Cybercrime, like any other enterprise, operates on the strength of a calculation of risk versus reward. We are all – unfortunately – familiar with the simple phishing email telling us our shipment could not be delivered, or using some similar pretext to persuade us to divulge confidential information about ourselves. Presumably (since they keep doing it) a tiny proportion of recipients are fooled by these, and since both the risks of the enterprise and the effort needed to operate it are tiny, they will continue to irritate us. But they are only the bottom-feeders of the email scam ecosystem.
At the other end of the scale are the big-time database hacks that have hit the headlines because they compromised the privacy of thousands of individuals. In Australia, Kmart and David Jones have been high-profile victims. Organisations that keep extensive client databases are rightly concerned to protect them.
But between these extremes there’s a whole stratum of cybercrime that uses email compromise to steal sizeable sums, many times over. Because the individual sums are not spectacular, the media don’t get too excited about these thefts. But the US Federal Bureau of Investigation recently reported that cybercriminals who are prepared to invest some time and effort into researching the organisations they have hacked stole an estimated A$3 billion between October 2013 and February 2016.
Once a cybercriminal has hacked an organisation that uses email to authorise financial transactions, they may well sell any database data they find on to other criminals, and concentrate on using their access to the target organisation’s IT system to study its corporate culture.
“They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy,” the FBI said.
Cybercrims who play in this space can be very creative, forging email requests for money transfers that purport to come not just from CEOs but from corporate legal counsel or regular suppliers. They choose dollar amounts which do not raise eyebrows – in fact keeping everybody’s eyebrows at rest is a big part of their game.
What can we do?
Law-enforcement agencies do what they can to raise the risk of these cybercriminal attacks to their perpetrators. For their part, organisations can protect themselves in a number of ways:
- Continuing education of all staff about the evolving nature of these threats is vital. Simple awareness and a willingness to challenge are a major source of protection.
- Audit your systems and corporate culture to make sure you know all your vulnerable points. Consider bringing in a cybersecurity expert to assist with this vital step.
- A single email should never suffice to release funds for any purpose. Review all such procedures, and add simple but, to a cybercriminal, confounding steps. A phone call confirming the email instruction, in which the transaction number and a secure passcode are exchanged, may be all that is needed.
- Consider introducing cryptographic technology to your payments system.
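An added example (not code from the original post) of the control described in the third point above: a payment request raised by email is logged but only released once the named approver confirms it on another channel, quoting the transaction number and a passcode agreed out of band. The PaymentDesk class, approver names and passcodes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: a minimal payment-release workflow in which an emailed
# instruction is recorded but never paid until an approver confirms it on a
# second channel, quoting the transaction number and a passcode agreed out of
# band. Approver names and passcodes below are assumptions, not from the post.

def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()

class PaymentDesk:
    def __init__(self, approver_passcodes: dict):
        # Only hashes of the out-of-band passcodes are kept on the system.
        self._approvers = {name: _digest(code) for name, code in approver_passcodes.items()}
        self._pending = {}   # txn_id -> request record
        self.released = []   # audit trail of released transactions

    def log_request(self, approver: str, amount: float, beneficiary: str, channel: str = "email") -> str:
        """Record the instruction as received; this step never moves money."""
        txn_id = f"TXN-{secrets.token_hex(3).upper()}"
        self._pending[txn_id] = {"approver": approver, "amount": amount,
                                 "beneficiary": beneficiary, "channel": channel}
        return txn_id

    def confirm(self, txn_id: str, approver: str, passcode: str, channel: str):
        """Release only when the confirmation arrives on a different channel from
        the request, names the same approver, and carries a matching passcode.
        The callback should go to a directory number, never one quoted in the email."""
        req = self._pending.get(txn_id)
        if req is None:
            return False, "unknown transaction number"
        if channel == req["channel"]:
            return False, "confirmation must not use the request channel"
        if approver != req["approver"] or approver not in self._approvers:
            return False, "approver not recognised for this request"
        # Constant-time comparison so a mismatch leaks no timing hint.
        if not hmac.compare_digest(_digest(passcode), self._approvers[approver]):
            return False, "passcode mismatch"
        self.released.append(self._pending.pop(txn_id))
        return True, "released"
```

The email that raised the request can never release it on its own; only a confirmation on a second channel with the right transaction number and passcode does.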
There’s ample reason to believe that your organisation may be vulnerable to the consequences of a hack of a single employee’s email account. You can and should protect yourself.