Ransomware has taken the world by storm this year, costing millions for businesses around the world. In the last 12 months alone, the number of ransomware variants spotted in the wild has more than doubled. As its prevalence has increased, so has the complexity of the attacks, and new ways to defend against them have been developed. Microsoft have been known to take the ransomware threat very seriously, even releasing a security patch for the long obsolete Windows XP operating system in the wake of the infamous WannaCry attack back in May. With the realease of the Windows 10 Creators Update (build 1703), now there are even more features built right in to the OS that can prevent and protect against ransomware. In fact, it’s so secure that Microsoft claim no Windows 10 devices were affected by WannaCry.
CEO/CFO Fraud is a phishing scam that has gained popularity in recent years, where cyber criminals hack or spoof the email address of a senior staff member and request an urgent payment to an unknown account. These phishing emails are usually sent to staff involved in the finance or accounts of the company, and request payment in a manner which is often outside normal payment procedures. These emails appear to be genuine to convince staff members to comply with the request, believing they are indeed from their company’s CEO or CFO. Once the money has been transferred to the criminal’s account, it is usually withdrawn again straight away and hidden elsewhere.
You should be extra vigilant of:
– Any payment request which is outside of normal policy or procedure, especially by email
– Any urgent or confidential request for payment transfer, especially if not respecting the standard procedure
– Any unusual request such a transfer of high amounts to an unknown account or to a country where the company does no business
If you do receive an unusual financial request by email, we strongly advise you to get verbal confirmation from the sender before taking any action.
Concerned that your organisation may be vulnerable to such phishing attacks? We’re offering a free phishing risk assessment for companies who want to find out and learn how to mitigate these dangers.
“Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.”
Gone are the days when the only phishing threats were from poorly spelled emails asking you to claim Clubcard points. With the cybercrime-as-a-service (CaaS) industry estimated to be worth in the billions each year, cyber criminals are becoming increasingly organised in the way they implement their attacks. Instead of sending out random emails and hoping for the best, spear-phishing involves researching a particular organisation, probing for weaknesses, then sending highly targeted, personal phishing emails. These emails may appear as if they come from your CEO, or IT manager, or even the colleague that sits next to you. It is estimated that over 90% of successful data breaches by cyber criminals started with a spear-phishing attack. The best means of prevention is to implement an ongoing cyber security awareness program, as trained staff can detect and block spear phishing attacks before it’s too late.
For those of you who may not have heard of the Cyber Essentials scheme, it is an accreditation-based program created by the UK government and backed by the industry in both the UK and Ireland, to show that basic cyber security measures have been put in place that will block most cyber attacks. It was designed as an affordable alternative to ISO27001, which may be financially out-of-reach for many small/medium enterprises, and is a requirement for any businesses that deal with the UK government. So, it may have come as a surprise to many to find out that the IASME Consortium, one of six accrediting bodies in the UK, has suffered a data breach which exposed the company names and email addresses of their applicants. While no other information such as these companies’ security configurations were leaked, the breach could well open the exposed companies to phishing attacks from cyber criminals.
A list of Cyber Essentials applicants, including their company names and corporate email addresses, may have been leaked to hackers.
The Information Commissioner’s Office in the UK has issued a statement that organisations who train their staff in data security will be less likely to receive a fine or monetary penalty. The ICO recommends that at least 80% of an organisation’s staff are trained on how to handle sensitive data and keep it secure from data breaches, with a spokeswoman stating that “reasonable steps” must be taken to secure data, with “full account of the facts” taken into consideration in the event of a data breach being discovered.