Cybercriminals have historically targeted banks because, as the infamous US bank robber Willie Sutton once said, “that’s where the money is”.
"Cybercrime is the dark side of doing business in the digital age."
Craig Bromley, Director, Client Solutions, Transaction Banking, ANZ
These days, however, the threat landscape has evolved and all kinds of organisations – regardless of size, location and maturity – are a target. Having a robust cybersecurity posture is essential for anyone doing business in this digital world.
Organisations are being attacked from all angles, with the most common vectors of attack being malware, ransomware, phishing and social engineering (via phishing, spear-phishing and email hijacking). A successful cyber-attack is the result of many of these methods being used together.
Take the business email compromise scam as an example. An email is sent by the CEO of a company while they are travelling, instructing the company treasurer to make an urgent and discreet payment. If you were the treasurer, would you approve the payment?
The CEO is away so it seems plausible they would send an email instead of making a phone call. And because the transaction needs to be done immediately, and is sensitive, the natural response could be to skip some of the usual checks and balances.
This is what cybercriminals are hoping for. This request could be the final stage in a long campaign where criminals may have infected a computer with malware, changed a payee’s bank account details, hacked into the CEO’s email account and researched their travel schedule.
They could have observed their victims’ behaviour, maybe through phone calls to the company or on social media, to socially engineer a situation where the treasurer bypasses the usual controls to make a payment. Some companies have fallen for this and have sent millions of dollars to criminals.
Phishing, malware – what does it all mean? Let us explain.
Malware: Malicious software used to access or disrupt IT systems, gather sensitive information, or display unwanted advertising. It is often received through phishing or spam emails but can also be hidden in online ads and pop up messages.
Ransomware: A common form malware restricting access to an infected computer system and demands a ransom to remove the restriction. Ransomware typically circulates as a virus within an email attachment disguised as a seemingly legitimate file.
Social engineering: Occurs when people are manipulated into doing things they shouldn’t or divulging confidential information. It can be initiated in person, via email (Phishing), over the phone (Vishing), through an SMS message (Smishing) or via social media sites such as LinkedIn and Facebook.
It is a more frequently used tool because it delivers a targeted and realistic attack enabled by publically available information and social media.
Phishing: Emails that appear to come from an official source when in reality are a scam attempting to extract sensitive information like usernames, passwords or credit card details.
A victim could unwittingly enter account details into a fake bank website or click on a link which installs malware on their computer and network.
Spear phishing & email hijacking: More targeted versions of the above. Rather than a scattergun approach aimed at several individuals, spear phishing targets a specific person.
An extension of the spear phishing attack vector is business email compromise or email hijacking. A common but effective example involves an email sent by a purported CEO of a company while they are travelling, urging the company treasurer to make an urgent and discreet payment.
To many business people, this landscape and threat can seem overwhelming. Although investment is necessary to manage cyber-risk exposures, there are still some simple steps organisations can take to improve their people, systems and processes.
Everyone has a role. Financial institutions, industry, government, law enforcement and consumers are all part of a cybersecurity ecosystem where everyone needs to work together, and everyone has a role to play in preventing and responding to cybercrime.
For businesses, there are a number of key factors, both externally and internally focussed, which are important to cover to ensure you are adequately prepared. Below are eight important ones.
Internal
• Understand your exposure. Know what information and assets the business holds. Ask yourself: what could be valuable to cybercriminals? What processes and people are in place to protect those assets?
• Educate yourself and your management on the risks of cybercrime. Implement in depth defences. Have a clear cyberpolicy which adopts a multilayer approach to defending your organisation.
• It’s not enough to only invest in preventative measures, have a response process in place so your reaction is quick and organised.
External
•Leverage professionals. If you lack the internal capabilities, invest in external support.
•Look to best practice. There are a number of leading frameworks and examples of best practice which can steer your approach to investing and building the right capabilities.
•Share and seek intelligence. Work with industry partners and government departments to share intelligence.
To get one step ahead of cybercriminals, continuous education, awareness and collaboration are vital – after all, we’re all in this together.
Craig Bromley is Director, Client Solutions, Transaction Banking at ANZ
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
23 Aug 2016
08 Aug 2016
15 Oct 2015