Cybercrime is always in the news and it now seems to be a matter of not if you get attacked, but when.
Someone who deals in insurance was telling us that insurance policies will soon take this into account — not the level of protection a business has, but its disaster recovery. Getting hacked is unavoidable, the question is how well you’re prepared for it.
Our IT expert went to a police seminar recently and watched as a security expert took control of a laptop after executing a simple code that can be sent via email. Click on the email and he’s got control of your computer, because the program accesses your encrypted passwords and gives them to the hacker.
And don’t believe your Mac is immune. The Chronicle recently received a copyright warning because someone had used our router to download a Jason Bourne movie; we now think the culprit was someone accessing the router via dodgy code running on an Apple laptop.
We once caught someone dialling into our server from the Ukraine; most home routers will show evidence of people (or at least bots) trying to gain access from places like Russia.
The police seminar was on various types of fraud — mandate fraud, ransomware and so on — and Financial Fraud Action UK recently organised Take Five Day on Thursday, “a day of action” during which staff in more than 6,800 bank branches talked to customers about simple ways to protect against fraud.
It’s clearly a serious problem — though when the Chronicle was recently hit by a fraudster (using the more old fashioned technique of a forged signature, though obtained on-line), we couldn’t get anyone to investigate.
Someone managed to withdraw £500 from our account but even after being told that a theft/fraud had taken place the police didn’t or couldn’t do anything, possibly because the bank never reported it to them or its own internal fraud unit.
To be fair, subsequent attempts to rent a fictitious warehouse in our name and an attempt to use the company credit card to spend £1,000 were picked up by the bank, so it’s not totally supine about fraud.
We decided that, for £500, the bank (owned by the taxpayer) didn’t figure it was worth its while doing anything.
How far this goes we don’t know: Financial Fraud Action UK reckons that around £2m was lost to financial fraud each day of last year, with the overall scale of financial fraud £768.8m, an increase on the £755m lost in 2015. These losses include payment card and cheque fraud as well as remote banking fraud, which covers internet banking, telephone banking and mobile banking.
The most common fraud against the average punter is the deluge of spam emails and texts people get. We know of people who’ve followed up the fake “tax rebate” messages, at least until warned; but whoever heard of the HMRC making tax refunds easy? We never get fooled, but some are very convincing.
These various approaches have different names: email deception is phishing, phone-based scams are vishing and scams are smishing, but it all basically falls into the age-old saying — if it looks too good to be true, it is.
Old fashioned conmen still operate, of course, going door to door, and old people who don’t know a vish from a smish also don’t know the water board no longer exists, but we suspect that most people who are scammed online either don’t know or don’t admit it and are scammed in far greater numbers.
The worrying thing about our fraud was that the signature was (we think) obtained from a form with Companies House, which means that every director of every company in the land could be at risk — your signatures are there for the world to see. You now need different signatures for different uses, it would appear.
It’s true that, as happened with us, you’ve got to be a skilled conman to walk into a bank and con staff into handing over £500 from a company 150 miles away that requires two signatories on cheques while avoiding cctv, but still — hundreds of thousands of signatures are there online to see.
Of course, the biggest threat to most of us is Facebook. You don’t need to con people into giving away details, because they give them voluntarily to social media — name, age, family members (how many companies ask for mother’s maiden name as a security check?), job, birth date, age — which, given what other information is available, means a reasonably competent conman could assemble considerable information without doing anything remotely dodgy.
Do you use your date of birth and mother’s maiden name as security anywhere? “Happy birthday!” says your mum on Facebook and that’s your security practically blown.
Worse, many people put their children online and who knows what information will be collated on them? It’s not out of the bounds of possibility that as soon as they turn 16 or 18 and apply for a piece of plastic from a bank, a hacker’s computer pings and all the information gathered over a decade is brought into use.
The Chronicle is a small company in a small town in a quiet corner of England yet in these 800 words, we’ve mentioned four attempted frauds, one attempted hack and one illegal use of a router, and that’s what we know about — clearly this is a serious problem.