Our latest research* revealed that only 36% of small & medium sized businesses are prioritising cyber risk, yet at the same time, SME’s are the victims of cyber-attacks by criminals using increasingly sophisticated impersonation fraud techniques to exploit their staff.
What is Impersonation Fraud?
Cyber criminals target the employees of a business, aiming to exploit human habits and weaknesses into breaking standard security policies in order to gain access to personal data, funds or install ransomware. According to Ponemon SME research, 79% of SMEs state that ransomware was released as a result of a social engineering attack.**
Once a business has been exposed by the initial fraud, the cyber-criminal has access to carry out further breaches such as spreading viruses to customers or suppliers via email, accessing personal data or placing fake invoices for payment.
Common Ways Employees are Manipulated:
Spear Phishing
A targeted attack focusing on a specific employee and uses their personal information and background to gain trust and legitimacy. Spear phishing has a high success rate for tricking victims into passing over sensitive information, trade secrets, personal or financial data. Criminals will research social media accounts and other online activity.
Fake President:
An employee is contacted over phone or email by someone pretending to be a director or the CEO and instructed to make an emergency payment for a debt, an invoice or a deposit.
The cyber-criminal will have researched the market, the business structure, customers and staff giving them detailed, convincing arguments to manipulate the employee.
Baiting
The cyber-criminal leaves a malware-infected USB stick or CD in a place where employees will find it. The success relies on the employee plugging the device in and unknowingly installing the malware.
Tailgating
Criminals follow employees and monitor their moves and activities. They may gain unauthorised access to buildings by pretending to forgot access cards or borrow a mobile phone to make a quick call and installing a virus instead.
How to avoid Falling Victim To Impersonation Fraud:
SME’s need to understand their cyber exposures. Whilst they may not have the same scale of personal data as larger businesses, they still hold valuable information that cyber criminals want, and also have the same exposures and weaknesses that must be addressed.
Staff training is critical
A thorough, ongoing cyber awareness programme and training will embed best practice into a company’s culture.
For advice on Business Continuity Planning read Stuart Kenyon’s blog here.
At CNA Hardy, we’ve dedicated a lot of time and resource into better understanding these types of attacks and have built our findings into our product offering and services.
For more information on what our Cyber Policy provides, click here.
|
Martyn Janes
Underwriter, Cyber & Tech
UK Regions – Birmingham & SW England
[email protected]
|
* Ponemon 2017 sme cyber report.
** CNA Hardy Risk & Confidence Survey Autumn 2018 Report.