To succeed in business, it has been said, you need sharp elbows and a hard head. But as well as the need to fend off competitors, vigilance for cyber attacks – and knowing how to sidestep them – is now high on the agenda of all business leaders.
Cybercriminals might be quick to devise new and increasingly sophisticated scams, hacks and fraud schemes but there are recognisable patterns. Experts reveal the top five most common types of cyber attacks.
<h2>Phishing</h2>
Phishing is an email or a text message spoofing an organisation or person. The aim is to trick the would-be victim into clicking on a link and entering their bank details. HMRC is commonly used in phishing attempts while for individuals, it’s holiday companies.

“All organisations need to deal with the threat of phishing because it’s used in most cyber attacks,” says Jessica Barker, co-founder and co-CEO of Cygenta, a cybersecurity consultancy. “Since technical defences have improved, cybercriminals have realised that attacks on organisations are easier, faster, cheaper, less risky and more likely to succeed when they include phishing.”

<a href="https://www.actionfraud.police.uk/">Action Fraud</a> highlights and tracks cybercrime in England, Wales and Northern Ireland. It recently highlighted an increase in phishing attacks on individuals by criminals pretending to be holiday companies with too good to be true offers. “When demand for holidays soars, so does the number of scams,” says Pauline Smith, head of Action Fraud.
<h2>Business email compromise (BEC)</h2>
Phishing is a fundamental but small part of a set of fraud-launching platforms that target businesses. “The biggest business crime is BEC, business email compromise,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “It’s the move from simple phishing through spear phishing to whaling, which draws in C-suite levels.”

Spear phishing is a targeted version of phishing: hackers select a company or individual to attack. Whaling is a step further than spear phishing. The target here is the individual believed to hold the keys to the kingdom when it comes to a company’s secrets.

A successful BEC tends to stem from social engineering or convincing someone that a hacker is who they claim to be. Businesses need to give digital literacy training to staff at all levels. For Woodward, that means understanding the likelihood of being targeted and the ability to recognise suspicious emails. That could include checking whether the URLs in emails or text messages match the official websites. Or, if the payroll department emails a request for the company’s bank account password, confirming the request offline by picking up the phone and speaking to the alleged sender. It could make all the difference between avoiding the worst or falling foul of a hack.
<h2>Ransomware</h2>
“Ransomware is the crime most organisations need to prepare for and is the most difficult to recover from,” warns Woodward. “Businesses have to assume it’s a case of when – not if – it’ll happen and have a business continuity plan that allows the business to continue to operate and to reinstate a trusted version of the systems and network.”

Ransomware isn’t new, but it is increasingly sophisticated as cybercriminals change their methods to infiltrate networks and databases. “Ransomware has evolved,” says Barker. “In many cases, cybercriminals don’t just encrypt their victims’ data. They also threaten to publicly leak it if the ransom isn’t paid.”

The potential lucre that criminals can gain from ransomware is so great that it has spawned its own mini-economy. Ransomware as a service is a niche but growing area in which criminals sell ransomware ‘packages’ on the dark web. This allows other criminals to launch ransomware attacks without needing any technical skill. It also means businesses can be bombarded with ransomware attempts, sent through email attachments and getting people to click on compromised websites that secretly download a virus that locks all files.

Prevention is the best cure, with good training to ensure people don’t fall victim to such ploys. But the scale of ransomware attacks makes them almost an inevitability. That poses its own problems. “Many businesses have relied on insurers paying up the ransom, but that has two issues,” explains Woodward. “Criminals’ decryption tools are often terrible, and it’s quicker to rebuild – as the Irish Health Service discovered when it was attacked in May 2021. Insurers will stop paying out – certainly if you haven’t taken reasonable measures to mitigate losses.”
<h2>Remote access tools (RAT)</h2>
Nobody likes rats, especially in cybercrime. Remote access tools (RATs) were responsible <a href="https://www.actionfraud.police.uk/alert/more-than-50-million-lost-to-remote-access-tool-scams-last-year">for £57m in losses</a> in 2021, according to Action Fraud. It’s a simple scheme, but fraudulent at its core.

The scam often begins with someone calling a company, perhaps claiming to be a representative of a trusted supplier or business partner. They could also pretend to be calling from the victim’s bank to investigate a suspicious transaction on the account. They’ll be deliberately confusing about the trail of actions required, before offering the victim a simple solution: to do it for them, if only the victim gives them access to their computer remotely.

Once in, the criminal siphons off vital data and often drains any bank accounts open on the victim’s computer. It’s a crime often used to target individuals but can offer even bigger payloads when it targets businesses. “Only install software or grant remote access to your computer if you’re asked by someone you know and trust,” warns detective chief inspector Craig Mullish from the City of London Police.
<h2>Insider threats</h2>
Some of the biggest risks are from hackers trying to access a company’s IT systems. But not every attack is launched from outside a company. “Organisations must be aware that incidents and breaches often come from internal as well as external sources,” cautions Barker.

And insider attacks are severely effective. “They know the information to target and if they’re successful, it can shake confidence in the organisation and damage its reputation,” she says. Keeping your workers happy is vital – and keeping track of them could prevent headaches down the line.