Cyber crime: what you need to know
By Adam Helliker
As technology evolves, so too do the risks associated with it. In an increasingly digitalised world, with the majority of commerce transacted online, crime has followed suit. The latest figures show that 25% of UK residents have been a victim of cyber crime, but that still means three out of four people have NOT been affected by fraudulent activity on their computer, and if they follow some simple rules of “cyber hygiene” they are much less likely to become victims of cybercrime.
As with most kinds of crime, the point of cyber-fraud is money. The personal details you keep on your devices - and the data other sites may have about you on their websites - present a juicy proposition to cyber criminals. Even if they don’t use those details to commit a fraud immediately, that data can be sold as a valuable commodity to be exploited by others. When an organisation or a business is hacked and the information is lost, some of that information could be yours. If your bank is attacked, the hackers could discover your online banking password. In some of these crimes it’s obvious to see where the money is being stolen from, but other crimes are sneakier. Often criminals will use your personal data that they have acquired to commit identity theft, when they will pretend to be you in order to get money.
This could be as simple as getting your banking password and clearing out your bank account, or as complex as collecting enough personal information about you that the hacker can then apply for loans or open credit card accounts in your name. Experts say that, after data breaches, email addresses and passwords are routinely traded on the dark web (the part of the internet that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable). Last year, for example, the credit agency Equifax was fined £500,000 by the data watchdog following a cyber attack where information belonging to 15 million customers, including their addresses and passwords, was breached.
The high cost of cyber crime:
So how much money is being lost through cybercrime in the UK? Last year the Office for National Statistics estimated that 4.5 million cybercrimes were committed in England and Wales. Bank and credit card fraud made up 75% of all offences, while consumer fraud (taking out loans and mobile phone contracts, or making purchases in someone else’s name) made up 22% of the total number of crimes. According to the latest Cyber Security Breaches Survey, 27% of UK businesses and charities had experienced an attack in the past 12 months, with an average cost of £3,000 to each organisation. This adds up to billions of pounds, not to mention the personal costs of consumers losing data or becoming victims of fraud. Human fallibility is at the heart of many such security breaches. That survey found that of UK cyber attacks, 80% were related to “phishing” (when an email is sent purporting to be from a reputable company in order to induce individuals to reveal personal information), and almost a third involved hackers impersonating senior management via email. Research by the security company Kroll found that 88% of UK data breaches last year were the result of human error. The scale of attacks may be higher, given that there has been significant under-reporting in the past, although the new General Data Protection Regulation (GDPR) is likely to prompt a better picture of the number of incidents.
How the criminal works:
What a criminal is hoping for when they steal data is a combination of hard facts - addresses, credit card details, or passport information. This valuable data can either be used in an immediate attack on, say, your bank account, or traded through online criminal marketplaces to those better equipped to exploit it. After stealing your data, a criminal will attempt to use email and password combinations to log in to your online services and websites (your email is the gateway to all your other accounts, so using the same email and password combination for a number of different websites increases the risk of having multiple accounts compromised). You may not become aware that you are a victim unless you notice money going from your account or are notified by your bank, anti-virus or service provider. It’s not just the obvious financial sites that are attractive to a cyber criminal. Social media accounts, which for many are a valuable way of keeping in touch with family and friends, can be hacked to blackmail a victim by, say, threatening online exposure of private photographs unless a ransom is paid (this happens not just to celebrities but plenty of “ordinary” citizens). Some hackers may break into the accounts of popular sites, such as Instagram and Facebook, just to show off to other users by demonstrating their capabilities. In some cases, social media accounts are a person’s livelihood and can be highly lucrative for those who build up a large number of followers. As such, any threat to hijack or delete can be very damaging to both the reputation and finances of the victim.
How do the thieves get at you?
The most common way for criminals to deliver their malicious software (malware) to a victim is through the sending of “phishing” emails. These emails will often contain either links to malicious websites or malicious documents, both of which will attempt to download and install malware if clicked or opened. In many instances, these emails are sent indiscriminately to huge numbers of email addresses that the criminals have obtained from various sources, and only a small percentage of recipients need to click on the links for it to be financially lucrative for the attackers.
Criminals can make calls pretending they are from your Internet Service Provider, or a software company, claiming that there is a problem with your computer, or you may have seen fake pop-up error messages on your screen. They may then advise you to download a piece of software which, unbeknown to you, gives them control of your device. This allows them to carry out further criminal activity.
An attack may also be made through a programme you may have downloaded on your device (an App), which may contain embedded malware that is downloaded alongside a legitimately requested Application. These instances are usually dealt with quickly when discovered and reported. Using the well-known and reputable App stores decreases the risk of infection.
The motivation of some cyber attacks may be emotional rather than financial. The offences may be carried out by someone closer to home, say an ex-partner who is taking revenge on a former lover, by targeting them with abusive messages, or bullying and controlling behaviour using a victim’s phone or online accounts. These incidents can be a distressing consequence of a breakdown of trust in a relationship, and may count as domestic abuse.
So, in general, cyber criminals seek to exploit human or security vulnerabilities in order to steal passwords, data or money directly. The most common cyber threats include:
Hacking - including of social media and email passwords.
