If you operate a bank account that has some money, you could be a target by cybercriminals. Many times, cybercriminals work closely with people who work in your company. Others could exploit your poor cyber hygiene and weak computer security measures in place. Either way, once your network and system security are compromised, there are many ways a hacker has to get money from you. We call it ‘monetizing the cyber breach.’ This is achieved in several ways:
- Ransom payment request. Hackers could access your mobile phone or laptop, and by chance find confidential information like private photos, or personal medical and family information which you would never want to appear in any public domain. They then show you evidence that they have access to such information and ask you to pay money so that they do not publish it. Based on the over 20 cases of this nature that I have helped partake, I recommend that YOU DO NOT pay such people. Your best bet is to accept the consequences. Many hackers do not have the time and motivation to continue publishing and circulating your private data and information. Unless they were your true enemies and spoiling your name is their motivation, in which case any payment would never solve anything.
- In another scheme, hackers use sophisticated spyware -the ransomware attacks, to encrypt the contents of all your computers, thereby denying you access to your information UNLESS after paying a ransom. Again, never give in to such demands and send payment. Do not. Now is the time to anticipate and plan for such eventualities by practicing better cyber hygiene and practices like backing up of critical files daily or every time you update the files. It is also advisable to install a PGP – pretty good privacy – encryption on your machine.
- Email, social media, website, and video phishing – where hackers send to your messages about subjects of your interest which prompts you to click, thereby exposing you to security risks. As you click, spyware or ransomware could be installed silently in the background on your phone or computer. You are strongly advised NOT to click on email links from addresses you do not know. Do not click on click in emails as they could take you to websites that are owned by the hackers. And at the workplace, implement information classification policy such that people access company data on a need to know and use basis. that way you can know who could have accessed your information.
There are many schemes to mention but three.
Now if you are a trader or company with business accounts in a bank or someone with some good bank balance, stay alert. Banks rarely compensate their customers for losses that are a result of the negligence of the customer.
On February 25th, 2020, an Accountant of one of the manufacturing companies, ZY Ltd (I have used a fictitious name for confidentiality) received a daily bank statement, for early reconciliations and noticed a debit of US $80,540.
The transaction did not make sense. No such instruction had been processed.
The accountant brought the transaction to the attention of the chief finance officer (CFO), who on further investigation, noted that the money had been wired to a company, AB Ltd (I have used a fictitious name for confidentiality). AB Ltd is a supplier of materials to ZY Ltd, with offices in the UK. The same bank has in the past processed payments upon instructions from ZY Ltd to AB Construction Ltd.
This time around, hackers found a way of using the same email of the ZY Ltd to make instructions to the bank to pay AB Constructors Ltd, in their bank account in a London bank. Considering that the bank had been processing transactions in US $300,000 value, just US $80,540 was expedited considering the lockdown and the need to ease the supplier’s cash flow.
The CFO protested having given the instructions to send money, to which the bank replied with full details of the instructions from his exact email address, with the same email signature! The fraudsters only changed the bank account number and the name. However, it was not easy to see the difference.
If you are the CFO, what would you do? Does the company deserve a refund from the bank? What is your take?
In part 2, we answer these questions.
Copyright Mustapha B Mugisa, 2020. All rights reserved.