When your email is hacked.

Without enhanced email security, you can’t know when it has been. Last year fraudsters claimed $12 billion through email security breaches (FBI figures), and these attacks are worryingly on the increase.

Don’t let your company be one of the victims.  

As an example, in the middle of last year one of Toyota’s major suppliers released some harrowing news: it had fallen victim to an email scam. More to the point, it had been hit by a ¥4 billion (JPY) email scam, roughly $37 million at late last year’s exchange rate.

Toyota Boshoku Corporation was fleeced out of the payment after fraudsters targeted someone in the organisation with financial authority and convinced them to change the account details for an electronic bank transfer.

This type of attack is called Business Email Compromise (BEC), and it is on the rise because it is simple and effective. 64% of businesses experienced a phishing attack in the last year, and worryingly 43% of breaches involved small businesses.

A form of targeted phishing, these emails are becoming more difficult to recognise by the day. While there are methods that eliminate the majority of these scam emails, breaches are becoming more common because companies aren’t putting enough in place to protect themselves.

On top of phishing emails, 52% of breaches featured hacking as part of the process. It is a sign that these attacks are getting smarter, and that the defences need to be more intelligent as well.

Are you financially protected?  

Two big questions for many small business owners will be:  

1. Can we recover any misdirected funds?

2. Will we/I be liable?

We reached out to Simon J. Walsh at Oury Clark, chartered accountants and financial advisors in London, to ask exactly who is liable should you pay the wrong bank account.

“As long as an individual has not acted fraudulently, or with intent or with gross negligence, the regulations state that where a customer hasn’t authorised a payment, the bank should refund the money.  

If a customer has authorised the payment themselves, the starting point at law is that the bank will not be liable for the customer’s loss, even when the customer is the victim of a scam.

That said, at the end of May last year a voluntary code was adopted by most of the leading UK banks to give consumers further protection in situations where they have been the victim of fraud.”

There isn’t any guarantee that you will be financially protected should you be targeted, so do not take the risk.  

What do the experts say?

Our team are seeing more and more BEC attacks, and it’s shocking how involved and intricate they are. Our cyber security expert Yugansh Sharma shares here what businesses are facing and the effect it’s having on their teams.

Yugansh Sharma

“It seems surprising at first that we’ve seen an increase in email and security breaches for SMEs in the last 6 months alone, but then again if I were running a hacking or malicious organisation, I’d find it a lot easier to target an SME, who tend to be less security conscious and therefore have less security in place, compared to a 2,500-user enterprise.

The most common breach we’ve seen is an email pretending to be from what looks like a valid source, such as Microsoft, OneDrive, Dropbox etc., tricking the user into entering their login details, which end up in the hacker’s inbox.

Or an email that looks like it’s coming from your boss requesting an urgent payment transfer into a different bank account. 

We’ve seen both lead to fraudulent bank transfers ranging from £20K to £250K – one of the parties involved even had a security compliance department! 

My advice is to get technical solutions in place – you might be tech savvy, but these emails are getting increasingly sophisticated and your receptionist or finance controller might not be the best at keeping up to date with hacking trends.

In the meantime, if someone’s changed their bank account details, triple-check that, and if you’ve clicked on what might be a dodgy link or just generally want to see how you are doing with your security, get in touch with us.”

One of the cornerstones of preventing cyber-attacks is employee awareness. Here are some critical takeaways from Lucidica’s experience to help you spot any potential cybersecurity breaches within your business: 

Disguise Self  

34% of breaches involved internal actors, and fraudsters also pretend to be people from inside your organisation. They spend weeks monitoring individual mailboxes and conversations, learning how best to play the role. Solutions such as ATP (Advanced Threat Protection) and two-factor authentication can eliminate a large proportion of the malicious links sent to your mailbox and keep fraudsters out of your account should your credentials be stolen. ATP is a paid add-on to your mailbox that uses AI to scan every incoming link and attachment for malicious content, preventing anything nasty from coming in; bear in mind that a plain-text email asking finance to change a bank account carries no link or attachment to scan, which is why the payment checks further down still matter. Activating two-factor authentication on logins is entirely free: you can use the built-in options or Microsoft’s free Authenticator app. SMEs are at significant risk. Generally seen as being weak on security, they are often targeted as the weak link in a bigger chain.
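The impersonation described above (a colleague’s name on an outside address, a domain one typo away from yours, a Reply-To that quietly goes elsewhere) can be flagged on inbound mail before anyone in finance sees it. The script below is an added example, not Lucidica’s tooling or anything from the page; the company domain, the staff directory and the three sample messages are constructed for illustration.

```python
"""Flag inbound mail whose sender impersonates a colleague: a staff member's display
name on an external address, a lookalike domain, or a Reply-To pointing elsewhere.
Added example, not Lucidica's tooling. The company domain, staff directory and
sample messages are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example.co.uk"  # assumed company domain
# Constructed staff directory: display name -> genuine corporate address.
DIRECTORY = {
    "Jane Smith": "jane.smith@example.co.uk",
    "Tom Brown": "tom.brown@example.co.uk",
}
# Words typical of BEC payment requests; only used once another signal has fired.
URGENCY_WORDS = ("urgent", "bank details", "account details", "wire", "transfer")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch domains one or two typos away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> List[str]:
    """Return the reasons a message looks like impersonation (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons: List[str] = []
    if domain == COMPANY_DOMAIN:
        # A forged internal address is for SPF/DKIM/DMARC to catch, not this check.
        return reasons
    if display.strip() in DIRECTORY:
        reasons.append(f"staff display name '{display}' on external address {addr}")
    if 0 < levenshtein(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain}")
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if reasons and any(word in text for word in URGENCY_WORDS):
        reasons.append("external sender plus payment/urgency language")
    return reasons


# Constructed sample messages.
SPOOFED_DISPLAY_NAME = """From: Jane Smith <jane.smith@gmail.com>
Reply-To: jane.smith.ceo@mail-example.com
To: accounts@example.co.uk
Subject: Urgent payment today

Please send the transfer to the new supplier account below.
"""
LOOKALIKE_DOMAIN = """From: Tom Brown <tom.brown@examp1e.co.uk>
To: accounts@example.co.uk
Subject: Invoice

Attached.
"""
GENUINE_SUPPLIER = """From: Acme Supplies <invoices@acme-supplies.example>
To: accounts@example.co.uk
Subject: Invoice 4471

Please find attached this month's invoice.
"""

if __name__ == "__main__":
    for label, raw in [("spoof", SPOOFED_DISPLAY_NAME),
                       ("lookalike", LOOKALIKE_DOMAIN),
                       ("genuine", GENUINE_SUPPLIER)]:
        print(label, assess_sender(raw) or "clean")
```

The check deliberately returns nothing for mail that genuinely carries your own domain: a forged internal address is a job for SPF, DKIM and DMARC on your mail gateway, and this script only covers the cases those standards cannot, where the address is real but the name or domain is the lie.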

Get off my cloud

With the majority of companies migrating to cloud-based services for their cost-efficiency, hackers’ focus has shifted too. Theft of data using credentials stolen through phishing scams is on the rise, so look at adding extra layers of protection to your cloud-based services. Software such as Microsoft Cloud App Security and device management tools can apply rules and data restrictions to prevent data loss. This type of software uses AI to monitor behaviour and notifies you when unusual activity starts to occur, for example a sign-in from a country or device the user has never used before. There are also scans and phishing training that you can carry out on your systems and internally with your team.
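The kind of behavioural alert described above has a well-known concrete form: “impossible travel”, where one account signs in from two places too far apart to reach in the time between them, which is exactly what a stolen password in use looks like. The script below is an added example of that rule, not Microsoft’s or Lucidica’s code; the sign-in records are constructed rather than real audit-log output, and the speed and distance thresholds are assumed values.

```python
"""Impossible-travel check over sign-in records: two sign-ins by the same account from
places too far apart to reach in the time between them point to a stolen credential
in use. Added example, not Microsoft's or Lucidica's code; the sign-in records below
are constructed rather than real audit-log output, and the thresholds are assumed."""
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: about airliner speed; faster is "impossible"
MIN_DISTANCE_KM = 50.0           # assumed: ignore geolocation jitter within one city

# Constructed sign-in records: (user, UTC timestamp, latitude, longitude, source IP).
SAMPLE_SIGNINS = [
    ("tom.brown", "2020-03-02T08:05:00", 51.507, -0.128, "203.0.113.10"),   # London
    ("tom.brown", "2020-03-02T08:40:00", 40.713, -74.006, "198.51.100.7"),  # New York, 35 min later
    ("jane.smith", "2020-03-02T09:00:00", 51.507, -0.128, "203.0.113.11"),  # London
    ("jane.smith", "2020-03-02T17:30:00", 48.857, 2.352, "192.0.2.5"),      # Paris, 8.5 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    radius = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert (user, km, hours, implied km/h) per consecutive pair of
    sign-ins that would need a faster-than-plausible journey."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, ip in signins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon, ip))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological per user
        for (t1, la1, lo1, ip1), (t2, la2, lo2, ip2) in zip(events, events[1:]):
            if ip1 == ip2:
                continue  # same address: a token refresh, not travel
            km = haversine_km(la1, lo1, la2, lo2)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / max(hours, 1 / 3600)  # treat sub-second gaps as one second
            if speed > max_speed_kmh:
                alerts.append((user, round(km), round(hours, 2), round(speed)))
    return alerts


if __name__ == "__main__":
    for user, km, hours, speed in impossible_travel(SAMPLE_SIGNINS):
        print(f"ALERT {user}: {km} km in {hours} h ({speed} km/h)")
```

In production this rule needs allow-listing for VPN exit points, mobile carrier NAT and coarse IP geolocation, all of which manufacture “journeys” that never happened; the same-IP and minimum-distance skips above are the first two of those filters, not the last.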

Show me the money

Introducing payment authorisation procedures is a must in 2020. Simon Walsh from Oury Clark had this further to say:

“Customers should be extra vigilant to ensure they don’t fall victim to invoice fraud. Some steps they should take are:  

  • Confirm bank account details directly with a company on the phone or in-person before making a payment (and look up the phone number to ensure you’re calling the company and not a fraudster).  
  • Don’t rely on contact details in an email, but instead check your internal records or the company’s website for contact details.  
  • If making a payment to an account for the first time, transfer a small sum and then contact the company as above, and check the amount has been received, before sending a larger amount.  
  • Contact your bank without delay if you think you have fallen victim to invoice fraud or some other scam.”

Putting these simple measures in place helps ensure your money arrives at its intended destination. And there’s no harm in talking to your clients about their payment procedures.

Password123

Simple: DO NOT use the SAME password for different accounts. Your password is the main line of defence against fraudsters; it is the one secret keeping them out. When you use the same password for several accounts, one breach can cause a domino effect across every platform that shares it.

On top of this, breaches of services you most likely have an account with occur worldwide every day. LinkedIn and Adobe suffered two of the biggest of the 2010s, with millions of users’ usernames and passwords stolen. Those lists can be bought and the credentials tried across multiple platforms, a technique known as credential stuffing.

Using a password manager to store and generate a unique password for every account keeps your company data secure.
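Both problems in this section, the same password shared across accounts and a password that already sits in a leaked list, can be audited from a password-manager export without ever sending a password anywhere. The script below is an added example, not Lucidica’s or any vendor’s code. It follows the range-lookup convention popularised by the Pwned Passwords service (SHA-1 the password, send only the first five hex digits, compare the returned suffixes locally), but the export, the leaked corpus and its counts are all constructed, and range_lookup is an offline stand-in for the real HTTP call.

```python
"""Audit a password-manager export for passwords reused across accounts and for
passwords present in a leaked-credential corpus, using a k-anonymity range lookup:
hash the password with SHA-1, send only the first five hex digits, and compare the
returned suffixes locally, so the password never leaves the machine. Added example,
not Lucidica's or any vendor's code; the export and the leaked corpus (and its counts)
are constructed, and range_lookup is an offline stand-in for the real HTTP call."""
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed password-manager export: (account, password).
SAMPLE_EXPORT = [
    ("office365:tom.brown", "Password123"),
    ("bank:tom.brown", "Password123"),          # reused across two services
    ("crm:tom.brown", "correct-horse-battery-staple"),
    ("office365:jane.smith", "password"),
]

# Constructed leaked corpus: plaintext -> number of times seen. Counts are invented.
LEAKED_CORPUS = {"password": 3730471, "Password123": 126927, "letmein": 250000}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the range convention uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the corpus by 5-hex-digit prefix, each entry as 'SUFFIX:COUNT'."""
    ranges: Dict[str, List[str]] = defaultdict(list)
    for plaintext, count in corpus.items():
        digest = sha1_upper(plaintext)
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return ranges


RANGES = build_ranges(LEAKED_CORPUS)


def range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    returns newline-separated 'SUFFIX:COUNT' lines for every hash sharing the prefix."""
    return "\n".join(RANGES.get(prefix, []))


def breach_count(password: str) -> int:
    """Times the password appears in the corpus, learned from only a 5-digit prefix."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit(export):
    """Return {'reused': [[accounts sharing a password], ...], 'breached': {account: count}}.
    Neither part of the report contains a plaintext password."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for account, password in export:
        by_password[password].append(account)
    reused = [accounts for accounts in by_password.values() if len(accounts) > 1]
    breached = {}
    for account, password in export:
        count = breach_count(password)
        if count:
            breached[account] = count
    return {"reused": reused, "breached": breached}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print("reused:", report["reused"])
    print("breached:", report["breached"])
```

The report names accounts, never passwords, so it can be handed to the people who need to change them; the prefix sent to the lookup matches hundreds of unrelated hashes, which is what keeps the query from revealing which password was being checked.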

Summary

Since we started talking regularly about these phishing attacks with our clients over the last year, the attacks have become more frequent and even more sophisticated. Owners of SMEs need to ensure they’re doing their best to protect their business and their clients.

We don’t want you to become the next victim. We have created a business cybersecurity checklist as a starting point. And of course, if there is anything here you’re unsure of and want to get some advice, please give us a call.   

We want to help you protect your business. 

Checklist

Have you activated two-factor authentication on your accounts?

Do you have ATP (Advanced Threat Protection)?

Do you have a client payment process, and is your team aware of it?

When did you last speak to your clients about their payment process?  

How does your team store their passwords? Word or Excel is not a secure solution.

Are any company accounts using duplicate passwords? 

Do you know how good your team’s security knowledge is? 

Do you regularly talk about cybersecurity? 

Do you have your next security audit planned?  

Last but not least, and hopefully it never gets to this, but do you have an incident management plan? (The below doesn’t count.)

Cyberattack Incident Management plan

Don’t know where to get started?

Please register your interest for our next Cyber Security Seminar, hosted by Yugansh in the first week of April.  

Register for a call from your account engineer to book in a cybersecurity meeting.

Don’t have an account engineer with us? Book in a call. 
