“I always thought I was smart enough to know”: Cybercrime threats and how to deal with them
Thursday, October 11, 2018
Small business owner Phoebe Bell never thought she’d be a victim of cybercrime.
But when she sent $10,000 to someone she thought was her China-based supplier earlier this year, she became one of a growing number of businesses which have been scammed by criminals.
“I always thought I was smart enough to know when I was going to be scammed,” she tells SmartCompany.
Bell, the owner of bohemian homewares brand Sage and Clare, fell prey to an email phishing scheme where cybercriminals pretended to be suppliers she had a longstanding relationship with.
“For around three to four months I was talking with scammers rather than the suppliers themselves,” she says.
The scammers mimicked her real suppliers and finally led her to make a payment for a shipment of product.
“At the time I had to make the final payment of the invoice, they asked me to pay into a different account due to auditing issues they were having,” she says.
“I realised once it was too late that the money was gone.”
Bell is one of a much larger cohort of Australian SMEs which have fallen victim to cybercrime in recent years.
Six million Australians have been victims of cybercrime so far in 2018, while 2016 research from Symantec found 43% of attacks in Australia target small businesses.
The scam that tricked Bell, known as a business email compromise scam, caused $20 million in associated losses during 2016-17.
Scammers, who can be based anywhere in the world, are also reportedly focusing on Australian businesses as vulnerable targets.
A new report released by cybersecurity firm Cisco for Stay Smart Online has found Australian businesses are facing more cyber attacks than anywhere else in the Asia Pacific region.
Andrew Bycroft, chief executive of the International Cyber Resilience Institute, is not surprised that Australian SMEs are being targeted.
“A lot of people running businesses … they don’t actually understand the problem,” he tells SmartCompany.
“They think it’s actually a technology problem that can be solved by tech, but it’s just a weapon that’s used, you’ve always got a person committing cybercrime.
“It’s a human crime,” Bycroft explains.
Bycroft says humans are often the biggest cybersecurity vulnerabilities in an organisation, and education is crucial in helping employees and business owners understand the risks so they can actively mitigate them.
A report released by the Office of the Australian Information Commissioner in July found the primary source of cyber breaches between January and March was malicious or criminal attacks (59%), followed by human error (36%).
Bycroft’s tips for SMEs looking to bolster their data security:
- Culture — maintain a workplace which takes cyber security seriously and is vigilant;
- Communications — make it easy to share potential threats between employees and other businesses;
- Process — create policies for clicking external links and verifying the identity of stakeholders;
- People — make sure employees are aware of cybersecurity risks and know the common pitfalls such as clicking suspicious links; and
- Technology — identify your key assets as a business and ensure they are protected.
“I know we tend to live in a very busy world these days, but we need to stop and pause even if it’s for five seconds to think about where we are vulnerable,” Bycroft says.
“It’s within everyone’s budget to be able to have a good enough solution to this.”
Bell agrees, saying she’s much more vigilant now about verifying the identity of her business partners.
“You don’t take things on face value anymore,” she says. “It makes you look at everything.”
The three most common types of human error in cyber scams
- An email containing personal information sent to the wrong person.
- Unintended release or publication of personal information.
- Mail (letter) containing personal information sent to the wrong person.
Bell says she’s also looking at her insurance and making sure her plan includes protection against cybercrime.
“We’re lucky enough, the business is only five years old, we can take a loss, but what it has meant is that we’ve had to pay for the goods again, so it’s been really delayed.”