Talking to my clients on a daily basis, it seems that many of them still think cyber crime only ever happens to somebody else! However, the reality is that cyber crime is now more profitable than the illegal drug trade. This is partly because entry into a life of cyber crime is a lot easier and less dangerous than traditional crime of old. Forget Pablo Escobar – we now live in an age where an average guy can become a serious criminal with nothing more than a laptop, an internet connection and some basic IT skills.
One of my clients was under the impression that cyber crime only happened at a very high level between governments and big businesses. If not, it was happening at such a low level that you can see the crooks coming a mile off with their badly spelt spam emails, asking you to transfer money into a Nigerian bank account! This was until he became a victim of cyber fraud…
88% of all cyber security breaches involve some form of social engineering
The Target
The Victim (we’ll call him Mr X) in this case was a Director in a London-based communications company that have around 20 staff. The cyber criminal selected Mr X for reasons unknown, though partly because he is very active on social media. Because of this activity the criminal was able to monitor what Mr X was doing over the course of his working week and importantly learn mannerisms and style of writing from his posts.
Over a short period of time the criminal learned the following information that he needed to commit the scam –
- A new member of staff had recently started working in the accounts department and had authority to transfer money. This could have been achieved in a number of ways, such as making bogus cold calls
- Mr X used certain words a lot. For example he called people ‘buddy’ all the time on social media, on the phone and by email
- Mr X had a signature specific to his iPhone. This was probably learned from ‘cold’ emails
- Mr X was attending/exhibiting at a trade show later that week
The Scam
Armed with this information, the fraudster chose to email the new member of accounting staff from a spoofed email impersonating Mr X whilst he was at the trade show. The fake email explained that he needed to transfer payment to use some of the facilities at the trade show and this needed to be done urgently.
The crook requested that around £3,000 be transferred to a false account to pay for facilities at the show. The email started off with ‘hi buddy’ and had Mr X’s signature attached so it looked just like the kind of email he would normally send. The new accounts guy didn’t spot the spoofed email address and as he recognised some familiar characteristics specific to Mr X he qualified the email in his mind as being genuine.
After exchanging a few emails the money was transferred and the fraud was not discovered until the following week! You don’t need to spend money on new technology, you just need to know what to look for – staff awareness is the best defence
The lesson
Cyber con artists are often clever and manipulative and are targeting SME’s like you.
The good news is that you can guard against these scams by educating yourself and your staff.
There are cost-effective procedures you can put in place, most of which are simple adjustments to human behaviour.
If you would like to know more about cyber security and learn how you can train your staff to avoid these kind of scams, join me at my cyber security workshop in Surrey and London and get up to speed on threats to you and your business.