Cyber security month recap
ICAEW kicked off Global Cyber Security Awareness Month with its annual cyber lecture, where Ben Owen, an expert in covert operations, surveillance and online investigations who worked on the British, US and Australian versions of the TV show ‘Hunted’, demonstrated how cyber criminals can use an individual’s online digital footprint to exploit them and, in turn, target their businesses. Owen explained that attackers often look for the easiest ways to get into business systems, which often involves people.
A report published in March this year found that 74% of all cyber breaches, including stolen credentials and unauthorised access to accounts, are caused by human risks. For businesses, this often means employees falling victim to social engineering or phishing attacks. Karen Morral ACA, CEO of West Midlands-based Lockdown Cyber Security, added that for SMEs and accounting practices awareness training is key at every level. To further combat this, Alex Bomberg, Group Chairman of cyber risk specialists International Intelligence, suggests that employees should develop a strong understanding of the risks, and training sessions should focus on case studies of real-life breaches.
The people threat isn’t just limited to employees falling victim to scams. Another emerging issue is insider threat, where people may steal information or intellectual property through employment with the firm or organisation. Earlier this month, the BBC reported that a company’s data was stolen by a North Korean cyber criminal who was hired by the multi-national firm unknowingly as a remote IT worker.
Cyber risk also lies in a company’s supply chains. Most organisations rely on a range of suppliers for products, systems and services, and it is becoming increasingly difficult to ascertain whether every supplier in the chain follows adequate cyber-security practices. Asam Malik, Partner, Technology and Digital Consulting at Forvis Mazars, suggests that accountants can use their expertise in risk assessment and financial analysis to evaluate and navigate supply chain risks, especially where that risk is concentrated because a business depends on a few key suppliers.
Businesses should also review their cyber insurance policies for exclusions and limitations that could leave them exposed. It’s important to consider this insurance as a vital part of a company’s broader risk management strategy.
Enhancing security when sharing data is vital. Multi-layered policies should be in place so that every data access request is validated and authorised, reducing the risk of unauthorised access. Organisations can limit the impact of unauthorised access, and therefore of data breaches, by enforcing multi-factor authentication (MFA) rather than relying on passwords alone. The National Cyber Security Centre (NCSC) has updated its guidance on MFA, with more information on techniques that can be used to defend against cyber attacks.
Push payment scams
This month, the BBC reported that Revolut was named in more fraud cases in the past financial year than any of the major High Street banks. One case involves a victim who lost around £165,000 from his Revolut business account. Scammers pretended to be from Revolut, contacted the victim and were able to set up access to the victim’s account on another device. Using information from previous transactions, they convinced the victim to authorise payments to a fake account.
When seeking help, the victim found no dedicated helpline to notify Revolut of the fraud. Within the time it took to report the fraud, the victim had lost £67,000. Revolut was unable to explain to the victim how his account was set up on another device without facial recognition, and why the unusual activity on his account was not picked up. At the time of this report, Revolut refused to refund the victim’s stolen money.
In a separate incident, members of a well-known accountancy body were also targeted by a scam that used a phishing email asking members to pay a mandatory fee of £47.50, via the payment application GoCardless, to avoid delays in membership renewal.
Under new mandatory rules announced by the Payment Systems Regulator (PSR), from 7 October UK banks must refund Authorised Push Payment (APP) fraud victims up to £85,000 within five days. APP fraud covers scams in which cyber criminals pose as legitimate organisations or individuals to trick victims into authorising payments to them, as demonstrated by the cases discussed above.
Earlier this month, the government also announced plans for new laws that give banks the power to delay and investigate payments for up to 72 hours if they are suspected of being fraudulent. Currently, banks must process or refuse a payment by the end of the next business day. The new laws are expected to protect individuals and businesses from fraud by allowing banks the additional time needed to investigate suspicious activity and payments.
Personal data attacks continue
The Internet Archive, a non-profit digital library known for its Wayback Machine, has been the victim of a series of cyber attacks that have exposed the details of an estimated 31m people. Cyber criminals took advantage of a previously exposed GitLab token to access The Internet Archive’s source code and steal data including encrypted passwords, email addresses and other sensitive information.
At the same time, SN_BlackMeta, a pro-Palestinian hacking group, launched a Distributed Denial of Service (DDoS) attack that overwhelmed the servers with excessive traffic, disrupting the service and making the archive unavailable to users. Another attack later this month used tokens exposed in the earlier breach to access the Archive’s Zendesk support platform, where user support tickets containing personal identifying information were stored.
Users of the site have been advised to monitor their email addresses and update passwords where possible to avoid the risk of further phishing or cyber theft. It’s also advisable to avoid using the site until more information is available.
AI-driven attacks on Gmail accounts trick users into handing over the information attackers need to access their accounts. Methods have included account-recovery emails that lead users to a fake login portal, and AI-generated calls from supposed Google support workers. Using AI to create deepfakes is becoming increasingly easy, as demonstrated by Ian Pay, Head of Data Analytics and Tech at ICAEW. These techniques are not only being used for high-profile attacks, but also to gain access to the accounts of regular users. AI cybercrime was also covered in an ICAEW podcast.
Stay cyber aware
The NCSC has recently launched new guidance for cyber-security leaders of larger organisations on engaging the board in cyber-security discussions.
For small businesses, addressing cyber security can often seem like a challenge. The NCSC has tailored guidance that outlines five steps smaller businesses can take to reduce their risk of a cyber attack.
A range of resources and guidance exploring the latest cyber issues and how to protect yourself and your business can be found on ICAEW’s Cyber Security Awareness Month hub.
Got an interesting cyber story for us? Email techfac@icaew.com