Small businesses that hold share trading accounts are being urged to take care of their passwords and online security following a cyber-attack on the online accounts of retail investors this week.
The joint Australian Federal Police and Australian Securities and Investments Commission (ASIC) investigation uncovered evidence of hacking, market manipulation and money laundering involving potentially compromised accounts that traded through Morgan Stanley.
The authorities suspect a Russian hacker was behind the attack, which saw unauthorised trades take place in accounts held with Commonwealth Securities, Etrade Australia, and the Australian Investment Exchange.
The hacker was stopped from withdrawing profits from the unauthorised trades yesterday when the Supreme Court of NSW, at ASIC’s request, ordered that $77,000 be prevented from leaving the country.
In a strongly worded statement yesterday, ASIC Commissioner Cathie Armour said the authority would continue to work to “smash any criminal activity” targeting the Australian market.
“ASIC has a world-class surveillance system to gather, match and analyse data to uncover misconduct, and its staff continue to monitor and detect suspicious trading activity and work with market participants to ensure account hacking is swiftly identified and stopped,” she says.
AVG security advisor Michael McKinnon told SmartCompany it was another case of an international criminal taking advantage of people via the internet.
He says what is interesting about the hack is that stock market trading accounts, although they are high-value targets for cybercrime, tend to be quite secure.
“When you have an online stock market trading account you usually have two passwords,” he says.
McKinnon says one is for logging in to the account, to view portfolio holdings and other account information, while the other is the trading password, which the account holder must enter to approve a trade.
While McKinnon says it is hard to know exactly how the retail accounts in question were compromised, he says there are a few likely ways it could have been done.
“The most common is when account holders use a password they’ve used before,” he says.
“If your eBay password is the same as your share trading account, once someone knows your eBay password they’ve got access to your trading account.”
McKinnon says the main defence against that is password separation: a different password for every account.
However, McKinnon says if he had to speculate, the hack on the share trading accounts more likely resembled a “phishing attack”.
A phishing attack, which usually takes the form of an email purporting to come from a bank or financial institution and prompting the account holder to take corrective action, is a scam a lot of people fall for, McKinnon says.
McKinnon believes this is especially likely with share trading accounts, because many people do not use those accounts regularly.
“What would happen here is the link would take you to what looks like your share trading platform,” he says.
“One of the things, in my experience with accounts like this, is that if you’re not a regular trader you’re less likely to be accessing the account frequently.
“Given what we know about share trading accounts, and that the banks who operate them have been taking pretty reasonable steps to secure those accounts for a number of years, and because they are high-value targets, on that basis I would lean more towards it being a phishing attack.”
McKinnon says small businesses with such trading accounts should do what they can to protect themselves, with his tips similar to the ones listed following the recent fake Telstra email scam.
“The same rules apply here; if an email mentions an account number, you want to actually verify that number is your account number. It is unlikely the scammer will have the exact account number,” he says.
“Pay attention to links in emails, look at the domain name of where the link is going to, and if it’s not the exact domain name, don’t click.”
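The link check in McKinnon’s last tip can be automated, and doing so shows the tricks an “exact domain name” test has to survive. The following is an added example written for this page, not code from AVG, ASIC or any of the brokers named above. It assumes a placeholder platform domain, trading.example.com.au, and runs over a constructed phishing email. It goes a little beyond the tip: besides rejecting any host that is not exactly the trusted one, it flags the trusted name buried inside a longer attacker host, a user-info `@` that hides the real host, a visible link text that disagrees with the real destination, non-http schemes, and internationalised host names that could be homographs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed domain of the share trading platform (placeholder, not any real broker's domain).
TRUSTED_HOSTS = {"trading.example.com.au"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host the browser would actually connect to: userinfo and port stripped, lower-cased."""
    return (urlparse(url).hostname or "").lower()


def check_link(href, text):
    """Return the reasons this link should not be clicked; an empty list means it passed."""
    reasons = []
    parsed = urlparse(href)
    host = host_of(href)

    if parsed.scheme not in ("http", "https"):
        reasons.append("scheme is %r, not http(s)" % parsed.scheme)
    if not host:
        reasons.append("no host")
        return reasons
    # Non-ASCII or punycode labels can render as look-alikes of the real name.
    if any(ord(ch) > 127 for ch in host) or host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalised host name; possible homograph")
    if host not in TRUSTED_HOSTS:
        reasons.append("host %r is not exactly a trusted host" % host)
        # e.g. trading.example.com.au.verify-login.net: the real name is only a prefix.
        if any(trusted in host for trusted in TRUSTED_HOSTS):
            reasons.append("trusted name embedded in a different host")
    if "@" in parsed.netloc:
        reasons.append("userinfo before '@' hides the real host")
    # If the visible text looks like a URL, it must point where the href points.
    text_host = host_of(text) if "://" in text else ""
    if text_host and text_host != host:
        reasons.append("visible text says %r but link goes to %r" % (text_host, host))
    return reasons


def audit_email(html_body):
    """Return (href, text, reasons) for every link in the email body."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed sample email: two phishing-style links and one genuine one.
SAMPLE_EMAIL = """
<p>Unusual activity was detected on account 12345678. Please confirm:</p>
<a href="https://trading.example.com.au.verify-login.net/confirm">https://trading.example.com.au/</a>
<a href="https://trading.example.com.au@198.51.100.7/">Secure login</a>
<a href="https://trading.example.com.au/security">Security centre</a>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        verdict = "OK" if not reasons else "DO NOT CLICK"
        print(verdict, href, "; ".join(reasons))
```

The decisive rule is the exact-host comparison, which is what McKinnon describes; the other checks exist because a host string can be made to *look* exact to a human while `urlparse(...).hostname` reveals where the browser would really go. Note that the check is on the `href`, never on the link text, since the text is entirely under the sender’s control.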