The risk of a cyber attack is an ever-increasing threat to both businesses and clients. It has become so prevalent in the news, that we have possibly reached a saturation point with new attacks being announced daily.
A quick Google search or even just a review of BBC news shows the level of threat and the damage cyber attacks can do. If it's not Facebook, it's LinkedIn, if it's not LinkedIn, it's Google and so on and so on…
Legislation such as the EU's General Data Protection Regulation (GDPR, and its Channel Island equivalents) and the Guernsey Financial Services Commission (GFSC) Cyber Security Rules, 2021 are in place to ensure all organisations take sufficient measures to protect your personal data. Regulation and Technology are improving firms' defences against cyber crime continually but there is only so far technology and good business practice can go to protect clients' personal data. Ultimately, the most vulnerable line of defence is always the human element.
Over the last year or so, there has been a change in tack from cyber criminals; from targeting organisations to going after the clients dealing with these organisations. One of the most common practices seen is for cyber criminals to gain access to a (prospective) client's personal email address, either through password cracking, credentials made available through the dark web following an institution data breach, or through users falling victim to a phishing attack. Through these means, unauthorised persons then have full read/write control of the email account and can send and delete emails and set up forwarding rules. Anything you can do, they can do, in your name.
The perpetrators then monitor the traffic for significant periods of time, analysing patterns and behaviours. Once a pattern is identified, the perpetrators strike using a number of techniques, commonly email masking (hiding the actual address the email has come from and replacing it with a legitimate organisation's name), or domain spoofing, where the email will for all intents and purposes appear like it has come from a legitimate source. This allows the criminals to intercept legitimate communications and replace key details, such as banking instructions.
Individuals are being targeted as they do not have the resource to employ sophisticated cyber security software packages, have access to training programmes, which staff of professional organisations should have in place, or have the good practices enforced on them by legislation that business is subject to. So what can you do to protect yourself?
Here are 11 helpful hints:
Ensure you have active anti-virus/anti-malware software running on all your devices: Whilst not rendering you immune, it will reduce the chance of any malicious software such as key loggers ending up on your devices.
Use strong passwords. A difficult protection to achieve given the amount of passwords we require online, but good password tips are to use a mixture of upper and lower case, numerical and special characters. Also, where possible try to avoid dictionary recognisable words, which are easier to crack.
Avoid reusing passwords: Again easier said than done, but the more unique passwords you have the less likely you are to fall foul on multiple accounts. Internet banking in particular should be kept unique. Do not have the same password for your bank as you do for Facebook or PayPal accounts.
Enable multi-factor authentication wherever it’s available: Although it adds some time to logging in, this one control will stop most attacks dead in their tracks.
Avoid links on untrusted emails: Do not click any links unless you know and trust the sender, and know where the link will send you.
Do not open unknown attachments. If you do not know what it is or whom it came from do not open it.
Check if your personal details have been leaked: Use a website such as https://haveibeenpwned.com/ to see if your email address or login credentials have been leaked as a result of an institutional data breach. If Facebook leak data and your username and password have been leaked, this site could tell you. If you are on the list, change your password(s) immediately.
Read the email: This may sound obvious but read the content of the email carefully. If you are dealing with an individual at an organisation you have had prior dealings with, is the communication as you would expect? Is the spelling and grammar accurate? Most professional organisations take pride in ensuring client communications are as clear as possible. Fraudsters may not be so considerate, particularly if English is not their first language. This could be a tell tale sign of a suspicious email.
Are you replying to who you think you are? If a perpetrator has access to your account they can set up rules changing where your replies go. Check the address you are replying to, is it going where you expect it? Check for small typos in the username or domain name that may be subtle to try to catch you out. mark@gmial.com instead of mark@gmail.com for example.
Be very wary of unexpected changes in key information: Most professional organisations will rarely change details such as bank account details. If you receive a request to change these, call the institution in question and ask for confirmation from someone you know/trust. Don’t reply to the email for verification as you could be asking the criminals.
If you are in any doubt, ask! Most professional organisations will ensure their staff are trained in spotting cyber security threats. If you are in any doubt about a communication you have received from an organisation, contact them and ask. They should always be more than happy to assist upfront rather than deal with any fall out from a successful attack.
Business working together with their clients can help combat the risk to both the firm and the individual from the ever-growing threat of cyber crime, and avoid each other becoming another statistic on tomorrow's latest cyber security news story.