It’s that time of the year again, and it couldn’t come soon enough for Canadians to be reminded to “Recognize, Reject and Report” fraud. On the rise across most categories, fraud certainly should be on the radar all year round, but the Competition Bureau’s dedicated month provides a great opportunity to get familiar with the latest threats and see how well we are doing in combatting it. Unfortunately, the answer is “not too well”, according to the Canadian Federation of Independent Businesses (CFIB). Today some 1-in-5 Canadian small businesses fall prey to fraud. Although the total costs are difficult to track, all reports indicate that fraud is growing to become an unmanageably large problem. According to credit check company Equifax, fraud costs Canadians between $15 and $30 billion annually. Writ large, Forbes magazine pegged the total cost in the US at nearly $200B, but that was back in 2011. Since then, BI Intelligence estimates that credit card fraud will increase by some 20%. It’s no wonder, then, that fraud is being cited as “the last great unreduced business cost” by analysts including PFK Littlejohn LLP.
Of course, there’s no better way to buck the trend than by staying on top of the latest threats. The Competition Bureau does a great job of keeping us informed, and we’re happy to provide a snapshot of tips from them and other sources.
The Internet and Malicious Software
Although malicious software used to hack into and hijack users’ computers is nothing new, its targeting has become more sophisticated. Given the incredibly lucrative criminal opportunity that is identity theft, it’s no wonder that personal data has become the primary target. The good news is that most of these breaches are avoidable and don’t happen in the background. Most often they are caused by the user themselves clicking on the wrong link, pressing the wrong button or opening an attachment with a malicious payload. In the case of email attachments, as innocuous as some may seem, simply clicking an attachment can execute a malicious firestorm in the computer that may or may not be obvious to the user. These are most often Trojans that provide their authors with backdoor access to the machine, its data and systems.
Once hijacked, an individual computer may suffer any number of fates, from mere data theft, to remote activation and control of devices including cameras and microphones, to being farmed together with other infected machines into what’s known as a botnet. This is a kind of zombie army of infected machines.
Any good IT administrator should keep filters on Internet activity, monitor for unusual web traffic, and educate network users about the risks of downloading software from untrusted vendors.
Phishing Attacks
Phishing attacks are more prevalent than ever. Hackers even target specific people with high-level access within an organization. This kind of attack is known as spear phishing, and it was the primary exploit that gave hackers access in the Sony Entertainment attack some years back.
Phishing attacks are carried out through email, with attackers combining publicly available information pulled from social networks or search engines to find their targets. The email could contain a link to a malicious website or an attachment that runs malware directly on the machine, similar to what is described in the previous section.
Phishing also includes tricking users into entering private credentials on the malicious site. The attacker creates a site that looks similar to a popular site or may even mimic the company website. The attacker then tricks the user into “logging in” when really the user is sending their credentials to the attacker. With this information, the attacker can log in to the network.
Email filters stop most phishing emails, but some occasionally get through. Educating users to identify phishing scams and the common warning signs greatly reduces the risk.
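One warning sign a filter or an administrator can check automatically is a link whose domain imitates a trusted one. The following is an added example, not part of the original post: the trusted domains and the sample message are constructed, and the "last two labels" rule for finding the registered domain is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list; replace with your organization's real domains.
TRUSTED = {"example.com", "example.org"}
# Character swaps commonly used to imitate a name visually.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Constructed sample message body.
SAMPLE_EMAIL = (
    "Your statement is ready: https://www.example.com/account \n"
    "Verify your password at http://examp1e.com/login or https://exarnple.com/reset \n"
    "Backup portal: https://example.com.login-verify.test/ \n"
    "Unrelated news: https://news.example.net/story\n")

def skeleton(domain):
    """Fold visually confusable characters so look-alikes compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unknown' for one hostname."""
    host = host.lower().rstrip(".")
    # Assumption: registered domain = last two labels (no public-suffix list).
    base = ".".join(host.split(".")[-2:])
    if base in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return "lookalike"  # trusted name used as a subdomain of another site
        if skeleton(base) == skeleton(good) or edit_distance(base, good) <= 1:
            return "lookalike"  # confusable characters or a one-character typo
    return "unknown"

def scan_email(body):
    """Map every http(s) link in a message body to its verdict."""
    return {u: classify_host(urlsplit(u).hostname or "") for u in URL_RE.findall(body)}
```

A "lookalike" verdict is a reason to quarantine or warn, while "unknown" only means the domain is not on the allow-list.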
Social Media Scams
As more users integrate their lives with social media, hackers are able to gain access to more specific details. Hackers use social media to get specific information about a user such as birth date, interests, hobbies, friends, current employment and email addresses. Some hackers even blackmail victims through social media.
Hackers will create fake profiles to connect with users to find out more about their private data. Users should be made aware of these types of scams and never accept requests from people they don’t know.
You can’t control users’ social media accounts, but you should educate them on the importance of social media and how attackers use it to gain access to corporate systems.
Educate Users
You can set up email filters and help reduce the chance that these scams reach inboxes, but the best advice is to educate users. If they understand the risks and red flags behind these scams, they can identify an attack when it happens. Education for users, email filters, and good security are the keys to protecting your organization from these attacks.
Need more tips on how to protect yourself against fraud? Visit the Competition Bureau for some more information about Fraud Prevention Month.