Don't click bait from cyber criminals

20 Oct 15

Online criminals are becoming ever more sophisticated, and are targeting public sector organisations, with fraud and identity theft in mind

Online security threats

I have just received an email from a man in Hong Kong who generously wants to share a “discreet business” proposal concerning an account containing $8.75m with my name on it.

Cybercrime and daily online life are closely intertwined. About 85% of online fraud and cybercrime goes unreported, and fewer than 1% of reported crimes are investigated. In 2013/14, reported cybercrimes in England and Wales accounted for losses of £2.2bn, but police estimate that further losses of £12.1bn went unreported.

Not surprisingly, online crime is growing, much of it operating internationally, so it is difficult for domestic police forces to pursue. Cybercrime has become an industry in its own right, with supply chains, markets and trading systems. There are websites where you can download attack and hacking kits, purchase services such as translation, and buy thousands of credit card and contact details. I am reliably informed that you can become a hacker within 24 hours, with very little prior knowledge or skill.

Cyber gangs are increasingly targeting government and healthcare as well as financial institutions. Public sector organisations are attractive repositories of large personal datasets that can be used in identity theft and procurement fraud. In addition, information is usually easier to extract than cash.

The US Office of Personnel Management recently revealed two breaches, one affecting 4.2 million people and the other affecting 21.5 million federal staff, which together represent the biggest cyber attack in history. The losses are believed to have included files on tens of thousands of staff who had applied for top-secret security clearances and about 1.1 million employee fingerprints.

Recently, there has been a rise in attempts to extort money from banks and others with high volumes of financial transactions and confidential data by threatening them with distributed denial of service (DDOS) attacks or ‘ransomware’. It is thought that, as commercial targets harden their defences, gangs are likely to attack more public sector targets.

In DDOS attacks, botnets (networks of compromised computers, under the control of an attacker) are used to direct large volumes of internet traffic at a target website, with the aim of knocking it offline or making it inaccessible. These attacks prevent access and can cause significant reputational damage and financial loss.

Ransomware attacks begin with attackers tricking users into installing malware, either through email (phishing) or via infected websites. These emails are usually much more targeted and sophisticated than the one from my new friend in Hong Kong. The malware encrypts data and prevents access; it then demands payment within a relatively short time scale, or the data is destroyed. Industry experts suggest that nine out of ten organisations pay up – even though there is no guarantee that their data will be unlocked.

Phishing campaigns have become very sophisticated and targeted. Typically, one in ten employees will click on an infected attachment; even in the best-trained organisations, one in a hundred will.

I think I might put my new friend in Hong Kong in touch with a man in Lagos who also claims to have a sizeable amount of money that he can help me access. Perhaps they might infect each other.

John Thornton

John Thornton is the Director of e-ssential Resources and an independent adviser on business transformation, financial management and innovation.
