Earlier this month, we partnered with the Australian Competition & Consumer Commission (ACCC) to mark Scams Awareness Week (SAW), an annual national public campaign dedicated to reducing the impact of scams in Australia. This year’s theme focused on identity theft and protecting valuable data online, with the slogan “Be yourself. Don’t let a scammer be you.”
Considering the current climate of heightened cyber-risk, this focus on protecting valuable data online is relevant not only for consumers, but for businesses as well. The massive proliferation of data today makes it difficult to know how your business data is being stored and accessed at all times – a problem that is exacerbated as more businesses pivot to working remotely. From exploiting security flaws in video conferencing platforms to hacking unsecured home networks, scammers are taking advantage of any vulnerability possible to gain access to valuable company data.
Initiatives like SAW present us with a great opportunity to remind our customers about the importance of boosting their data security and improving their cyber hygiene. Here are some current trends & insights you can share with your clients as you continue conversing with them on these issues, including some perspectives from two of our partners.
The threat landscape is becoming more treacherous, with cybercriminals continuing to take advantage of the economic disruptions wrought by the COVID-19 pandemic. Crises like these offer a prime opportunity to prey on unsuspecting businesses, which are likely more preoccupied with keeping themselves afloat.
“In these times of job losses and pay cuts, people have become even more vulnerable to seemingly easy access to ‘free’ money opportunities. They are more likely to follow through with an invite to find out more and be ‘convinced’ in the process,” says Jeffrey Phua, Process Improvement & Accounts Officer at Victoria Aboriginal Health Service.
Indeed, scammers are undoubtedly well aware that many individuals and businesses are currently in desperate need of economic assistance as a result of the economic uncertainty caused by COVID-19. Cruelly, attackers are capitalising on people’s hardship to steal even more from those who are already suffering, and we’re seeing this at MailGuard every day. Here’s a malicious email we intercepted recently attempting to exploit users who may be suffering from financial difficulties:
We’re also seeing COVID-19 themed phishing emails (like this one) that are designed specifically to harvest users’ confidential data. Recently, there has been a surge in cybercrime as cybercriminals take advantage of the crisis to steal confidential & valuable data from users. Google states that it is intercepting 18 million COVID-19 scams and phishing emails every single day.
Closer to home, Telstra reported that cybercriminals are targeting staff ordered to work from home amid the COVID-19 pandemic, with convincing phishing emails that even reference the victim’s workplace. In addition, the ACCC reported that phishing scams are up by 44% compared with the same time last year.
Phishing emails were also identified by Tracey Keller, Business Operations Manager at Network Communications Industries, as one of the more prolific ways cybercriminals are stealing business data. She says that she’s observing phishing emails increase in “volume and sophistication,” with a greater number of “embedded links within emails to harvest credentials.”
She adds that cybercriminals are also compromising “cloud-based accounts” and stealing valuable data through file-sharing. This is a possible consequence of the fact that as more businesses switch to remote working, they are relying mainly on virtual communication, video-conferencing and file-sharing apps to ensure business continuity.
Jeffrey Phua also warns of scam emails and text messages that are currently attempting to steal business data via the following methods:
- Scam email or SMS suggesting a celebrity has shared their secret on how to become rich.
- Email from MD, CEO or CFO (spoofed) with instructions to pay an invoice.
- Request to update your online credentials or account/credit card credentials.
- Invitation from a social media friend to check out a list of lucky/raffle draw winners.
It’s essential that businesses educate their teams about staying protected, because the consequences of such attacks can be severe. IBM pegs the average amount a data breach is costing organisations in 2020 at $3.86M, though the ripple effects of a breach often extend far beyond the direct financial costs and can include reputational damage and the loss of proprietary information or other strategic assets.
One of the most dangerous of these is business identity theft, a type of fraud that involves the impersonation of a business for unlawful purposes. It can occur through the theft or misuse of key business credentials, and manipulation or falsification of business filings and records. The increased reliance on cloud sharing platforms has led to the widespread distribution of data, including business identifiers and records (like details of corporate banking accounts, ABNs, confidential contracts etc.).
Once leaked, this information allows scammers to easily spoof businesses for criminal gains, like applying for a new line of trade credit, transferring large amounts of funds or committing tax fraud. Scammers often also misuse company information that is readily available on digital platforms (like company websites and social media sites). In the current climate, it’s little surprise that business identity theft is set to grow by a staggering 258% this year.
Mr Phua suggests that a key method of preventing this is adopting multi-factor authentication, a primary factor in avoiding unwanted transactions.
He also recommends providing effective cybersecurity training to employees, because “users are the weakest link”. He advises that businesses should raise employees’ awareness of cyber-threats and of the necessary measures they should take, including information on reporting threats to their system admins.
In a similar vein, Tracey Keller lists three concise ways businesses can defend themselves from identity theft scams.
The first is “education”, followed by “awareness” and “practical strategy.”
Elaborating on the third, she says: “If it does not look right, a quick phone call is maybe all that is necessary, to either the sender of the email, or a trusted IT provider”.
She also recommends businesses adopt the following measures:
- Practical and known business approvals, processes and procedures.
- An effective, layered security solution (for email, browsing, networking, Wi-Fi, endpoints).
- Secured password management.
- A knowledgeable IT provider to assist with all of the above.
Our new infographic, 7 ways to prevent business identity theft, includes more details on some of these recommendations, and we encourage you to share it with your customers. In addition, here are some tips to help your clients design a data security framework to protect their company data & IP, whilst allowing flexibility for mobility and activity-based working.
It’s crucial for all of us to step up our efforts to ensure our customers have the necessary tools and measures in place to stay protected against business identity theft. Today, companies do typically put in place multiple measures to protect their systems and their data, but it’s becoming critical to continuously enhance and fortify those defences.
A multi-layered approach is fundamental to ensure our customers’ cybersecurity is up to scratch. For example, we know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk. One example is using a cloud email security solution like MailGuard to complement Microsoft 365.
Thank you to Jeffrey Phua and Tracey Keller for their insights on cybersecurity. Let’s continue collaborating and learning from one another to protect our customers from cybercrime.
What strategies are you advocating to your clients to ensure that they and their data are protected at all times? We'd love to hear your views. Feel free to contact us via the details below or join the conversation on our Twitter and LinkedIn pages.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993