This week the SMH reported the story of a small business owner who lost AU$10,000 in an email fraud attack.
“Small business owner Phoebe Bell believes scammers were watching her emails "for months" before they swiped $10,000 from her homewares operation, Sage & Clare,” the SMH reports.
The scam was a typical example of email cybercrime. The criminals hacked Sage & Clare’s email accounts and found correspondence with a supplier negotiating a $10k purchase. They inserted themselves into the communication and then gave false bank account details for the payment so that instead of paying their supplier, the company unwittingly sent the $10k to the criminals.
Email crime is growing explosively
Perhaps the most concerning aspect of this case is that it’s not unusual, and is part of a recent surge in online fraud.
Easy-to-set-up cybercrime kits, sold cheaply from virtual storefronts on the dark web, have made it easier than ever for relative novices to get into the cybercrime racket. The days when online criminals needed serious hacking skills or degrees in computer science are long gone. Anyone with lax ethics and a few hundred dollars can get started as a hacker, and that has driven a sharp increase in online crime numbers.
A recent report from APWG revealed that online fraud incidents have increased 46% since 2017, and FBI data shows that this crime category has grown more than 2000% since 2015. The global cost of internet fraud is now in the billions of dollars, the FBI estimates.
Although the incident reported this week by the SMH is very serious and devastating to the small business involved, it is a relatively small-scale theft in the bigger picture of cybercrime. It’s becoming common for cybercriminals to steal millions of dollars in a single attack, and the frequency of such incidents is accelerating alarmingly.
Serious damage from one email
Phoebe Bell, the owner of Sage & Clare, realised her business had been defrauded last Friday, and tweeted her dismay about the incident:
> It hasn’t been an easy weekend in camp Sage x Clare. Late Friday night I realised I’d been the victim of a horrible targeted scam, which has led to the loss of more money than I can even… https://t.co/VUp6fml01A
> — sageandclare (@sageandclare) August 12, 2018
“It totally shocked me. I never saw, or thought, this could have been a scam,” Bell is quoted as saying in the SMH article about the scam.
“It's frustrating because we already have so many insurances in place. However, at this stage, it looks like the company has no way of recovering the funds.”
Bell explained that the initial $10k financial loss is not the full extent of the damage since the business will now be short on stock to support the coming seasons’ sales.
Bell posted on Facebook to warn other small businesses about the incident, saying “I thought I was smarter than that… I feel stupid and naive.” Commenters on her post commiserated, saying the incident could “happen to anyone,” which is, unfortunately, entirely accurate.
Australian companies unprepared
Most businesspeople don’t expect a simple email exchange to be the vehicle for a major crime, but the reality is that most cybercrime is committed in precisely that way.
“Australian Businesses are targets and are generally underprepared,” was the finding of the 2018 AusCERT report. “Phishing and email attacks are still the most prevalent form of cybersecurity incidents.”
Typical email-based fraud is a relatively simple crime. Criminals do some basic research on a company through social media and Google searches, looking for the names and contact details of the company’s staff, and then send them phishing emails designed to obtain their account login details. If a victim clicks through to a phishing page and unwittingly gives up their login details, that’s all it takes to compromise their account.
Once the criminals have access to a company inbox, they can take their time hunting around for an opportunity to divert large payments to their own bank accounts.
Cybersecurity 101 for business owners
The explosive growth of email-based fraud requires a multi-layered approach to security that includes virus scanning software, staff training and cloud-based email filtering. There’s never been a better time to take on the challenge of breach-proofing your company.
If you would like to learn more about cybersecurity preparation, please download the e-book Surviving the Rise of Cybercrime. It’s a plain English guide explaining the most common threats, and providing essential advice on managing risk.
“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal.