This is the age-old problem and one borne of ignorance. In the past 30 days, we have been contacted either directly or through friends by three individuals and 2 companies with detailed cybersecurity incidents. These are only the ones that we know about. One story, in particular, involved a detailed phishing scam that unfolded like this:
An individual, Mr X, was travelling in Italy and dropped their phone. They dropped into in for repair and received the phone back within a few hours.
1. One week later Mister X receives an email from a work colleague to review a contract document, opens it and thinks nothing more of this. That is until the following sequence of events occurs.
2. Mister X is contacted by a client to say that they are receiving emails for changes to their money transfer routines.
3. Mister X’s phone ceases to work.
4. Money is transferred directly from Mister X’s business account to an unknown recipient.
5. In effect, Mister X’s identity had been compromised, stolen and used against him. His phone lay at the centre of the attack.
Using the phone the cybercriminals were able to impersonate Mister X, change the SIM card on his phone, make direct contact with the bank to download and alter his banking details and certs and make what looked like a legitimate payment.
If Mister X had not lost access to his phone this would have gone unnoticed. A complicated and in-depth attack.
There are so many issues at work here:
We find that attacks like this really wobble the people it affects, but they feel unable to deal with something as complex as IT security. In our minds education is key. There is no single security product that offers a 100% complete guarantee for protecting users and your technology investment. One of our security supplier companies, Heimdal Security, in conjunction with the London Digital Security Centre released a really good drip fed guide for individuals and businesses – Cyber Security. It is delivered over 30 days, but it is well worth the effort in signing up for if you sit at the board or C level of a company that takes cybersecurity seriously. If you have an interest we encourage you to sign up here.