126 Million Covid-19 Phishing Scams in One Week
As far back as 17 April, Google reported that they had blocked 18 million Covid-19 phishing emails in one day.
Phishing is still the most popular form of attack, with ransomware coming a close second. These two threats are what keep most IT Departments awake at night.
Over my (ahem… insert large number of years) in the industry I have been unfortunate enough to witness many attacks on SMEs and charities. One in particular has played on my mind – a hacker attacked a fairly tech-savvy charity and used that organisation's physical disadvantage to orchestrate an elaborate attack that left it £25k worse off. Here are the after-effects in their own words:
Sadly, despite regular media reports of cyber attacks on business, most CEOs of small businesses either remain unaware of the seriousness of the situation or believe that hackers aren't interested in their data. Don't be fooled into complacency. Hackers may not be interested in the specifics of the data held by a small accountancy firm in Dunfermline, but they know the worth that the data has for the business. The hacker understands that the data is business-critical, and for the hacker this equates to a money-making opportunity. So guess what? They use ransomware to 'steal it'. You are then faced with two scenarios:
To Pay or Not to Pay
- You have no efficient backup of the data, so you pay the ransom.
- You and your IT are smug in the halo of that backed up data, held in three places (yes, you heard correct, three places) and don’t pay the ransom.
Neither of these options gives you the get out of jail card you so desire. Let’s take a look at the likely outcomes:
A. The hacker gives you an unlock key for your data and it works – great! Don't celebrate yet: if they did it once, they may well come back and do it again.
B. The hacker gives you an unlock key for your data, it doesn't work, and they ask for more money.
Either A or B: they may also have kept a copy of your data and threaten to publish it online or sell it on the dark web. What now?
The average attack on an SME costs nearly £6,500 to deal with, but this doesn't include the cost of staff downtime and rebuilding the business's reputation.
So why do they do it?
Because it's incredibly lucrative: the average US salary for a black-hat hacker (those who hack for criminal gain) is $174,000.
Cybercrime is the fastest growing crime in the world, with large organisations dedicated to it. It is often used to fund other crimes.
And it's incredibly easy; most organisations leave themselves open to attack without realising it:
- 91% of cyberattacks start with phishing.
- 90% of breaches are due to human error.
- 93% of phishing emails involve ransomware.
- One small business in the UK is successfully hacked every 19 seconds.
- A new ransomware attack occurs every 14 seconds; by 2021 it will be every 11 seconds.
The Buck Stops Where Now?
This has been something I have been banging on about for years. Like everything worthwhile in an organisation, it comes down to good culture. We should all have security of data at the forefront of our minds in everything we do: every, single, day.
And let's not forget about it when we leave the office, please; carry it on at home to protect those we live with and the children who don't know better. A good hacker won't necessarily try to phish you directly; they will check out your social media, then target your less tech-savvy friends and family, and a well-timed 'hi, just looking to catch up with you' email from one of them lands in your business inbox. If you can imagine it, they will have thought of it first.
Firewalls and Anti-Virus will Protect Us, Right? Maybe in the 90s but not Now
- Culture: You have to get board-level agreement on a cyber security culture which is embedded in everything an organisation does. At the end of the day, it is not up to IT to look after your customers' data; it is up to you as the business owner. You set the budget, you set the example. You have to own your own ship.
- Awareness: Continual staff awareness; spread that culture far and wide. Send out fake phishing emails to staff to identify the high-risk individuals in your organisation. Make it fun, more carrot than stick. Create a cyber champion within your teams.
- Security Audit: Organise a proper security audit. You may be required to follow a particular security risk framework (ISO, NIST etc.) for the industry you are in. But if not, it is still extremely important to analyse and identify the risks so that you can make the right decisions on your organisational risk tolerance and the budget you want to spend on mitigation strategies. A proper audit will encompass people, process and systems, and may well show that not a lot of budget needs to be spent. There are lots of ways to improve security that don't cost a fortune but are really, really simple to implement quickly. Some of these are: web cams on entrances, good password policies, using a password manager, multi-factor authentication – something you know and something you have (a password and usually a code sent to your phone or an app), encryption, software patches, and checking and restoring backups.
- Disaster Recovery Plan: I can almost hear the eye-rolling from here. Honestly, I know, planning for a global pandemic was in no one's plans. Cart after the horse has bolted. I get it, but it's not the only disaster. Covid-19 has brought its own challenges. For instance, how would you currently, with all your staff working throughout the city, country or world, respond to an outbreak of ransomware? I refer you to the title of this blog: the likelihood is higher, and the outcome will be much more frantic if you don't prepare. Have a disaster recovery plan, whatever the size of your organisation; you don't want to be cobbling something together in the event of an emergency. DR used to be affordable only for large businesses, but SMEs are no longer being left out in the cold. There is plenty that can be done, so get planning!