My identity has been hacked by cybercriminals

A cyberattack could not happen to me, you or anyone else I know!

This is the age-old problem and one borne of ignorance. In the past 30 days, we have been contacted either directly or through friends by three individuals and 2 companies with detailed cybersecurity incidents. These are only the ones that we know about. One story, in particular, involved a detailed phishing scam that unfolded like this:

So what happened?

An individual, Mr X, was travelling in Italy and dropped their phone. They dropped into in for repair and received the phone back within a few hours.
1.  One week later Mister X receives an email from a work colleague to review a contract document, opens it and thinks nothing more of this. That is until the following sequence of events occurs.
2.  Mister X is contacted by a client to say that they are receiving emails for changes to their money transfer routines.
3.  Mister X’s phone ceases to work.
4.  Money is transferred directly from Mister X’s business account to an unknown recipient.
5.  In effect, Mister X’s identity had been compromised, stolen and used against him. His phone lay at the centre of the attack.

Using the phone the cybercriminals were able to impersonate Mister X, change the SIM card on his phone, make direct contact with the bank to download and alter his banking details and certs and make what looked like a legitimate payment.

If Mister X had not lost access to his phone this would have gone unnoticed. A complicated and in-depth attack.

So many things wrong

There are so many issues at work here:

1. Starting with using a passphrase and encrypting your mobile devices. This would not have allowed the cybercriminals to scrape detailed personal information from your phone.
2. Limiting use of mobile banking applications to known secure wireless networks or preferably not at all. While mobile banking is convenient, the ability to impersonate based on simple security questions should really mean limiting its use to locked down devices within your own network.
3. Installing proper email and endpoint security to prevent malware taking control of your PC. This would have addressed the trojan transferred by the hoax email sent by a colleague and opening the PC to remote control by the cybercriminals.
4. Using multifactor authentication for banking apps and an additional layer of security that defies keyloggers.
5. Reviewing of policies and raising the general levels of awareness in terms of personal and business security and cybercrime. Most important of all is to provide education on the dos and donts of user behaviour. In over 90% of cases social engineering and user error cause these incidents. Knowledge is power.

We find that attacks like this really wobble the people it affects, but they feel unable to deal with something as complex as IT security. In our minds education is key. There is no single security product that offers a 100% complete guarantee for protecting users and your technology investment. One of our security supplier companies, Heimdal Security, in conjunction with the London Digital Security Centre released a really good drip fed guide for individuals and businesses – Cyber Security. It is delivered over 30 days, but it is well worth the effort in signing up for if you sit at the board or C level of a company that takes cybersecurity seriously. If you have an interest we encourage you to sign up here.