Tasmanian businesses and investors targeted by hackers
We have recently been alerted by a number of sources to the rising incidence of a particular type of scam which has seen a number of Tasmanian businesses and individuals targeted, some losing many thousands, if not hundreds of thousands, of dollars. Unlike many scams of the past, this is a sophisticated attack (often referred to as business email compromise): the attackers break into the email accounts of key individuals to learn background information (possibly over a number of weeks or months), forge documents and use Australian bank accounts to redirect funds from particular transactions.
Typically the attack runs along the following pattern:
- Access to your email mailbox is obtained by the attackers, who then go through the emails and their attachments, collecting information such as:
  - What kind of assets you or your business has, and what income you receive and from what sources;
  - What kind of transactions you regularly engage in;
  - Who the key contacts are who have the ability to redirect funds coming to you, if instructed to do so (e.g. your financial adviser, your rental property manager, your customers, your business associates);
  - Whether any stored attachments carry your signature (e.g. a signed form or a contract being emailed between different parties); the image of that signature is then copied onto a forged document.
- Once a suitable type of transaction is identified, an email is sent from your compromised email address (so it genuinely comes from your mailbox and passes any ordinary check of the sender) to a key customer or contact person advising of “your new bank account details” and requesting that the customer or contact updates their records so that the upcoming payment is made to the new bank account.
- The nature of the transactions varies greatly between cases! This may be an instruction to your customer to pay their invoice to the new business bank account, or it may be an instruction initiating a transaction (e.g. an instruction to your financial adviser to sell a parcel of shares on your behalf). It may be that you commonly email requests to business associates or employees to transfer funds between different business accounts, and such an email is faked to initiate a fraudulent transfer.
- This email may be accompanied by a fake “authority” to undertake the change, with a signature digitally copied from a legitimate signed document;
- The emails are well written and may include background information gleaned from your past emails to make them look more credible.
- The “new bank account”, as far as we are aware, is always with an Australian bank, and accounts at a number of different banks have been used. Once the money arrives it is immediately moved through a web of other accounts, quickly leaving Australia and ending up overseas. Please be aware that when you make an electronic transfer, in most instances the bank does not check the account name you type against the name on the receiving account: in the majority of cases only the BSB and account number are used to route the payment. You may believe you are paying a customer or contact while the account is in a completely different name, and the bank will not warn you of the mismatch.
- In some instances, if the bank is alerted quickly enough, it may be able to freeze the account before the funds are moved on. If you discover that a payment has gone to the wrong account, contact your bank immediately; every hour counts.
What to do to prevent this from happening to you
- Remember, this scam has succeeded on many occasions and so the scammers are highly motivated to keep using it on more and more people – you need to remain vigilant with your cyber security measures!
- You already know to use passwords that are unique and difficult to guess – but you also need to be using two factor authentication wherever it is offered. Two factor authentication is where, in addition to your password, you confirm a log-in or a transaction with a code sent by text message to your phone, or generated by an authenticator app or a hardware token that produces single-use codes. Codes from an app or token are preferable to text messages, which can be intercepted or redirected by a SIM swap, but any second factor is far better than none. Email and accounting software in particular are two areas where you should be using two factor authentication if it is offered by your provider. This is a simple and yet highly effective security measure and you should take advantage of it wherever possible.
- If you get an email from someone requesting that you update their bank account details prior to making a payment to them – do not reply to that email, and do not call a number given in the email. Call them on a number you already hold for them and confirm over the phone that the request is legitimate. If you change the recipient’s bank account and transfer funds to it without first checking that the request was authentic, you may be found at fault and liable for the lost funds.
- Advise your customers that you will only authorise a change in bank account details via a two-step process whereby a written request is subsequently confirmed in person, or by telephone with an authorised officer or employee of the business. Consider amending your invoices to add a comment to that effect.
- Over the last few years there have been a number of large scale data breaches of various websites which resulted in their users’ details and passwords being exposed, such as the 2012 LinkedIn data breach which came to light in 2016 and exposed over 164 million users, and the 2013 Adobe data breach which exposed 153 million users. The Government’s Stay Smart Online website recently reported that 1.4 billion email addresses, passwords and other credentials have been found on the Dark Web. That information – users’ email addresses, logins and passwords – is still out there and is still being mined by hackers. You may not even be aware that your details have been compromised! You can use the free search offered by https://haveibeenpwned.com/ to identify whether your email address and details have previously been leaked in a data breach. If they have – change that password without delay, and change it anywhere else you used the same password.
- Be mindful of what apps you download onto your smartphone. Malicious apps will try to steal personal information from your phone and could expose your device and data to malware. They can also lead to attacks ranging from unwanted pop-up ads to more serious efforts to steal personal and financial data, or lock your files and demand a ransom for the key that allows you to regain access to them. Always review and manage “permissions” for each app you download, and install apps only from the official app store for your device.
- Phishing continues to be a popular method for obtaining someone’s login details and passwords – this is where an email that looks legitimate is in fact a fake, and contains a link to a ‘spoof’ site that looks like the real deal. Once you click on the link, you are taken to the spoof site, which asks you to log in and then captures the details you type in. Watch out for links embedded within emails, especially where they point to sensitive sites such as internet banking. It is safer to ignore the link and go to the website directly in your browser by typing the address you know.
- Reconsider your strategy for storing emails with sensitive attachments containing signatures, such as completed forms and contracts. Also check your mailbox settings for forwarding or inbox rules that you did not create: attackers commonly add a rule that silently forwards copies of your mail to themselves so that they keep reading it even after you change your password.
- Passwords are of crucial importance now more than ever. And yet the biggest hurdle to creating a secure password is having to remember it afterwards – and you are supposed to have a different password for each site or service you use. This seems to be one of the main reasons people continue using the same simple password for everything even when they know they shouldn’t. This hurdle can be overcome by using a password manager – software that remembers and keeps track of the passwords for you. The downside of a password manager is that if the password manager has a security vulnerability, or your master password is weak, then all your passwords may be compromised; however, security experts maintain that this risk is outweighed by the risk presented by having weak and repeated passwords, in particular because leading password managers encrypt the stored vault with a key derived from your master password. If you do choose to use a password manager, you should choose one that offers two factor authentication and use a long master password that you use nowhere else. There are many password managers out there, ranging from free to premium-priced and each offering varying ranges of features. We suggest that you look into the current offerings, check out their ratings and reviews and/or speak to your IT support provider.
- Regardless of whether you choose to use a password manager, you need to be mindful of the passwords you use. New guidelines for password security issued earlier this year (most prominently the US NIST Digital Identity Guidelines, SP 800-63B) have turned accepted wisdom about passwords on its head: length matters more than forced mixes of symbols and numbers, routine forced password changes are no longer recommended (change a password when you suspect it has been compromised), and new passwords should be checked against lists of passwords exposed in previous breaches.
- Human error can undermine the best laid plans so you need to ensure that your spouse, your kids and your employees are all across cyber security measures and policies at your home or your business.
- You may also wish to investigate cyber insurance options. Cyber insurance policies differ but generally cover different types of threats that go beyond the scenario outlined in this newsletter, also addressing privacy and media risks. A cyber insurance policy may include cover for system damage, business interruption (reduction in profit due to system outage), liability for damage to other parties due to malware inadvertently passed on from your system, the cost of regulatory investigations, the cost of privacy breach notifications, reputational harm, identity theft and intellectual property rights infringement. We suggest you contact your insurance advisor to gain information on cyber insurance cover available.
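Have I Been Pwned, mentioned above for checking email addresses, also publishes its collection of breached passwords through a "range" lookup designed so that the password itself never leaves your machine: you send only the first five hex characters of the password's SHA-1 hash, receive every suffix sharing that prefix, and look for yours locally. The following added Python example (ours, not from the newsletter or from Have I Been Pwned) implements that check so that a business can screen new passwords against known breaches, as the new password guidance referred to above recommends. The endpoint https://api.pwnedpasswords.com/range/ is real and is only contacted by the optional `fetch_range` function; the sample response body, its suffixes other than the one for "password", and all the counts are constructed for this example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, used only by fetch_range()


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Each response line is 'SUFFIX:COUNT'. A count of 0 marks padding lines
    the service can add on request; they mean 'not seen' and are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (network access required). Only the 5-character prefix is sent,
    so the service cannot learn which password is being checked."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch: Callable[[str], str] = fetch_range) -> bool:
    """Policy check for new passwords: reject anything seen in a breach at all."""
    return breach_count(password, fetch) == 0


# Constructed stand-in for the reply to prefix 5BAA6 (the prefix for "password").
# The middle suffix is the real one for "password"; the other suffixes and all
# counts are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "2A3C1F0E5B7D9A8C4E6F1B2D3A5C7E9F0B1:0",
    ])
}


def offline_fetch(prefix: str) -> str:
    """Fetcher that serves the constructed sample so the check runs without network."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(breach_count("password", offline_fetch))   # 3730471 (constructed count)
    print(is_acceptable("password", offline_fetch))  # False
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; a sign-up form or a password manager's audit feature would call `is_acceptable` and tell the user to choose something else when it returns False.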
Remember – there is a large payoff for the scammers with these sophisticated schemes and they have frequently been successful in recent times. They are highly motivated and patient – and this means you cannot afford to be complacent.
The holiday season is a high risk period, with fewer employees in offices to review business correspondence and transactions, possibly less time (or inclination!) to review personal banking transactions and in general people tend to let their guard down at this time of the year.
We encourage you to be proactive and vigilant; there are many general security measures that should be regularly attended to, for example, having a robust anti-virus and anti-malware product, making regular back-ups which are stored offsite and restoration tested, being careful around opening attachments and updating your system software regularly for security patches. Your IT support provider can assist you with identifying weaknesses in your particular system and can help you choose the most appropriate security products for your circumstances.
We recommend that you consider installing and implementing a Unified Threat Management (UTM) system to ensure that your organisation’s electronic information is as secure as possible. A UTM is a network appliance (physical or virtual) that allows administrators to monitor and manage a wide variety of security-related functions through a single management console. UTMs typically provide a firewall, intrusion detection and prevention, anti-malware, spam and content filtering of emails and web sites, and virtual private networking capabilities. The benefit of a UTM is that it simplifies the management of all the threat management tools and devices available. It allows administrators to have visibility and react quickly to performance issues and perceived threats, and provides real time reporting of the performance of the system and the actions of users. Note that a UTM protects your own network; it cannot see a compromise of a cloud-hosted mailbox, which is why the two factor authentication and verification steps above remain essential.
It is also important to be mindful that a breach such as the one described above may expose you to the Notifiable Data Breaches scheme under the Privacy Act, which we discussed in the previous newsletter. The compromised mailbox itself, holding customers’ and contacts’ personal information, may be a notifiable breach regardless of whether any funds are lost.
We encourage you to speak to your Ruddicks adviser if you have any questions or require further information.
Liability limited by a scheme approved under Professional Standards Legislation.
The contents of this publication are general in nature and we accept no responsibility for persons acting on information contained herein. The content of this newsletter does not constitute specific advice and readers are encouraged to consult their Ruddicks adviser on any matters of interest.
Any advice provided is not ‘financial product advice’ as defined by the Corporations Act. Ruddicks is not licensed to provide financial product advice and taxation is only one of the matters that you need to consider when making a decision on a financial product. You should consider seeking advice from an Australian Financial Services licensee before making any decisions in relation to a financial product. © Ruddicks 2017