Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: It’s a bank holiday weekend here in Ireland, and for some strange reason, the sun is also out. So, I was planning to keep this week’s Cyber 3-2-1 light-hearted. But now that I look at the stories I’ve picked – insider threats; 16,000 victims of cyber fraud; and warnings about our children becoming money mules – I’m not so sure. Anyway, I hope it’s sunny wherever you are.
3 – How’s this for employee loyalty?
An English company was the victim of a ransomware attack. But to add to their woes, a staff member then took advantage of the situation by trying to get the company to pay a ransom to them.
According to this report by Sophos Naked Security, the business was hit by ransomware in 2018. “While working with both the company and the police to deal with the attack, the perpetrator, Ashely Liles, turned on his colleagues” by editing emails from the cyber gang so the Bitcoin addresses listed for the ransomware payments were addresses controlled by him, and then using his inside knowledge of the firm to send more believable and threatening emails to his employer to increase the likelihood that a ransom would be paid. He was caught when system logs recording his activities were reviewed by someone else.
Key takeaway: If you have a cyber incident response plan, does it assume every internal staff member is 100% trustworthy?
2 – 16,000 Irish people lost €40 million because of the services of one fraudster’s site
16,000 Irish victims had €40m taken from them by criminals who made phones calls using the iSpoof.cc site, which made the calls look like they were coming from banks, delivery companies, toll operators, gardaí (the Irish police force) and the HSE (the Irish national health service).
According to a report in the Irish Independent, up to 300 suspects used the site to make 10 million calls to con innocent people around the world. The English operator of the website, who earned GBP £2 million from the site, has been jailed for 13 years. Six people based in Ireland have also been arrested.
Let’s do some back-of-the-envelope calculations here: There are just over 5 million people in Ireland. If there were 16,000 victims, that means 1 person in every 320 were fraud victims because of this one service. To put it another way, there was a hurling match in Limerick last weekend, attended by about 49,000 people. Within that crowd, there could have been over 150 fraud victims of the iSpoof.cc website. In other words, this was not a small-scale scam.
Apparently, the number of fraud calls dropped by 90% in the weeks after the site was shut down. Unfortunately, similar services have now popped up elsewhere, so the scourge continues.
Key takeaway: As I mentioned last week, we need to be politely paranoid – If a call or message is dire, urgent, or too good to be true, it is likely to be a scam.
1 – Make sure your children aren’t mules
Police in Ireland have warned the public, particularly young people, not to become ‘money mules’.
A money mule is someone who allows their bank account to be used by a criminal. The criminal uses the account to launder the proceeds of crime, including cyber crime (e.g. invoice fraud). The criminal will transfer money into the account and then instruct the account owner to transfer the money elsewhere. In return, the owner of the bank account is promised a fee. According to a recent report in The Journal, this is often seen as “easy money” but “gardaí want to warn them that there could be implications for them if they get involved and that students can end up being charged with fraud themselves. Being charged and convicted of this offence can have serious implications for students, including being banned from travelling to certain countries such as the United States.” I discussed this problem a couple of years ago, when about 1,000 people in Ireland were under investigation at that time.
Key takeaway: We need to make sure our family members and their friends understand that allowing someone else to use their bank account is easy, but it will make things very difficult for them in the future.
PS I talk about these news stories, and delve into how to manage cyber risks and regs without losing your sanity, on the “Cybersecurity Without Insanity” podcast.
All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.