Businesses and consumers are battling a new wave of global ‘scamdemic’ that is targeting the digital economic recovery from COVID-19. As more trade and business has moved online, with reduced social interaction to limit COVID-19, criminals looking to exploit vulnerabilities in the digital ecosystem have unleashed an unprecedented wave of new attacks against companies, their employees and their customers.
Analysis suggests there was a 30,000% increase in threats last year ranging from ransomware, malware and weaponised websites to phishing emails. The sheer scale of the problem reflects a simple situation. While victims need a 100% success rate of preventing attacks, gangs just need to succeed once.
Criminals are focusing where the money is, particularly targeting financial services by impersonating businesses to defraud their customers; around 40% of phishing emails imitate legitimate banks and funders in a bid to extract data or money from victims.
This volume is likely to increase as pandemic-related payment holidays end and borrowers start to receive an increase in legitimate emails about the repayment of loans and debts. Some financial services organisations have seen an eight-fold increase in phishing emails mimicking their brands. Whilst analysis by UK Finance found that most of the authorised push payment (APP) scams identified had originated online, at a cost to victims of £479 million in 2020.
It is not only customers that are being targeted, with gangs also infiltrating institutions themselves to access data and carry out new attacks. Earlier this year, a bank employee was jailed after abusing his position to obtain customers’ security details, which he then passed to other members of his gang so they could try to gain access to the accounts of genuine bank customers - a scheme which netted more than £1.2 million.
In each of these examples, it is not a direct attack on IT systems or company websites, but a frontline attack on individuals by trying to exploit their trust in digital systems and brands. The key goal in each of these attack being to access “personally identifiable information”, allowing criminals to breach account security measures and in turn providing them with direct access to funds or locking users out of systems whilst holding them to ransom for financial return.
With companies under a new wave of frontline attacks, which has expanded due to the new ways of working, we believe education is still a critical step towards helping users recognise threats and become the 1st line of defence against cybercrime.
Putting people in to a classroom or annual training on cybersecurity can help but we have seen that the best way to educate users is through a consistent, constant and robust education programme that not only helps to reinforce the message of what to look for, but is continually updated in line with the new approaches taken by cyber criminals. For example, phishing simulation and triage solutions can help limit the exposure to email attack. These products enable users to click on a single button to report suspicious emails. If they fail to recognise a threat and click on a link in a training email, they receive a message explaining why this was a phishing attempt, helping them recognise this type of email in the future. Genuine threats can be flagged and reviewed centrally by internal cybersecurity teams whilst safely quarantined from the user’s inbox.
With this kind of approach - encouragement is key, so there should be no punishment for failing to respond correctly to a test email. The focus remains entirely on learning and education to make the whole business safer. If staff spot a malicious email feedback is also vital so they know that their vigilance has paid off.
In the battle to keep cyber space secure everybody has a role to play, from employees to customers. Through communities working together to create the best 1st line of defence possible through education and sharing, the financial sector will maintain a stronger defence against the growing digital dangers everybody faces.
If you would like to know more about how we can help you in asset finance, improve your cyber security education programmes or just fancy taking part in our Cyber Escape Experience, please get in touch.
*Content originally posted by the IFN*