Incidents of smishing (SMS phishing) increased by 700% in the first six months of 2021. As more people are working at home, scammers are looking for new vulnerabilities that they can exploit.
It’s often the simplest attacks that are the most effective. Phishing attacks make up 91% of attacks or breaches reported by large firms, and they make up 83% of all reports. Ransomware attacks have also increased three-fold during the pandemic, according to NCSC.
These threats tend to involve a couple of phases, explains Ian Brosnan, a Police Officer in the City of London Police’s Griffin Cyber Protect Team. The first is a research phase, where scammers use techniques such as social engineering to gather information on their target. During the pandemic, people are sharing more data online, which creates new weaknesses for them to exploit.
“People are putting more and more out on the internet, and if they don't lock that information down properly, it is available for criminals to use against them.”
The next phase is the delivery phase, where criminals use the information gathered to target people via email, phone or SMS. “They're not necessarily doing anything new; they’re still playing on people's vulnerabilities and fears,” he says. “It might be playing on financial need, for example. Around March and April, we tend to see a lot of HMRC scams, because it’s something that people worry about.”
This is what PC Brosnan calls the lure: the emotional hook that draws people into the scam. This is almost always either an attempt to scare people into giving away details or some kind of tempting financial incentive.
“They’re confidence tricksters. You've got to be careful not to give your information away. They use several techniques that they're very good at to gain people's trust. They will usually try to focus on more vulnerable people because they want an easy target.”
With the internet and social media, it’s now easier than ever for these con artists to find the information that they need in order to be convincing. Public Facebook profiles and the like can provide a wealth of information that they can use to create a plausible, seemingly trustworthy front.
Brosnan will be running a briefing on cyber threats for ICAEW on 19th October. This will go through the current threats in more detail, and how to protect yourself and your organisation against them, including website account security. People have more online accounts with websites than they’ve ever had, with the numbers increasing over the pandemic.
“Password managers can be very useful and I’ll explain how they can improve security. Multi-factor authentication is also helpful. If you can add an extra layer of security in place, it can help.”
PC Brosnan says that SMEs could be particularly vulnerable to ransomware. Family-run businesses with a small number of staff are likely to have a less rigorous security system, so they need to be more aware and take the time to ensure that everyone in the organisation is up to speed on the potential threats. “If they want to improve their business’s security or workers’ home security, we can point them in the right direction.”
Accounting firms should be particularly careful of any ransomware attacks that might threaten to make clients’ personal data public. This is more likely where your clients are in the public eye, are well-known organisations or hold sensitive information.
“Most of the time, this happens because someone clicked on a link,” says PC Brosnan. “That's why you need to get the basics right. We can prevent a lot of this, we really have to be aware.”