A study carried out by YouGov on behalf of Barclays Bank found that 44% of SMEs in Britain had been targeted by fraudsters and just over half of those (23%) had fallen victim to fraud.
10.6% of all the SMEs surveyed had suffered a cyber-attack, with 8.58% of those making staff redundant to cover the cost of cyber crime. Based on a total of 5.7 million SMEs in the UK, this equates to up to 50,000 UK jobs lost with the average cost of the fraud to each business being £35,000.
GDPR came into force on 25th May 2018, and the penalties for non-compliance under the new legislation for data breaches fall into two tiers of fines, both of which are substantial. The first tier is up to €10 million or 2% of the company’s global annual turnover for the previous financial year, whichever is higher; the second is up to €20 million or up to 4% of the company’s global turnover, whichever is higher.
Last year, several art galleries in London fell foul of an elaborate Spear Phishing scheme that resulted in a data breach, with the perpetrators hacking into the email correspondence between artists and buyers.
What is Spear Phishing?
Spear Phishing happens to thousands of people across the world every day. It is an online scam that often targets employees of specific businesses, with the intent of stealing intellectual property, financial information, trade secrets and other confidential data via a seemingly innocent email that arrives in their inbox.
Spear Phishing involves a highly targeted email or electronic communications attack against a specific organisation, seeking unauthorised access to sensitive information. It is a technique in which cyber criminals send an email that appears to be from a friend or colleague and that encourages the recipient to download malware, click on malicious links or send sensitive personal or professional information back to the sender. These emails are personalised to make them appear as convincing as possible.
You open it just like you would any other email, but this email is different: it is not actually from the person you thought sent it. The sender is a criminal known as a ‘Spear Phisher’ who has previously obtained your name, your email address and a little information about you, so that their email neither raises alarm nor gets intercepted by spam filters.
For example, in the gallery case the email conversations were hijacked after artworks had been sold; the hijacked messages told the buyers that the previous invoice had been issued in error and instructed them to make payment into the hacker’s account instead. Fraudsters also ran the scam in reverse, sending emails from the artists’ email accounts to their respective galleries requesting that payment for artwork be made to fraudulent accounts rather than the artist’s own account. Under GDPR this could result in significant fines for businesses that fail to protect client email addresses and other personally identifiable information.
In a recent article in The Art Newspaper, Laura Bartlett, a London-based art dealer, says, “It was quite a high-value sale for me.” The transaction was negotiated entirely by email and, when it was finalised, Bartlett sent the buyer an invoice via email, as she has sent all her invoices for the past 12 years. Her client received this, but soon afterwards Bartlett’s emails were intercepted. “Somebody sent out another email saying: ‘Ignore my previous invoice. I sent you old bank details; please use this invoice instead.’” The client duly wired the money to the hackers instead of to Bartlett.
How can Spear Phishing be prevented?
Raising awareness and educating staff can significantly lower the risk of a staff member falling victim to a Spear Phishing attack. Good email practice should be exercised at all times, such as never revealing sensitive information (personal, health or financial details) in reply to an email, regardless of who it appears to be from.
Never click on links in emails that ask for personal or financial information, and always check that the sender’s email address is correct: Spear Phishing emails often come from an address that is off by just one character, even though it appears correct at first glance.
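One way to automate the sender-address check described above, as an added example that is not from the original article (the trusted domains, the confusable table and the sample From: headers are constructed for illustration):

```python
"""Flag senders whose domain is one character off a trusted correspondent's domain.

Added example, not from the original article. The trusted domains, the confusable
table and the sample From: headers are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: domains of the galleries and artists this business actually deals with.
TRUSTED_DOMAINS = {"example-gallery.co.uk", "artist-studio.com"}

# Character sequences that read like another character at a glance.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' (one edit or a confusable away) or 'unknown'."""
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[1].lower() if "@" in address else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) == 1 or normalise(domain) == normalise(trusted):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed headers: genuine, 'rn' for 'm', one letter dropped, never seen before.
    for hdr in ("Laura <laura@example-gallery.co.uk>", "Laura <laura@exarnple-gallery.co.uk>",
                "Laura <laura@example-galery.co.uk>", "Buyer <buyer@unrelated-mail.net>"):
        print(f"{classify_sender(hdr):9s} {hdr}")
```

A 'lookalike' result is a reason to verify any change of bank details by telephone on a known number rather than by replying to the email.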
Microsoft Office 365 has a built-in anti-phishing feature which is offered as part of Microsoft Office 365 Advanced Threat Protection. When a user is covered by an ATP policy (safe attachments, links or anti-phishing), incoming messages are evaluated by multiple machine learning models that analyse the message to detect impersonation attempts, unsafe attachments or links. ATP anti-phishing protects your business according to the policies that are set by your Microsoft Office 365 global or security administrators.
The Attack Simulator within Office 365 enables you to run realistic attack scenarios within your organisation. This can help you identify vulnerable users before a real attack impacts your bottom line. Three types of attack can be simulated: Spear Phishing, password-spray and brute-force password attacks.
New features are also being added to Attack Simulator. These include advanced reporting capabilities that show data such as the fastest (or slowest) time to open an attack simulation email message and the fastest (or slowest) time to click a link in the message. An email template editor is also available, enabling you to create a custom, reusable email template for future attack simulations.
Cyber Security in the UK
On 18th April 2018, the UK Prime Minister Theresa May announced that the UK is committed to spending up to £15 million to help Commonwealth countries strengthen their cyber security capabilities and to help tackle criminal groups who pose a global threat to cyber security.
The funding will also underpin projects across the Commonwealth to provide technical assistance, advice and training that address a wide range of cyber security threats and cyber crime, and to build the ability to respond to cyber security threats that affect businesses, governments and their citizens. It will also commit members to raising levels of national security and increasing cooperation to counter those who seek to undermine security.
Ultimately, this funding will contribute to fostering international stability in cyberspace, building digitally resilient economies and ensuring that the Internet remains free and open across the Commonwealth.
On 18th April 2018, Prime Minister Theresa May said:
“The future is at the heart of the Commonwealth events being held this week and with that, we must look towards the emerging challenges that we and our Commonwealth partners face. Cyber security affects us all, as online crime does not respect international borders.
I have called on Commonwealth leaders to take action and to work collectively to tackle this threat. Our package of funding will enable members to review their cyber security capability and deliver the stability and resilience that we all need to stay safe online and grow our digital economies.
The Commonwealth plays a pivotal role in shaping the future for many of its members. We have put security on the agenda for the first time, so we can work together and build a safer future both for Britain, and for the 2.4 billion people around the world who live in the Commonwealth.”
Infinity Group are IT Security and GDPR Specialists. We also have a useful GDPR Checklist and Consultancy Brochure which are available as a free download to help to improve the security of your business network and guide you to GDPR Compliance.