When we talk about cybersecurity, we usually think of hackers and news about security breaches. Cybersecurity is often perceived as an issue the IT department takes care of with firewalls and antivirus tools. This way of thinking is actually one of the biggest reasons why organizations fail to take care of cybersecurity.
The key to functioning cybersecurity is to make it part of the organization's everyday activities. How is this implemented in practice? We will return to this in a minute, but let's first look at how cyber criminals operate today. When you understand how cyber criminals think, you will understand how to protect yourself from them.
The very familiar motive behind cybercrime – money
In practice, cybercrime is the digitalization of crime: criminals continuously seek new opportunities to make money, and a society built on information networks naturally provides more than enough of them. Nowadays cybercrime is highly organized; we can talk about a criminal ecosystem comprising producers, service providers, the actual attackers and clients.
Producers are persons or groups who, for example, write malware or its components and sell them on. Service providers sell their services, such as capacity for denial-of-service attacks, to other criminals. Trade among cyber criminals takes place in dark web marketplaces, with bitcoin used as currency.
Today this criminal ecosystem offers anyone who wants to enter the criminal world an easy way to get started. Unlike 10 years ago, cyber criminals no longer need to do everything themselves; it is easy to simply buy the components needed for a cyber attack. This digitalization of crime can also be seen in the financial impact of cybercrime. The FBI estimates that the damage caused by both ransomware and CEO scams already exceeds a billion dollars a year.
How does all this connect to financial administration?
From the financial administration perspective, CEO scams and other finance-related scams are the biggest threat. In practice, the criminals' aim is to make the victim organization pay them money. In its simplest form, the scam consists of sending a falsified email in the CEO's name to financial administration, for example to the CFO. The message often refers to a sensitive and urgent situation, such as an ongoing business arrangement of which the CEO cannot divulge any details.
More sophisticated scams often include a security breach that gives the criminals access to the victim's email account. A typical target is an organization whose email accounts can be accessed directly from the internet with just a user ID and password. The selected victim inside the organization is typically a person who works in sales or financial administration and whose work is in one way or another connected to handling money.
Criminals start the scam by first sending the victim a phishing message by email. The message looks like it comes from a colleague of the victim or perhaps from a conference organizer. It usually includes some kind of background story that directs the victim to the criminals' website to enter the email account user ID and password. One common method is a message about a document received via secure email. When the user clicks the document download link, a website opens that asks the user to enter their user ID and password to confirm their identity. When the user enters their credentials on that website, the criminals capture them.
After the criminals have gained access to the victim's credentials, they log on to the victim's email account and search for messages that are in one way or another linked to billing. For example, if the victim is in the middle of negotiating purchase terms with a third party, the criminals can hide the emails arriving from that third party. They read the messages first and only then release them for the victim to see. When the negotiations reach the stage where the third party sends a bill, the criminals change the account details on the bill. The victim sees everything as normal and forwards the bill for payment. Usually the scam only comes to light when the organization receives a dunning letter about a missing payment.
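The hiding of supplier emails described above is usually done with inbox rules that move or delete matching messages, and those rules are something an administrator can review. The following audit script is an added example written for this article, not code from the original or from any mail vendor; the Rule fields imitate what a mailbox-rule export typically contains, and the internal domain, folder names, keywords and sample rules are all constructed assumptions.

```python
"""Audit mailbox inbox rules for the traces a BEC intruder leaves behind.

Added, constructed example (not from the original article). The Rule fields
below imitate what an administrator can export from a mail platform; the
field names, the internal domain and the sample rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERNAL_DOMAIN = "example.com"  # assumed: the organization's own mail domain
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "iban", "wire", "remittance")
# Folders a user rarely opens, so messages moved there are effectively hidden.
HIDING_FOLDERS = ("deleted items", "rss feeds", "archive", "junk email",
                  "conversation history")


@dataclass
class Rule:
    mailbox: str
    name: str
    from_contains: List[str] = field(default_factory=list)
    subject_or_body_contains: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete: bool = False
    forward_to: List[str] = field(default_factory=list)
    mark_as_read: bool = False


def audit_rule(rule: Rule) -> List[str]:
    """Return plain-language findings for one rule; an empty list means nothing suspicious."""
    findings = []
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards mail outside the organization to "
                        + ", ".join(external))
    hides = rule.delete or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    if hides:
        action = "deletes" if rule.delete else f"moves to '{rule.move_to_folder}'"
        findings.append(f"{action} matching messages, which hides them from the user")
    finance = [k for k in rule.subject_or_body_contains
               if k.lower() in FINANCE_KEYWORDS]
    if finance and (hides or external):
        findings.append("targets finance-related messages (" + ", ".join(finance) + ")")
    if rule.from_contains and (hides or external):
        findings.append("singles out a specific sender (" + ", ".join(rule.from_contains) + ")")
    if len(rule.name.strip()) <= 2:
        findings.append(f"minimal rule name {rule.name!r}")
    if rule.mark_as_read and hides:
        findings.append("marks the hidden messages as read, so no unread count gives them away")
    return findings


def audit_mailboxes(rules: List[Rule]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group non-empty findings by mailbox for the reviewer."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule.mailbox, []).append((rule.name, findings))
    return report


# Constructed sample export: one ordinary rule and two in the style described above.
SAMPLE_RULES = [
    Rule("marketing@example.com", "Newsletters",
         from_contains=["news@vendor-newsletter.example"], move_to_folder="Newsletters"),
    Rule("cfo@example.com", ".",
         from_contains=["supplier-ltd.example"],
         subject_or_body_contains=["invoice", "payment"],
         move_to_folder="RSS Feeds", mark_as_read=True),
    Rule("cfo@example.com", "Backup",
         subject_or_body_contains=["bank"],
         forward_to=["cfo.backup@webmail.example"]),
]

if __name__ == "__main__":
    for mailbox, hits in audit_mailboxes(SAMPLE_RULES).items():
        print(mailbox)
        for name, findings in hits:
            print(f"  rule {name!r}:")
            for finding in findings:
                print(f"    - {finding}")
```

The marketing rule produces no findings, while both rules on the CFO mailbox do: one quietly moves supplier invoice mail into an unwatched folder and marks it read, the other copies bank-related mail to an outside address. A rule like this showing up in an export is a reason to check the account, not proof of compromise, so the output is meant for a human reviewer rather than for automatic blocking.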
How can those in financial administration protect themselves from cyber crime?
Since many cybercrimes targeting financial administration are based on deception, it is difficult to block them with technical measures alone. Naturally, the protection of end-user devices such as computers and phones must be in order, and it is advisable to protect email log-in with two-factor authentication, but this alone is not enough. Effective protection starts with the financial administration processes themselves, by ensuring that an outside scammer cannot, using email alone, mislead the organization into making payments to the scammer's account.
How is this achieved in practice?
This is mainly a question of the financial administration processes and the discipline to follow them. Payment processes should be built on the four-eyes principle, so that no single person can normally complete the entire payment sequence: the payment information is checked by someone other than the person who actually pays the bills. Processes should also cover checking the validity of payment information. Changes in payment information received by email should not be accepted as such; they should always be confirmed separately, for example by calling the sender. The first priority is to design the processes so that gaining access to the email account of an employee in financial administration does not enable a criminal to falsify payment details.
The second, equally important issue is discipline in following the processes. No matter how urgent or sensitive the situation, payments should not be made based only on an email received from the CEO. If the situation really demands an urgent payment, the validity of the payment order must be confirmed directly with the person who gave it, either face-to-face or by telephone. Here too, it is not advisable to trust email alone.
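The two process controls described above, a second pair of eyes on every payment and a separate confirmation of any changed account details, can be expressed as checks a payment system enforces before a payment is released. The model below is an added example written for this article, not the original author's or any vendor's code; the vendor master file, the placeholder IBANs, the people named and the accepted confirmation channels are all assumptions.

```python
"""Payment-release controls: four-eyes approval and out-of-band confirmation
of changed bank details.

Added, constructed example (not from the original article). The vendor
master file, the IBAN placeholders and the people named are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed vendor master file: the account on record for each supplier.
VENDOR_MASTER: Dict[str, str] = {
    "Supplier Ltd": "XX00 PLACEHOLDER 0001",  # constructed placeholder, not a real IBAN
}

# Channels that count as a separate confirmation; e-mail is deliberately absent,
# because the attacker may be reading and rewriting the victim's e-mail.
OUT_OF_BAND_CHANNELS = ("phone", "in_person")


class ControlViolation(Exception):
    """Raised when a step would bypass the payment process."""


@dataclass
class Payment:
    vendor: str
    iban: str
    amount: float
    prepared_by: str
    approved_by: Optional[str] = None
    change_verified_by: Optional[str] = None
    verification_channel: Optional[str] = None


def account_changed(p: Payment) -> bool:
    """True when the account on the invoice differs from the vendor master record
    (an unknown vendor counts as changed, since there is nothing to compare against)."""
    return VENDOR_MASTER.get(p.vendor) != p.iban


def record_verification(p: Payment, verifier: str, channel: str) -> None:
    """Record that a changed account was confirmed with the vendor by a separate channel."""
    if channel not in OUT_OF_BAND_CHANNELS:
        raise ControlViolation(
            f"account changes cannot be confirmed via {channel!r}; call the sender instead")
    p.change_verified_by = verifier
    p.verification_channel = channel


def approve(p: Payment, approver: str) -> None:
    """Second pair of eyes: the approver must not be the person who prepared the payment."""
    if approver == p.prepared_by:
        raise ControlViolation("four-eyes: the approver must differ from the preparer")
    p.approved_by = approver


def release_blockers(p: Payment) -> List[str]:
    """List every reason the payment may not be released yet; empty means it may go out."""
    blockers = []
    if p.approved_by is None:
        blockers.append("no second approver")
    elif p.approved_by == p.prepared_by:
        blockers.append("approver is the preparer")
    if account_changed(p):
        if p.change_verified_by is None:
            blockers.append("bank account differs from vendor master and has "
                            "not been confirmed out of band")
        elif p.verification_channel not in OUT_OF_BAND_CHANNELS:
            blockers.append("account change confirmed through an unaccepted channel")
    return blockers


def release(p: Payment) -> bool:
    """Release the payment, or refuse with the full list of unmet controls."""
    blockers = release_blockers(p)
    if blockers:
        raise ControlViolation("; ".join(blockers))
    return True


if __name__ == "__main__":
    # Constructed walk-through: an invoice whose account details were changed.
    invoice = Payment("Supplier Ltd", "XX00 PLACEHOLDER 0002", 12500.0, prepared_by="alice")
    approve(invoice, "bob")
    print("blockers before phone call:", release_blockers(invoice))
    record_verification(invoice, "bob", "phone")
    print("blockers after phone call:", release_blockers(invoice))
    print("released:", release(invoice))
```

The point of `release_blockers` returning a list rather than a single yes/no is that a refused payment tells the clerk exactly which step of the process is missing; the urgency in a scam email does not change the list. Note that `record_verification` refuses "email" as a channel outright, which is the code form of the rule that account changes received by email are never accepted on their own.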
It is worthwhile investing in personnel training and raising awareness
The idea is not to scare personnel with cyber threats, but to raise awareness of how criminals operate and how different scam attempts can be spotted and prevented. When an organization acknowledges that anyone can be a target of cybercrime and makes cybersecurity part of its everyday operations, it has the keys to success. In the end, this is about protecting critical business processes, not only about technology.