Getting ahead of cybercrime: Part 1

The cloud is an incredible tool for businesses like yours, enabling you to operate more efficiently and cost-effectively. Improvements in collaboration, communication, staff management and business analytics are more accessible than ever before.

Unfortunately, Cybercriminals are out there looking for ways to profit off this increased reliance on the cloud.

Keeping track of the constantly evolving threats can be overwhelming, so we’ve identified three ‘areas of concern’ for businesses like yours to focus on: Imposters, Attackers and Blindspots.

We’ve dedicated an article to each one of these areas, with links to useful resources and stats from Verizon’s 2021 study on global data breaches. We’ve also provided defensive advice for businesses of all sizes and budgets. Read on for our first instalment in this series.

Watch out for ‘Imposters’

Cybercriminals are able to impersonate just about anyone and anything, and will use dirty tactics to gain your trust and trick you into doing something risky. Below are the types of ‘Imposter’ incidents you should be aware of, along with advice on how to protect yourself against those threats.

Phishing (including phone scams)

• Phishing refers to messages that mimic legitimate communications, but actually have fraudulent intent.
• These could be sent via email, SMS, or any other messaging service. 
• It could also be a phone call from a scammer pretending to be customer support.
• The links and attachments in Phishing messages are malicious, and are used to steal account credentials or infect a device with malware.
• Phishing messages and calls aren’t always mass campaigns. They’re able to be highly customised to target specific people with access to something valuable.
• Phishing can seem very convincing at first glance, misrepresenting itself as an urgent security alert, unmissable offer, or even an invoice to be paid.
• This is an effective manipulation technique, using human fears, temptation and curiosity to force a mistake.
• Verizon found that phishing was present in 36% of global data breaches.

Protect yourself:

Unfortunately, mail filters won’t stop every piece of phishing arriving in company inboxes, but you can reduce the risk of phishing links being clicked by training your employees to recognise the tell-tale signs of suspicious messages. 

Employees should also be wary of unsolicited or unexpected phone calls from customer support. Never provide account or payment information to these callers, and do not download any software no matter how much the caller insists. 

If you need more information, take a look at these cyber-agency guides on Phishing and Tech support scams.

You should know that our team watches for any Xero-branded phishing attempts, and posts examples on our Security noticeboard.

It’s always a good idea to have anti-malware software installed on company devices. This can detect and prevent infection if a phishing link is accidentally clicked.

Business email compromise (BEC)

• BEC is a targeted form of phishing designed to steal your money.
• Cybercriminals can infiltrate inboxes with weak security where they remain undetected while monitoring your inbox waiting for you to receive a legitimate invoice.
• The cybercriminal can easily modify a PDF invoice, or send a follow-up message asking for payment into a fraudulent bank account number.
• They’re hoping that you won’t notice anything suspicious about the bank account number until it’s too late.
• Large sums of money can be lost in an instant, and are difficult to retrieve.

Protect yourself:

While PDF invoices can seem convenient, they can be at risk of modification if someone’s inbox is compromised. Even if you’ve secured your email accounts to protect incoming invoices, there’s no way to know if the recipients of your invoices have done the same.

That’s why Xero also offers more secure options to protect your customers and clients. Wherever possible, your organisation should do business using e-invoices with secure links or via a reputable payment service like Stripe or Paypal. 

Along with general phishing education, employees should be trained to be cautious with messages asking for a manual bank transfer. If the request seems unusual, or the sender is unrecognised, reach out to the company directly to confirm their banking details and whether the request is legitimate.

You can also prevent cybercriminals from infiltrating your company emails in the first place by using strong passwords and Multi-factor Authentication (MFA). 

Man-in-the-middle

• Man-in-the-middle incidents use fake Wi-Fi hotspots to gain access to your devices.
• Cybercriminals can easily set-up a malicious network to impersonate a public hotspot (like a cafe, hotel lobby or airport). 
• If you connect to a fake hotspot, the cybercriminal can view and manipulate any data that passes between your device and the internet. 

Protect yourself:

Once again we recommend tackling this problem by combining employee education and device security measures as we’ve outlined below.

Aside from protecting company devices with anti-malware software, your employees should also know why it’s risky to use public or ‘untrusted’ networks. Mobile data might be a better option, but it’s not always practical. 

If people in your organisation regularly need to jump on public hotspots, you should install VPN software on company devices and train employees on how to switch it on. This will create a secure tunnel to the internet or company servers, regardless of whose network they’re connecting to.

What next?

‘Social engineering’ occurs in 85% of data breaches, so it’s important to address the human element through ‘edu-caution’. This means training everyone in your organisation to recognise the threats above, and react appropriately if something seems risky or suspicious.

Check out the free guides in this article and share them with your employees. If you want to go a step further, look into cybersecurity training providers.

Even with training, we can still make mistakes. That’s why it’s important to have a range of security measures in place, like anti-malware software and strong account security. We talk about these more in our next article.

In the meantime, you can find region-specific resources in Your cloud business guide to Cybersecurity Awareness month 2021. We’ve also created a free, self-paced security course, Manage cloud security for your business, providing essential steps to keep your important business and personal data safe online.