Firms don’t have to be household names to be targeted by criminals looking to access their accounts, as a growing number of mid-market businesses are discovering.
From phishing to hackers, many are still under-prepared and under-insured for today’s risks, but companies can improve their protection.
Phishing, in which criminals use emails to trick recipients into revealing personal information, passwords and account information, is a key part of the risk. Recipients usually receive an email purporting to be from a business they have dealings with and are invited to click on a link or attachment. This may lead to a fake version of the customer website, which will record their log-in details, or expose their computer to viruses. US security company RSA estimates that phishing attacks cost global organisations USD 4.5 billion in 2014.
Part of the problem is that scams are becoming increasingly sophisticated and difficult to spot. Many phishing emails in the past gave themselves away through typos, poor English and obviously fake email addresses or website address links. That’s no longer the case. A quiz by technology giant Intel earlier this year found only 3% of people could consistently pick out phishing emails from legitimate messages.
Scams are also increasingly targeted, says Sarah Stephens, Head of Cyber, Technology & Media Errors and Omissions at JLT Specialty. Many use information from other attacks, such as the high-profile data breaches affecting TalkTalk and JD Wetherspoons, to improve their effectiveness.
“With lists of customers, their preferences and relationships with other companies it becomes much easier to craft successful phishing emails. It gives criminals data about who consumers expect to hear from and how they behave,” says Stephens.
Criminals also make increasing use of legally obtained information, using social networking sites, for example, to target particular individuals. With this, they can send emails purporting to come from people their targets know and tailor messages to them more precisely: so-called “spear phishing”. In December, security firm Symantec said a growing number of hackers were targeting professionals on LinkedIn by first making contact using fake profiles.
“LinkedIn is a prime target for scammers looking to connect with professionals in a variety of industries including information security and oil and gas,” it warned.
Moreover, while email phishing is a major source of risk, there are countless other threats that target businesses’ banking facilities – from fraudulent phone calls looking to gain access to accounts (“vishing”) to viruses used to steal log-in details (see box out). The threats continually evolve, according to Adrian Lamasz, a senior partner at JLT Specialty. “Criminals’ methods keep developing as the technology does. As a result, it’s unlikely you’re ever going to be one step ahead,” he warns.
Resisting the bait
That doesn’t mean there is nothing businesses can do, however.
First, as well as reviewing their technological defences and processes to ensure basics such as virus protection and patches are in place, businesses should look carefully at their training. Security firm Verizon’s 2015 Data Breach Investigations Report showed that almost one in four (23%) recipients of phishing emails open the message. With education, according to the company, that can be reduced to one in 20. Programmes that test employees’ response to phishing scams to identify those needing further training tend to be more successful than traditional courses, according to Stephens.
The other thing businesses should do is examine their insurance, since they cannot rely on compensation from their bank. RBS recently revealed that, of the 5,000 of its customers who fell victim to scams in the first nine months of 2015, 70% recovered no money at all.
For more information please contact Adrian Lamasz, Senior Partner in Risk Practice on +44 (0) 121 626 7813