Cyberfraud: how to protect yourself

Cybercrime knows no boundaries and no organisation is immune. Cyberfraud, a form of cybercrime, is one of the most significant criminal (and commercial) threats to businesses across the globe. Cyber-attacks cost British industry approximately £30bn a year and this figure is on the rise. The cost of internet banking fraud alone leapt by 64% to £134m in the UK in 2015.

Cyberfraud is a fraud committed using the internet or a computer network. Many types of fraud can be committed in this way, including credit card or banking fraud, investment fraud, advance fee fraud, non-delivery of merchandise and identity theft. Currently, two of the most common methods by which cyberfraud is perpetrated are phishing and the use of ransomware (a form of malware).

Common types of cyberfraud

Phishing involves sending bogus emails requesting security information and personal details. Information obtained is then used to facilitate criminal activity, such as payment diversion fraud (for example, a US company was recently duped into sending $25m to a bank in Hong Kong) or executive identity fraud (earlier this year, fraudsters posed as the CEO of an Austrian aerospace parts maker in an email instructing an employee to transfer money to an account for a fake acquisition project, costing the company €42m).

Using ransomware to commit extortion is another method of cyberfraud that is becoming increasingly common. Fraudsters access the victim’s computer systems and encrypt data, preventing the victim from making any use of it until a ransom is paid, usually in Bitcoin or other untraceable means of payment. Victims can become infected with ransomware by opening an infected email attachment or clicking on a URL that downloads malware to their computer.

Ideal victims for ransomware attacks (and indeed other forms of cybercrime) are businesses that hold large quantities of data which are essential for their day-to-day operations. Businesses that hold sensitive customer data (such as healthcare providers, utilities and businesses in the financial services sector) are also vulnerable to threats that such data will be released into the public domain if a ransom is not paid. This year there has been a succession of attacks on hospitals in the US using a piece of ransomware called Locky, which has resulted in Bitcoin payments to hackers.

Losses and costs

Not only can a victim of a cyber-attack face losses through fraud or extortion, but additional associated costs can be significant, including the cost of retrieving data, replacing equipment, compensating customers for losses, legal costs, increased insurance premiums, reputational damage and impact on share price. In some instances there will be third party claims, for example if the victim of a cyber-attack cannot honour its contractual obligations due to the cyber-attack, resulting in losses to third parties.

Regulatory fines can also be significant and are set to increase. Under the General Data Protection Regulation [2016] the maximum fine for data protection breach for a business operating in the European Union will increase to 4% of a business’s global turnover. Some industries (for example, financial services) have their own regulatory body which can also impose significant fines if a business is found to have taken inadequate steps to protect its customer records.

The potentially devastating impact of a cyber-attack on a company was illustrated in October last year, where the hack of a major UK telecoms provider led to the theft of data for over 150,000 customers, cost £60m and ultimately led to a loss of over 100,000 customers.

We predict that the increasing risk of becoming victim to a cyber-attack will lead to more cybercrime-related cases coming before the UK courts.

Steps you can take

The risk of a cyber-attack cannot be eliminated entirely, but steps can be taken to minimise the risk and limit the impact of a security breach. First and foremost, cyber security is not solely an IT issue. It should be treated as a key business risk and a board-level issue. If a cyber-attack does occur, it will be the CEO who is called upon to explain what has happened and why. The governor of Bangladesh’s central bank recently resigned following a cyber-attack in which cyber criminals stole $81m via SWIFT transactions. There have been other examples of board members facing heavy fire from the media, shareholders and customers following a cyber-attack.

Good corporate governance and employee awareness are essential. Policies and procedures for IT usage, home working and detachable media usage should be robust and up to date, as should the data protection policy. Data should be structured in a way that makes it difficult for criminals to access business-critical information even if they are able to breach the victim’s IT security.

All businesses should have an incident management plan addressing matters such as disaster recovery and remediation arrangements, liaison with regulators, media communications and managing legal claims. This will enable a victim of a cyber-attack to act swiftly and decisively if a security breach occurs, minimising the loss to the business, risk of litigation and damage to reputation.