Phishing - bogus emails asking for security information and personal details.
Using malware - software that is specifically designed to disrupt or damage computer systems. This includes ransomware through which criminals hijack files and hold their owner to ransom.
Breaking and entering - for a cause:
Hacktivists are criminals who carry out cyber attacks but their aim is disruption for a cause, rather than cash. They can target organisations whose political beliefs are opposite to their own, or businesses who they may accuse of acting against their wishes. They often announce attacks in advance in the hope of gaining media attention. An attack by activists may involve the theft of sensitive information or the disruption of trading for a business. Some see hacktivism as an acceptable way of encouraging change in society, but others view this type of cyber attack as a malicious and destructive means of protest.
Hostile nations can use technology to spy on other countries and steal state secrets, or to attack their infrastructure (such as the power supply) by waging cyberwarfare, which can cause as much damage as the operations of conventional war. Some states, including China, Russia, Iran and North Korea, regularly use their cyber capabilities to threaten the interests of other nations. The UK is protected by the National Cyber Security Centre, part of GCHQ, which identifies hostile activity by both individuals and other nations and works to strengthen the nation’s resilience against such adversarial actions.
Some cyber criminals use their skills to attack commercial organisations to steal intellectual property or other sensitive data and thereby gain a business advantage. Cyber attacks can result in substantial financial loss arising from the theft of corporate information. Businesses suffering a cyber breach can also face big bills to repair their systems and devices. These attacks can also damage a business’s reputation and erode the trust of customers, which can lead to loss of trade and, ultimately, profits.
While the world has benefited hugely from modern technology, a reliance on internet-based operations comes with the downside of vulnerability to misuse by those on criminal or nefarious missions. Some companies whose systems are not fully resilient are vulnerable to disruption. There are examples of elections being corrupted, power supplies being cut off, and ransomware taking businesses offline.
In 2017 the WannaCry ransomware delivered thousands of spam emails to businesses across the world, encrypting the files of victims, rendering their systems inaccessible unless they paid hundreds of dollars. The attack hit the UK’s National Health Service which found its computers were locked out, meaning thousands of patients were
The most sophisticated technology is vulnerable to the shortcomings of those who use it; tech can’t innovate human error out of existence. Employers need to support staff in recognising when they might be vulnerable to malicious intent, but there is inaction and complacency on both sides. A poll by the US software company Centrify found that 77% of UK workers have no basic training in cyber security. The majority - 69% of respondents - said they lacked confidence in their ability to keep their own or their employer’s digital information safe. A third admitted using the same login credentials across multiple accounts. Human beings are the first and last line of a company’s defence and ensuring that all are as cyber aware as possible is a wise investment. So too is updating software and hardware regularly.
What you can do:
Don’t reuse passwords for multiple accounts, especially email – your email account is the gateway to all your online accounts. If it gets hacked, all your passwords can be reset. So keep it unique.
Turn on two-factor authentication – this free security feature adds an extra layer of protection online and stops cyber criminals getting into your accounts – even if they have your password.
Update regularly – using the latest software, apps and operating system can fix bugs and immediately improve your security.
An employee received a telephone call with an automated voice message explaining that her computer had been compromised. She was instructed to press “1” to download a remote access tool called “Supremo”, which granted access to the computer. She was asked to transfer money into a bank account in order to “track the hackers”. The suspect had twice falsely shown that money had been transferred into the victim's accounts. She was then instructed to make bank transfers to the value of £57,000 through online banking. Her bank contacted her asking to confirm the transfers. The following day, she checked her online banking and noticed a further £12,000 had left her current account. She realised that this had occurred while the suspect was claiming to fix her PIN code generator gadget. In total, she lost £69,000.
A member of the public found that his phone was starting to behave oddly and he was eventually locked out. He was then contacted on his social media account by criminals telling him that child pornography had been installed on the phone. He was ordered to pay a fee, otherwise the images would be shared with his family and friends. An investigation later found that the hackers had gained access to his phone through malware installed on a game which the victim had downloaded through an unrecognised - and unsafe - app.
An office worker received an email from a client, containing an attachment. The email was entitled "Thanksgiving Day....." The employee opened the attachment and unknowingly downloaded the Emotet and Trickbot malware onto his company’s computer. The business was locked out of online banking, and the account was only restored after its IT provider, assisted by the bank, had re-installed a new system.
An employee at a school received a suspect email containing an attachment. He downloaded the attachment which installed Trickbot malware onto his laptop. The school’s bank login details were compromised. The criminals attempted to make fraudulent payments for £400,000, but these were stopped by an authorisation procedure. Bank details were changed on his supplier’s database so as to divert funds to the attacker’s bank account. The victim subsequently lost £16,000 which had been transferred into the hacker’s accounts.
The Instagram account of a 26-year-old social media influencer was taken over and held to ransom. Compromising images were displayed on the account and money was demanded, with the threat that all of her 300,000 followers would otherwise be deleted. The victim was unable to log on to her account and suffered huge damage to her reputation and considerable loss of income.