Our focus in 2020 has understandably been consumed by the community health crisis caused by COVID-19 and the resulting global economic impact. As we were all forced away from the office to work from home, it seems many people and businesses have let their guard down and cyber criminals have been taking advantage of the situation.
Last week SmartCompany reported that small businesses in Australia had experienced a rise in cyber attacks throughout the course of 2020, with 4,255 reported incidents of email scams in the 2019-20 financial year alone. This increase in cyber crime has reportedly cost businesses over $142 million, according to the Australian Cyber Security Centre (ACSC). As a clear sign that this activity is on the rise, the prudential regulator (APRA) has also weighed in on this issue and last week unveiled its cyber-security strategy for 2020-24, which seeks to lift security standards and introduce higher accountability where companies fail to meet their requirements. It must be noted that to date no APRA-regulated bank, insurer or superannuation fund has suffered a substantial cyber attack, but APRA executive board member Geoff Summerhayes has warned that a lack of awareness among the higher ranks of companies will only make it a matter of time.
So it is clear that the rise in online activity through the COVID period, as a result of most of us having to work from home, has created a perfect storm for cyber criminals. And to give you an idea of just how unscrupulous these scammers can be, during the month of March 2020, when community concerns about COVID were arguably at their highest, the Australian Cyber Security Centre received more than 45 pandemic-themed cyber-crime and cyber-security incident reports, while the ACCC’s Scamwatch received more than 100 reports of COVID-themed scams. Not very nice.
Whilst we often think about such computer hacking incidents as highly sophisticated breaches, the majority of cases involving individuals and business owners are based on fairly common vulnerabilities and are easy to avoid.
The most common scenario is where an individual uses a single password for different applications. It’s most often the unsavvy staffer who uses the same Facebook password for the rest of their corporate applications and email, so once that one password is hacked or phished, it gives the scammer access to a treasure trove of highly sensitive information. After gaining access to the mailbox, for example, the cyber criminal will usually study a pattern of behaviour over a period of time (sometimes weeks) in order to understand the emails being sent and received, often with suppliers, where they can tap into the movement of money.
It is often the case that at the end of a legitimate email thread to order goods from a supplier, the cyber criminal will send a final message requesting that the payment be diverted to a new bank account. This diversion can also be achieved through online accounting software, particularly if the scammer has been able to gain access to a firm’s practice software. The perpetrator will often attempt to change the bank account details on an invoice just before it is sent, or intercept payroll details just before a pay run is processed. To cover their tracks, they delete the message from the sent and deleted folders, and if a response is received acknowledging the change in bank account details, a mailbox rule set up in advance deletes the response or moves it to another folder, so the employee is not alarmed. Pretty scary stuff.
There are, however, a few simple steps that greatly reduce the likelihood of these types of breaches.
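The pre-configured mailbox rule described above is one of the few traces this kind of fraud leaves behind, and it is something an administrator can check for. The following is an added example, not code from the original post or from myprosperity: it audits a list of mailbox rules for the clean-up pattern (rules that delete or hide replies about bank details). The rule field names, the keyword list and the hidden-folder list are assumptions modelled on common mail-client rule settings.

```python
# Added example (not from the original post): audit mailbox rules for the
# clean-up pattern described above, where a fraudster pre-creates a rule that
# deletes or hides replies about changed bank details so the victim never sees
# them. Field names mirror common mail-client rule settings but are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed word list: terms a payment-diversion clean-up rule typically matches.
PAYMENT_TERMS = {"bank", "account", "bsb", "invoice", "payment", "remittance", "payroll"}
# Assumed folder list: destinations most users never look at.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}

@dataclass
class InboxRule:
    name: str
    subject_words: List[str] = field(default_factory=list)
    body_words: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False

def rule_findings(rule: InboxRule) -> List[str]:
    """Return human-readable reasons this rule looks like BEC clean-up."""
    tokens = {w for phrase in rule.subject_words + rule.body_words
              for w in phrase.lower().split()}
    hits = sorted(tokens & PAYMENT_TERMS)
    hides = rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    findings = []
    if hides and hits:
        findings.append("hides mail matching payment terms " + ", ".join(hits))
    if hides and rule.mark_as_read:
        findings.append("marks hidden mail as read so no unread badge appears")
    if rule.delete_message and not tokens:
        findings.append("deletes every incoming message")
    return findings

def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map each suspicious rule's name to its findings; clean rules are omitted."""
    return {r.name: f for r in rules if (f := rule_findings(r))}

# Constructed sample: two rules an attacker might plant plus one benign rule.
SAMPLE_RULES = [
    InboxRule("Clean up", subject_words=["new bank account", "BSB"],
              delete_message=True, mark_as_read=True),
    InboxRule("Newsletters", subject_words=["newsletter"], move_to_folder="Newsletters"),
    InboxRule("RSS", body_words=["invoice"], move_to_folder="RSS Feeds"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"SUSPICIOUS rule '{name}': " + "; ".join(reasons))
```

In practice the rule list would be exported from the mail platform's admin tooling and fed into `audit()` on a schedule, so a rule planted between reviews is noticed before the next invoice goes out.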
1. Use applications such as myprosperity and Xero that employ multi-factor authentication (MFA), so that you can block most unauthorised access attempts on these systems. MFA provides a safety net in case employee passwords are compromised and, in the case of myprosperity, can be set up at the practice level as well as the client level. Note that myprosperity does not provide functionality for performing actual payments or money transfers; however, we are dealing with incredibly sensitive financial information, so we highly recommend that you configure MFA regardless.
2. Ensure that passwords are strong and regularly updated. Never share passwords, and educate your staff on best practices for managing secure passwords. I recall years ago when I was at Xero that one accounting firm which got hacked had issued a common password to up to 20 staff in order to simplify team access to their practice software. Clearly not a great practice from a security standpoint. And if continually changing passwords becomes a drag for your staff, you can also use password managers and generators, which allow the user to regularly create strong, random passwords. Products such as Avast, 1Password and Dashlane are good examples.
3. Finally, think about deploying an email security system that provides an anti-phishing defence, allowing you to detect and prevent fraudulent emails from being sent from legitimate mailboxes. Companies like MailGuard and Mimecast offer good solutions that are cost effective and easy to deploy.