoice into the hacker’s bank account and the theft is only realised later when the tradie follows up unpaid invoices.
In another scenario, a larger organisation regularly received phishing emails (fraudulent messages attempting to obtain sensitive information by pretending to be a trustworthy source). Luckily these were always recognised as phishing and no sensitive information was leaked, but no-one could figure out where they originated. Eventually, the organisation’s email account received notification that the “forwarding mailbox is full”. What forwarding mailbox? On investigation it turned out the hacker had gained access to the account at some point in the past, set up an auto-forwarding rule that forwarded EVERY email the organisation received to the hacker’s account. This explained the knowledge used in the phishing emails and, given the quantity of mail it takes to fill an email account, the hacker’s surveillance of the organisation had clearly been taking place for YEARS.
How did hackers gain access to these accounts? It’s easier than you think to give hackers access to your PC. As little as downloading software or clicking on a link in your email can open the cybercrime doorway. Using the same password in multiple places and using simple passwords create their own vulnerabilities. Without extra security measures, it truly becomes a matter of not if, but when an attack happens.
2-factor protection
In both these scenarios simple 2-step or 2-factor authentication (2FA) would have protected the accounts from attack. Two-factor authentication adds a second layer of security to an account, so even if a hacker does discover your password, your account is still secure. It relies on knowledge and possession - the ‘knowledge’ is something you know, ie your password, and the ‘possession’ is something you have access to, ie an authentication code or key (usually via your phone). Without both of these your identity cannot be verified and access to the account is denied.
Yes, it will take you about ten minutes per account to set up; and yes, it does sound like a lot of hassle … but compared to allowing a criminal access to your personal information and funds? Just get it done.
IMPORTANT NOTE: Take the time to do the full set up and complete the backup recovery contacts and recovery codes. It is important. If for some reason you lose access to one or other of your verification methods (you forget your password for example, or lose your phone) you WILL need a backup method. Once 2-factor authentication is set up your account is now secure, remember? You, too, will be denied access if you cannot properly verify your identity.
Setting up 2-factor authentication
Instructions for setting up 2-factor authentication on your email accounts can be found here:
- Google - https://www.google.com.au/landing/2step/
- Microsoft - https://support.microsoft.com/en-au/help/12408/microsoft-account-how-to-use-two-step-verification
Did we mention it’s REALLY important to set up backup account recovery methods when you turn 2FA on? If you yourself ever need to recover the account you will need two ways to verify your identity. If your primary method is inactive because you have lost your phone or forgotten a password, you will need to rely on a backup method.
Of course email accounts are only one point of vulnerability in today’s world. PC Magazine provides a comprehensive list of the most commonly used apps and instructions on how to activate 2FA in this article - Two-factor authentication: who has it and how to set it up. Well worth at least a browse to see how many of the apps you use in your business and personal life.
If you are scammed
In the two examples given above - a hacker diverting invoice payments of a tradie and an organisation subjected to multiple phishing attacks - the clean-up process in each case was significantly different. For the tradie, uncovering the losses was no doubt extremely stressful. Fixing the situation took significant time dealing with his bank to report the crime and secure his account. There were also IT support costs incurred for recovering and securing the Microsoft account. Once this was all cleaned up it was back to business.
For the organisation whose email account was accessed and monitored by a hacker over a period of time, even though no financial harm was done, the resulting scenario had legal implications because the organisation’s annual turnover is greater than $3 million. Whenever an unauthorised person gains access to sensitive information it is referred to as a data breach and in Australia there are laws covering the handling of these. Any “agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more” are bound by the Notifiable Data Breach (NDB) scheme and are legally required to notify the Office of the Australian Information Commissioner (OAIC) as soon as a breach is discovered. From here companies are guided through the correct processes: procedures for containment, assessment, remedial action and review.
In any case of a scam, large or small, reporting the situation to the Australian Competition and Consumer Council’s Scamwatch program is a worthwhile way to help us all stay on the right side of cybercrime. Forewarned is forearmed and helping to compile statistics and information on crime will help the business community keep ahead of hackers.
How to avoid being scammed
Aside from implementing the correct technology solutions, whether it be individuals simply activating 2-factor authentication, or companies deploying full network security equipment and cybercrime policies, education is an important aspect of avoiding scams. Keep yourself and your staff up-to-date. If staff know the types of methods and techniques scammers and hackers use, they are likely to recognise and identify a scam rather than falling victim to it. Scamwatch is a good source for keeping up-to-date in this area.
ITBasecamp acknowledges the traditional owners and custodians of the country in this area and pay our respects to elders past, present and emerging. The South Coast of New South Wales where we live is Yuin country but indigenous people here come from a number of different groups including Brinja-Yuin, Budawang, Jerrinja, Murramarang, Walbunja, Wandandian and Wodi Wodi. We recognise their continuing connection and contribution to this land.