When I speak to SMEs, I make the point that the chances of being ‘hacked’ are relatively low compared with the chances of being scammed. Why? I look at a hack as a technical attack on a target by someone who is technically savvy and skilled in identifying and exploiting weaknesses in a company’s defences. A scam, on the other hand, can be perpetrated by people with relatively low levels of technical ability. Scams are, in fact, a con, just like any other old-fashioned con: they get the target to agree to, or to do, something that will benefit the con artist.
We always recommend that our clients try as best they can to have defence in depth. That’s an old military term, now often used in cyber security to describe multiple layers of defence. This can be expensive, though, and it must be tempered by budget, targeting controls where they are most needed. What it does is deter the many attackers who are looking for a quick win: if they have to work long and hard to break in, they’ll often go elsewhere, where the pickings might be easier. And of course, whilst an SME’s defences might be somewhat weaker than those of an enterprise organisation, the pickings are likewise smaller, making it not cost-effective for the attacker to spend too much time on a technical hack.
Does this make scams much more attractive to the criminal? Yes, I believe it does, simply because the amount of effort required is low and they are skilled in manipulating people, especially those who have had minimal cyber awareness training. Scamming, just like hacking, is generally preceded by some form of social engineering. Social engineering refers to techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons. So, whilst a hacker modifies a computer’s software and hardware to carry out certain tasks, social engineering uses people as the weapon to attack selected targets. The manipulation is accomplished by exploiting trust through different forms of communication.
Typically, social engineering is achieved via phishing, vishing (video), smishing (via SMS), malware and spear phishing, where the targets are selected for their importance to a specific attack. Whatever method is used, the aim remains the same: to persuade the unwary to give up sensitive information, install malicious software or do things that compromise your business security. The best protection against social engineering remains a workforce that is aware of the techniques and the dangers they pose.
What is the cost of scams across the globe? One statistic suggests that public sector fraud losses amount to about £50.2 billion, whilst fraud committed directly against individuals, including marketing fraud and identity fraud, is around £8.3 billion. The total cost of fraud has risen from about £190 billion in 2017 to almost £219 billion (source: Peters, Peters and Crowe). Of course, not all of this is online fraud, but that is becoming the most common type of scam we see today.
Some of the most common types of scams that we see include, but are not limited to:
I received an email only yesterday purporting to come from someone called, and I kid you not, Lisa Monaa, inviting me to partake in an extremely profitable project, and I just couldn’t bring myself to read any more. It was a badly written phishing email with little chance of success.
AI is having an effect as well. I’ve written earlier about the CEO scam, whereby a CEO’s email is spoofed and sent to the accounts department with an invoice attached, stating that the CEO has received a complaint from a supplier that their invoice is late and that it must be paid without delay. That scam has now been updated to an AI-simulated voice, over the phone, demanding the same.
Whilst that scam is quite old, it shows how social engineering comes into play. Firstly, they have to find out what the CEO’s email address is. Not difficult. The company’s email format will almost certainly be shown on its website in a contact address like sales@abc.com, so the attacker knows the suffix is abc.com. They may well also be able to get the CEO’s name from the website, or even from Companies House. Next, send an email to JSmith@abc.com; if that bounces, send it to John.Smith@abc.com, and so on until one goes through. Next, phone the accounts department and ask for Mary in accounts payable. “No Mary here, I’m afraid.” “Oh, sorry, I was sure it was Mary. Who handles accounts payable, then?” “Oh, that’s Julie.” So he now has the CEO’s email address and someone to send the email to. That would probably take about 30 minutes of the scammer’s time.
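The defensive flip side of that walkthrough is that a spoofed CEO invoice email leaves tell-tale signs a mail filter or a vigilant accounts team can check for: an executive’s display name on an address that isn’t theirs, a lookalike domain, a diverted Reply-To, failed SPF/DKIM/DMARC on a message claiming to be internal, and payment-urgency wording. The script below is an added example written for this post, not the author’s own tooling; the company domain abc.com, the executive list and the three sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the executives
# most likely to be impersonated, mapped to their genuine addresses.
OUR_DOMAIN = "abc.com"
EXECUTIVES = {"john smith": "john.smith@abc.com"}

# Wording typical of invoice-fraud pretexts (constructed, deliberately short).
PAYMENT_URGENCY = re.compile(
    r"\b(invoice|overdue|without delay|bank details|urgent)\b", re.I
)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, ours: str) -> bool:
    """True if `domain` is not ours but is within one edit of it or reuses our label (abc.co)."""
    if domain == ours:
        return False
    if _edit_distance(domain, ours) <= 1:
        return True
    return domain.split(".")[0] == ours.split(".")[0]


def check_message(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display-name impersonation: an executive's name on an address that is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' used with {addr}, not {EXECUTIVES[key]}")

    # 2. Lookalike sender domain.
    if domain and looks_like(domain, OUR_DOMAIN):
        findings.append(f"sender domain {domain} resembles {OUR_DOMAIN}")

    # 3. Reply-To diverted away from the From domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"Reply-To {reply} differs from From domain {domain}")

    # 4. Message claims our own domain but failed sender authentication.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if domain == OUR_DOMAIN and any(t in auth for t in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("claims our domain but failed SPF/DKIM/DMARC")

    # 5. Invoice / payment urgency in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("payment-urgency wording")

    return findings


# Constructed sample messages (not real mail).
LOOKALIKE_SPOOF = """\
From: John Smith <john.smith@abc.co>
Reply-To: John Smith <accounts.jsmith@mail-provider.example>
To: julie@abc.com
Subject: Supplier invoice overdue
Authentication-Results: mx.abc.com; spf=pass smtp.mailfrom=abc.co; dkim=none

Julie, a supplier has complained their invoice is late. Please pay it today
and confirm. I am in meetings all day so email only.
"""

DIRECT_SPOOF = """\
From: John Smith <john.smith@abc.com>
To: julie@abc.com
Subject: Overdue invoice
Authentication-Results: mx.abc.com; spf=fail smtp.mailfrom=abc.com; dkim=none

Please settle the attached today.
"""

GENUINE = """\
From: John Smith <john.smith@abc.com>
To: julie@abc.com
Subject: Lunch on Friday
Authentication-Results: mx.abc.com; spf=pass smtp.mailfrom=abc.com; dkim=pass header.d=abc.com

Julie, are you free for the team lunch on Friday?
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE_SPOOF), ("direct", DIRECT_SPOOF), ("genuine", GENUINE)):
        print(label, check_message(sample))
```

Any single finding is a reason to pause, but the practical control is procedural: no payment instruction received by email or phone is acted on until it is confirmed through a channel the accounts team already has on file, regardless of who appears to be asking.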
The impacts of scams can be very far-reaching. Firstly, there is financial loss, which to many SMEs operating on tight margins can be quite devastating. Then there is the possibility of a data breach. If you are a business holding lots of client personal data, say a financial adviser, a lawyer, an estate agent or a pharmacist (you get the drift), and the aim was to steal data, then you could be hit with a substantial fine from the Information Commissioner, not to mention lawsuits from those whose data has been stolen. Reputational damage can be disastrous, and then there is the effect on staff, who can suffer greatly thinking they have damaged the company and put everyone’s job at risk.
Bottom line – scamming is endemic, it’s going nowhere, and AI is going to make it more prevalent, not less. SMEs spend far less on their defences and on cyber awareness training, making them more likely to be targeted. Combating this threat should be high on your to-do list.