Don’t Fall Prey to the Most Common Cybercrimes!

Posted by Bernard Schoeman on 27 September 2023.

Bernard Schoeman

CA(SA), Post Graduate Diploma Accounting, BCom

The Tax Shop Head Office

Bernard studied BCom majoring in information systems and accounting at the University of Cape Town and qualified as a Chartered Accountant (SA) in 1997 after completing his articles with Deloitte & Touche. Bernard has extensive international and local experience, having worked for nearly three years with financial institutions in the UK (London) and having audited numerous companies listed on the JSE in South Africa. He is a member of the South African Institute of Chartered Accountants.

“The bottom line is that cyber risks sit right alongside rising systemic risks, and is the biggest emerging, and constantly evolving risk facing businesses today.” (SHA Specialist Risk Review 2022)

In Africa, Interpol has identified phishing – particularly Business Email Compromise (BEC) – as well as online scams, as both the biggest current crime threats, and the crimes most likely to increase in the next three to five years.

This is Interpol’s list of the prominent cyberthreats identified in the African region:

  • Business Email Compromise
  • Phishing
  • Cyber extortion including ransomware attacks
  • Online scams
  • Banking trojans and stealers

Below, find out how these cybercrimes are perpetrated and how to protect yourself, your company and your employees with tips from SABRIC and CISA.

Business Email Compromise (BEC)

For 7 consecutive years, BEC attacks have been the most financially devastating cyber threat worldwide, and continue to be the most prevalent cybercrime, says Interpol. A type of phishing attack, it causes significant financial losses and often reputational damage.

It can involve cybercriminals using an organisation’s email account to send out fraudulent messages with malicious links or attachments that install malware or steal confidential information.

Most commonly, however, BEC involves cybercriminals manipulating emails, especially payment requests containing bank account details. This is because it’s common business practice to send confirmation of or changes to bank details, or invoices containing bank details, via email.

In BEC attacks, these emails are intercepted – or fraudulent emails or invoices are created – changing the account details to the cybercriminal’s account. Any payments subsequently made are lost to cybercrime.

A recent High Court ruling in this regard set a precedent applicable to all businesses, as the judge noted: “… the plaintiff’s case established clearly that sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated.”

Specific BEC preventative measures include:

  • Inform clients that your company will never change banking details via letter, SMS or email.
  • Consider not putting banking details on your invoices – rather ask customers to phone you to check the details they have.
  • Use bank-defined beneficiaries for online banking where possible.
  • Before making payment to a supplier’s bank account after receiving an emailed invoice, check that the bank account details on the invoice are genuine.
  • If you receive any instructions to change banking details from a supplier, call them to verify.
  • Check with your insurers if you can get cover for this risk.

Phishing

One of the oldest, most pervasive cyberthreats and a major source of stolen credentials and information, phishing is a cyber-attack aimed at stealing sensitive information like usernames, passwords and credit card details, typically using deceptive emails or websites, apparently from trusted sources, that contain malicious attachments or links to viruses or malware.

Phishing is linked to an estimated 90% of data breaches and causes not only direct financial losses but enables other forms of cybercrime.

Cyber extortion and ransomware attacks

Cyber extortion involves cybercriminals using digital methods to threaten or extort victims for money and/or assets. It often involves the attacker threatening to reveal embarrassing personal information, delete important data, sabotage systems and networks, or launch distributed denial-of-service (DDoS) attacks.

An increasingly popular type of cyber extortion is ransomware, a malicious software that locks users out of their own data, business systems and devices by encrypting their files. Victims must pay a ransom to have their files decrypted and regain access.

Such attacks can be extremely costly to businesses with substantial financial losses incurred due to ransom payments and recovery efforts, as well as downtime, lost production, and reputational damage.

Ask your accountant for help in preparing a business continuity and disaster recovery plan so you are prepared if the worst happens.

Online scams

Online scams take advantage of users’ poor levels of digital literacy to lure them with false promises. Below are the most common online scams increasingly prevalent in the African region.

  • Advance payment scams – fraudsters ask for financial deposits and then fail to deliver goods or services.
  • Shopping scams – criminals deceive online buyers to pay upfront and then receive counterfeit items or nothing at all.
  • Romance scams – criminals create a false social media identity and build an emotional connection with a victim, with the aim of soliciting money or gaining access to personal accounts.
  • Tech support scams – criminals posing as representatives from technology companies offer technical assistance to gain access to users’ computers and extract valuable data such as passwords and financial information.
  • Cryptocurrency scams – criminals entice investors into buying fake currencies.

Banking trojans and stealers

These malicious software programs are spread through phishing emails and malicious websites to steal sensitive information such as usernames, passwords and financial data by capturing keystrokes or stealing login credentials from unsuspecting victims. Cybercriminals may use the information to steal money directly from the victim or sell the information on underground markets.

What are the risks?

According to the 2022 SHA Specialist Risk Review, cybersecurity ranks third on the list of top threats for local businesses, after power disruptions and labour matters.

The report says that not addressing cybersecurity opens companies to a range of risks, including:

  • the financial loss of payments made into incorrect accounts due to BEC;
  • the financial impact of business interruption due to a cyberattack;
  • the financial impact of having to pay a ransom;
  • the legal consequences that follow a breach of confidential or personal information;
  • the reputational consequences that may impact a company’s share price and brand.

How to prevent becoming a cybercrime victim

  • Keep applications, software and operating systems (OSs) updated with the latest patches.
  • Use, and keep updated, anti-virus and anti-malware software and protocols, as well as data encryption, firewalls and email filters.
  • Use long, complicated passwords and change them often.
  • Always double check you’re really on the right website or app. Only download apps from trusted app stores.
  • Use YIMA, a website vulnerability scanner, to do website security checks for scams, known vulnerabilities and security headers.
  • Register for 3D Secure to secure your card details and use secure payment portals with two-factor authentication (2FA).
  • Back up your system and other important files, and store the backups on a separate device not accessible from the network, like an external hard drive.
  • Beware of phishing emails. If an email looks suspicious, verify the email’s legitimacy by contacting the sender directly.
  • Do not click on links or icons in suspicious or unsolicited emails, and do not reply – delete immediately.
  • Be careful when clicking directly on links in emails or opening email attachments, even if the sender seems legitimate.
  • Don’t fall for any offer that seems to be too good to be true – it usually is.
  • Never provide your password, credit card or other financial information, or control of your computer, to a third party who calls unexpectedly.
  • If you suspect you are being targeted by a scammer, stop all communications immediately and report it.
  • If you click on a harmful link, immediately disconnect your device from the internet by unplugging your network cable or disconnecting from the Wi-Fi, then run a full anti-virus scan.
  • Regular, mandatory cybersecurity awareness training for all employees is crucial to keep everyone informed about the latest cybercrime techniques.

October is Cyber Security Awareness Month – Stay Alert!

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© CA(SA)DotNews