A recent email con that cost three Auckland businesses thousands of dollars demonstrates that it is the relatively simple cyber attacks that Kiwi business owners need to be vigilant against.
Ray Delany, CEO of Designertech, believes the recent con against Albany and Devonport-based businesses proves this.
The case, in which the businesses fell victim to a ruse when placing email orders with Chinese suppliers, shows that when it comes to information security, the overwhelming trend is to think in terms of protecting against vast conspiracies, sophisticated malware and determined hackers seeking to compromise data and steal money.
“Probably the most important thing when it comes to information security isn’t so much the technology you have in place to protect yourself, but rather vigilance to detect anything out of the ordinary,” Delany says.
In the latest attack by cyber criminals reported in the media, emails between local business owners and their Chinese suppliers were intercepted and the bank account details changed.
“This is a breathtakingly simple attack, but it is so seemingly legitimate, that it works very well for the attackers,” Delany adds.
By grabbing an email order and then responding to it with an invoice identical to that issued by regular suppliers, but with a notice advising of changed bank details, hackers can get paid thousands while the victim suspects nothing – until it is far too late.
“Such an attack doesn’t require any particular sophistication,” Delany adds. “Most computer users today are sufficiently aware of the necessity for security that they will, at the very least, have an Internet security suite installed.
“These suites typically provide a firewall, intrusion detection and prevention, antivirus and identity protection. However, most emails today are still unencrypted.”
That means an attacker can intercept them by ‘sniffing’ messages in-flight (while they are being transmitted) or by accessing them when they are spooling at a mail server.
While free and paid-for tools are available to prevent this particular form of compromise – and he strongly advises using them – Delany says management of all security risks is often better achieved through alertness.
“The ways in which attackers can access information that they can turn into cash are practically limitless,” he says.
“Through the combination of freely available hacking tools, social engineering techniques and just plain devious ingenuity, hackers can and will find ways to make it through any chink in your armour.
“There’s no question that you should have an appropriate security posture that includes good technology solutions and sound policies and procedures.
“But what remains most important is a mindset that assumes you are likely to be a target, even if you operate a small organisation which may seem completely outside of the interest of hackers.”
In other words, Delany says, be suspicious.
When anything out of the ordinary occurs with email, business systems or even customers behaving oddly at the front counter, it should raise your hackles at least a little.
“Sometimes it is the really simple things that can lead to real, material losses,” Delany concludes.
“It isn’t in the typical Kiwi psyche to be automatically distrustful, but that is why New Zealanders are still falling victim to cyber scams.
“Be vigilant, check things out if unsure – sometimes a simple phone call, as in the case reported in the media article, could avoid a whole lot of headache and heartache.”