I attended a cyber crime conference in Cambridge last week held by Cambridgeshire Police. The event outlined what the police are doing to tackle cyber crime and what we can do to avoid it in the first place. They said 80% of cyber crime is preventable. It was stressed at the conference that not only can you be hit with financial losses, but cyber crime can have significant impact on wellbeing.
Some stats for Cambridgeshire to get us started:
- There were 142 cyber-dependent crimes in a 150-day period
- One company recorded eight DoS* attacks in a day
- Losses of £752,000 during this time
*Denial of service: an attack that makes a network or online service unusable for the people who rely on it
Here is a quick bullet point take-away from the conference before we delve a bit deeper:
- Cyber crime is a priority for Cambs Police and is as high a priority for the country as counter-terrorism
- Always report attacks to Action Fraud even if nothing is damaged/taken
- A lot of damage is preventable
Reporting cyber crime to police
We heard that without reporting of hacks and attacks, funds will not be given to fighting cyber crime as the extent of the issue would not be known.
What to do if you suspect you are a victim of cyber crime in Cambridgeshire?
As soon as you are aware…
- Phone your bank
- Report to the local police
- Keep evidence (emails, letters, phone call recordings)
- Report to Action Fraud, even if it is an attempted crime
Mandate fraud is the most prolific crime seen by Cambs Police. Mandate fraud is when someone is convinced to update a supplier's banking details, so that payments intended for the supplier are sent to an account controlled by the fraudster.
How is mandate fraud carried out and what should I be aware of?
Mandate fraud is carried out by phone, email, letter, etc. Essentially the scammers are looking to make staff believe them. This may be with an official-looking letter, or by calling frequently, building up a rapport, and then asking staff to "please update to our new details".
Double check any change to an account number, and never confirm it using a contact number given on the letter or email that requested the change: call the supplier back on a number you already hold for them. Seek further authentication before acting on an email exchange (see more on two step authentication in this blog post).
We were told about two simple ways for someone to gain access to a bank. They may pretend to be a BT engineer, or someone enquiring about a mortgage or new bank account.
So the scammer can say they are from BT, and then have access to the servers while they “do their repairs”. Alternatively, they can pretend to be applying for a mortgage and then use distraction tactics to gain access to hardware.
This is in relation to the bank itself, but can be applied to an office. If you have information stored on computers or servers, someone could still seek to gain physical access to that by pretending to be a customer or service personnel.
Impersonating a CEO
How this works is that a scammer sends an email pretending to be the CEO. It may appear to come from the CEO's address, or from one so close to it (a misspelt name or a lookalike domain) that they hope you won't notice.
Even if you have payment processes in place, a request from the boss will often take precedence. If a boss asks you to expedite a payment, staff will want to help out and maybe even not want to bother their boss.
CEO spoofing relies on helpful staff not double checking, or not wanting to disturb their CEO.
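The "address so close you won't notice" trick can be checked for mechanically before a payment request is acted on. The following is an added example, not something presented at the conference or part of this post: it takes a message's From (and optional Reply-To) header and flags three of the patterns described above, a lookalike domain (confusable characters or a one- or two-letter change), an executive's name on an address that is not the genuine mailbox, and a Reply-To that quietly redirects the conversation elsewhere. The mailbox, domain, executive names and sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed example data (not from the conference or the post): the genuine
# executive mailbox, the organisation's own sending domain, and the names staff
# would recognise as "the boss".
TRUSTED_SENDERS = {"ceo@example-ltd.co.uk"}
TRUSTED_DOMAINS = {"example-ltd.co.uk"}
EXECUTIVE_NAMES = {"jane smith", "ceo"}

# Visually confusable sequences commonly swapped into a registered lookalike domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple-ltd.co.uk' reads as 'example-ltd.co.uk'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but is visually or nearly identical to one that is."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= 2
               for t in TRUSTED_DOMAINS)


def classify_sender(from_header: str, reply_to: str = None) -> list:
    """Return reason codes for treating the message as suspect; [] means none found."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    if is_lookalike(domain):
        reasons.append("lookalike-domain")
    # The boss's name in the display name but not the boss's real mailbox.
    if addr not in TRUSTED_SENDERS and any(n in name.lower() for n in EXECUTIVE_NAMES):
        reasons.append("executive-name-on-untrusted-address")
    # A genuine-looking From with replies steered to a different mailbox.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr:
            reasons.append("reply-to-differs-from-sender")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers illustrating each pattern.
    samples = [
        ('"Jane Smith" <ceo@example-ltd.co.uk>', None),
        ('"Jane Smith" <ceo@exarnple-ltd.co.uk>', None),         # rn for m
        ('"Jane Smith" <ceo@example-itd.co.uk>', None),          # i for l
        ('"Jane Smith (CEO)" <jane.smith.ceo@gmail.com>', None),  # free webmail
        ('"Jane Smith" <ceo@example-ltd.co.uk>', "ceo.office@outlook.com"),
    ]
    for frm, rt in samples:
        print(frm, rt or "", "->", classify_sender(frm, rt) or "ok")
```

A non-empty result is a reason to pick up the phone, not proof of fraud; the check is deliberately biased towards flagging, since the cost of a false alarm is one call to the boss, while the cost of a miss is the payment. It does nothing for a genuinely compromised executive mailbox, which is why the payment process itself still needs a second approver.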
Small amounts from many bank accounts
Often scammers will take a small amount from many accounts, hoping people won’t report it. Keep an eye on all transactions.
“A mobile phone without a pin is the most valuable thing you can find”
Put a PIN on your mobile.
Memory sticks left outside a business
Apparently this is a thing. Memory sticks are deliberately left outside a business so that helpful or curious people will pick them up and plug them into their computer to check the contents or find the owner.
In the next blog post we will look at creating an IT policy to help protect your business and make staff aware of the dangers (ETA: Link to new post).
Action Fraud website and contact: http://www.actionfraud.police.uk/