Lessons from a breached email and inheritance theft

We all spend almost every day plugged into our emails. For most of us, this is our primary source of communication with the rest of the world – whether for work or our personal lives.

However, despite its utility, email communications can have a darker side. This blog will help answer what threats exist, why email security matters, and, most importantly, what can be done to defend against these threats. Plus, we will look at a real-life case in which email was used to steal hundreds of thousands of pounds.

What vulnerabilities could exist in my email security?

So, what vulnerabilities could exist when using your email? The first and greatest threat is phishing. I won’t discuss this further, as there is already lots of good information available about phishing, including this blog post.

Phishing also has a close cousin. We’ve all received an email at some point from what appears, on first look, to be a legitimate sender. For instance, you might receive an email from an address at ‘arnazon.com’ asking you to update your card details. It looks legitimate if you just glance at it (which is what cybercriminals are banking on) but leads to a fake corporate website which cybercriminals will use to steal your financial information. This is known as ‘spoofing’. 
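The ‘arnazon.com’ trick works because ‘rn’ reads as ‘m’ at a glance. The sketch below is an added example, not code from the original post: it flags sender domains that collapse to, or sit one character away from, a trusted domain. The trusted list and the substitution table are illustrative assumptions.

```python
# Added example: flag sender domains that imitate a trusted one.
# TRUSTED_DOMAINS and CONFUSABLES are illustrative assumptions, not a complete list.
TRUSTED_DOMAINS = {"amazon.com", "paypal.com"}

# Character sequences that pass for another at a glance -> the form they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def skeleton(domain):
    """Collapse look-alike sequences so 'arnazon.com' and 'amazon.com' compare equal."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain from 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip("<> \t").lower()


def classify(address):
    """Return (verdict, trusted_domain_or_None) for a sender address."""
    domain = sender_domain(address)
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Same skeleton, or a single typo away, but not the real domain.
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) == 1:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sender addresses for demonstration.
    for sender in ["orders@arnazon.com", "Support <help@amaz0n.com>",
                   "billing@amazon.com", "hello@example.org"]:
        print(sender, "->", classify(sender))
```

An "unknown" verdict only means the domain does not resemble anything on the list; it says nothing about whether the sender is legitimate.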

Another vulnerability, which extends beyond email, is weak authentication. In layman’s terms, this means having a poor password: one that is either short or easily guessable, such as a piece of information personal to you. For example, your pet’s name or your birth date.

This information can be used to launch further threats, such as man-in-the-middle attacks. This involves intercepting and potentially altering email communication between two parties to deceive or scam one or both parties.

Of course, these are only a few of the many vulnerabilities that exist, but they give us an idea of what is out there.

Did you know that 49% of SME leaders feel more at risk of cyberattack since the beginning of the cost of living crisis? Read our new report to find out why.

What are the possible impacts of these vulnerabilities?

It’s easy to assume that email security is not your greatest concern. Why would anyone want to attack you? Well, there are many reasons. Whether you are using your personal email or work email, these are some of the possible impacts you could experience:

Identity Theft

Identity theft can lead to financial losses for you or your business, reputational damage and even legal issues.

Malware Infections

A successful malware attack could lead to the loss of important proprietary or customer data. This could prevent your business from being able to operate.

Data Breach

Sensitive information could be stolen and used against you. This could be intellectual property, the loss of which could disadvantage your business. It could also see your business breach regulations, face legal consequences and receive fines.

The breached email and inheritance theft

Whilst working as a cybercrime detective in the police, I dealt with many cases that involved email as the attack method.

One such case involved a solicitor. As you can imagine, security is a top priority considering the sensitive data solicitors process. And, this solicitor had done almost everything right. They had a business-owned domain and an IT team to look after it and ensure security. 

The firm’s security measures included IP whitelisting (which will be key in a minute). ‘Whitelisting’ is a security strategy that prevents users from logging into internal company platforms from anywhere other than ‘trusted locations’. For example, a ‘trusted location’ could be your head office or coworking space. In this case, there was only one trusted location, the solicitors’ office. 

What went wrong? 

Due to the pressures of the job, one solicitor in the firm decided to work outside of the office in the evenings and on weekends. To do this, they created a new email using the solicitors’ business name.

Here’s where things go wrong.

Unfortunately, this account was discovered by a cybercriminal and a weak password allowed them access to the inbox. The cybercriminal noticed one conversation that piqued their interest. The solicitor was dealing with an inheritance case and was working with the deceased’s family to distribute assets and money from the deceased’s will. 

The cybercriminals hijacked this conversation, adding a forwarding rule so that any responses would be forwarded into a concealed folder. This prevented the solicitor from seeing them and allowed the messages to be altered and dropped back into the solicitor’s inbox.

The cybercriminals intercepted an email from one of the family members containing a document which detailed the bank account the inheritance money was supposed to be transferred to. Seeing this, the bad guys pounced, changing the bank details to their own.

The solicitor logged this information and continued with the formalities. A few days later, the money was transferred and the cybercriminals found themselves hundreds of thousands of pounds richer.
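The hidden mailbox rule is the part of this attack that leaves a trace an IT team can look for. The following is an added example, not from the original post: it reviews an export of mailbox rules and flags the traits described above. The rule fields, folder names and domain are hypothetical and do not follow any particular mail platform's schema.

```python
# Added example: audit exported mailbox rules for signs of conversation hijacking.
# The rule fields are a hypothetical export format, not any mail platform's schema.
ORG_DOMAIN = "firm.example"  # assumed organisation domain
LOW_VISIBILITY = {"rss feeds", "conversation history", "junk email", "deleted items"}
FINANCE_TERMS = ("bank", "account", "payment", "invoice", "transfer")


def findings_for(rule):
    """Return the reasons a single rule deserves a closer look (empty list if none)."""
    found = []
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        found.append("forwards mail outside the organisation")
    folder = (rule.get("move_to_folder") or "").lower()
    # Moving mail is normal; moving it somewhere nobody looks, or marking it
    # read on arrival, is how replies are kept away from the account owner.
    if rule.get("delete") or (folder and (rule.get("mark_as_read") or folder in LOW_VISIBILITY)):
        found.append("hides matching mail from the inbox")
    keywords = " ".join(rule.get("keywords", [])).lower()
    if any(term in keywords for term in FINANCE_TERMS):
        found.append("targets payment-related messages")
    if not any(ch.isalnum() for ch in rule.get("name", "")):
        found.append("rule name is blank or punctuation only")
    return found


def audit(rules):
    """Return (rule name, findings) for every flagged rule, most findings first."""
    flagged = [(r.get("name", ""), findings_for(r)) for r in rules]
    flagged = [(name, found) for name, found in flagged if found]
    return sorted(flagged, key=lambda item: len(item[1]), reverse=True)


# Constructed sample export for demonstration.
SAMPLE_RULES = [
    {"name": "Newsletters", "keywords": ["weekly digest"],
     "move_to_folder": "Newsletters", "mark_as_read": False},
    {"name": "..", "keywords": ["bank details", "sort code"],
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"name": "Copy to personal", "forward_to": ["someone@freemail.example"]},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE_RULES):
        print(repr(name), "->", "; ".join(found))
```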

How to protect yourself when using email

So, what can you do to protect yourself? 

The good news is, by reading this blog you’ve taken the first step by improving your awareness. Understanding what types of threats exist and being alive to this ever-present danger will ensure that you start from the best possible place.

But it doesn’t stop there. Education is an ongoing process and if we truly want to protect ourselves, learning shouldn’t be something we do once a year. So keep working on your cybersecurity knowledge. This could be through security training or simply through reading blogs like this. 

As we saw in the case above, weak authentication was the gateway to this attack. Using strong passwords is crucial. This can be achieved by using the three random words principle, as recommended by the NCSC.

On top of this, use multi-factor authentication (MFA). This attack, and others like it, could have been foiled with this extra layer of protection. 

Finally, it is worth speaking with your IT teams to make sure that they have implemented technical controls. These include email filtering, to identify and block malicious content before it reaches you, as well as technologies like SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to authenticate email sources.
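Publishing SPF and DMARC records is not the same as enforcing them. As an added example (not part of the original post), the checker below takes TXT records that have already been looked up and reports the settings that leave a domain open to spoofing. All records and domain names shown are constructed placeholders.

```python
# Added example: assess SPF and DMARC TXT records that have already been looked up.
# All records below are constructed; the .example domains are placeholders.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def assess_spf(txt_records):
    """Return a list of issues for the TXT records published at the domain itself."""
    records = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return ["no SPF record: receivers cannot tell which servers may send"]
    if len(records) > 1:
        return ["multiple SPF records: evaluation ends in a permanent error"]
    issues, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in records[0].lower().split()[1:]:
        if term.startswith("redirect="):
            has_redirect, lookups = True, lookups + 1
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" (pass) is the default
        name = term.lstrip("+-~?").split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    if all_qualifier == "+":
        issues.append("SPF ends in +all: every server on the internet passes")
    elif all_qualifier == "?" or (all_qualifier is None and not has_redirect):
        issues.append("SPF gives no verdict for unlisted senders")
    if lookups > 10:
        issues.append("SPF needs more than 10 DNS lookups: evaluation fails")
    return issues


def assess_dmarc(txt_records):
    """Return a list of issues for the TXT records published at _dmarc.<domain>."""
    records = [t for t in txt_records
               if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record: receivers apply no policy to failing mail"]
    if len(records) > 1:
        return ["multiple DMARC records: receivers apply none of them"]
    tags = {}
    for part in records[0].split(";"):
        key, _, value = part.partition("=")
        if value.strip():
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("DMARC p=none: failures are reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("DMARC policy tag is missing or invalid")
    pct = tags.get("pct", "100")  # the policy covers all mail unless pct says otherwise
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        issues.append("DMARC pct=%s: policy covers only part of the mail" % pct)
    if "rua" not in tags:
        issues.append("DMARC has no rua address: no aggregate reports are received")
    return issues


if __name__ == "__main__":
    print(assess_spf(["v=spf1 mx +all"]))
    print(assess_dmarc(["v=DMARC1; p=none"]))
    print(assess_spf(["v=spf1 include:_spf.mailhost.example -all"]))
    print(assess_dmarc(["v=DMARC1; p=reject; rua=mailto:dmarc@firm.example"]))
```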

Want to know more about the threats faced by small businesses like yours? Then check out our latest research report on how the cost of living crisis is impacting SMEs.

6 key takeaways from the DCMS Cyber Security Breaches Survey 2023

Each year, the Department for Digital, Culture, Media & Sport (DCMS) releases its hotly anticipated Cyber Security Breaches Survey. It’s a key source of data on how businesses across the UK approach cybersecurity, the threats they face, and issues that need to be addressed in the coming year.

But for all its usefulness, the report is also very long – usually stretching to thousands of words in length. So, to save you from reading the whole thing, we’ve put together a handy list of the key takeaways from the report. Here’s the stuff you need to know. 

1. Assessing supply chain risk is rare for small businesses

We’ve talked about the danger supply chains pose to businesses a lot. Happily, it appears that larger businesses have begun to wake up to the risk. 63% of large businesses undertook a cybersecurity risk assessment in the last year, alongside 51% of medium-sized firms.

However, the practice remains rare among smaller businesses. When the sample size is broadened to include businesses of every size, just 3 in 10 have undergone a risk assessment.

Why is this happening? Well, it’s possible many businesses don’t have the resources to sanction regular risk assessments, but it is just as likely that many SMEs are simply unaware of the need.

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

2. A small number of businesses are taking cyber accreditations

The good news is that the proportion of UK organisations seeking extra guidance or information on cybersecurity is stable at 49% for businesses and 44% for charities. But this does mean that a large proportion of organisations either aren’t aware of or aren’t using guidance like the NCSC’s 10 Steps to Cyber Security or the government-backed Cyber Essentials accreditation.

According to the DCMS’s findings, just 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses. And it’s a similar story with ISO 27001 certification with just 9% of businesses and 5% of charities adhering to the standard. Again, this is higher among large businesses (27%).

Although these figures might look alarming, there are a couple of caveats to bear in mind. First of all, the Cyber Essentials scheme was always going to take some time to bear fruit; it’s worth remembering the extremely limited cyber awareness across UK businesses before its launch. What’s more, the number of certified businesses is still growing steadily, up from 500 per month in January 2017 to just under 3500 in January 2023.

Added to this, the scheme was always likely to need to evolve to meet the needs of businesses. Given recent calls from UK companies for a new and improved Cyber Essentials certification, perhaps the time has come for the scheme to take the next step in its evolution.

3. Formal incident response plans aren’t widespread

The survey reveals that most organisations agree that they’d take several actions following a breach or cyber incident. However, the reality appears somewhat different. Only a minority of businesses (21%) have a formal incident response plan in place. This figure does rise amongst medium (47%) and large businesses (64%), indicating that it’s SMEs who are going without.

Perhaps this isn’t surprising. SMEs are often time and resource-poor, and creating a thorough incident response plan isn’t a small undertaking. Nevertheless, it represents an area that both government bodies and companies like CyberSmart need to focus on in the coming year.

4. The number of identified breaches has declined 

At the risk of stating the obvious, cybercrime hasn’t decreased in the last year. But the number of breaches being reported by smaller businesses has declined. Just 32% of businesses and 24% of charities reported a breach or attack in the last 12 months – down from 39% of businesses and 30% of charities in the 2022 edition of the survey.

What’s going on? Are SMEs simply being attacked less? Unfortunately, no. 54% of SMEs in the UK experienced some form of cyber-attack in 2022. And, if we look at the figures for large businesses (69%) and high-income charities (56%) the numbers have remained stable from the 2022 report.

This seems to indicate that the drop is being driven by SMEs, which also suggests that they are undertaking less monitoring and logging of breaches than in previous years. Why? That brings us to our next key takeaway.

5. Cybersecurity is less of a priority for smaller businesses

It’s no secret that it’s a tricky time to be a small business. Economic uncertainty and a cost of living crisis have left many SMEs looking to reduce expenditure, particularly in areas like cybersecurity. This is borne out by the DCMS’s survey, with 68% of micro-businesses (10 employees or less) saying cyber security is a high priority, down from 80% last year.

In practice, this can mean less tracking and reporting of breaches, weaker defences, and greater reluctance to update tools, putting small businesses at a real disadvantage. But it doesn’t have to be this way. There are methods for budget-conscious businesses to reduce costs responsibly – we’ve outlined a few here.

6. Is cyber hygiene going backwards? 

Finally, cyber hygiene has long been a useful concept in helping businesses think about their security. The rationale behind it is simple. Most cyberattacks are pretty unsophisticated – think your common-or-garden phishing attack or a breach due to an unpatched vulnerability. 

This means businesses can avoid falling foul of most of them by using a set of basic “cyber hygiene” measures.

The most common of these hygiene measures are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls. However, all of these measures have seen a gradual decline over the last few editions of the DCMS report. For example: 

  • use of password policies (79% in 2021, vs. 70% in 2023)
  • use of network firewalls (78% in 2021 vs. 66% in 2023)
  • restricting admin rights (75% in 2021, vs. 67% in 2023)
  • policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).

DCMS analysis suggests that these trends appear to reflect shifts in the SME population, as figures across larger organisations have remained stable. As we mentioned earlier, it’s possible that, as many smaller businesses feel the pinch and place less importance on cybersecurity, cyber hygiene has begun to fall by the wayside. Whatever the reason, it’s a worrying development that could make some SMEs extremely vulnerable.

What have we learned from the DCMS Cyber Security Breaches Survey 2023?

Time to draw some broad-brush conclusions from the DCMS’s findings. First of all, the common theme running throughout the report is that the cost of living crisis is having a real impact on SMEs’ ability to protect themselves. Whether it’s the decline in breach reporting, so many businesses lacking incident response plans, or the fall in cyber hygiene standards, it’s clear SMEs need real assistance to bolster their defences.

Second, Cyber Essentials could be due for a revamp. The number of organisations who are aware of the accreditation, let alone completing it, remains too low.

Finally, although this piece may have made for a fairly grim read, there is an upside. These findings provide everyone within the UK cybersecurity industry a clear picture of where the problems lie and what we all need to do over the next 12 months to tackle them.

Want to know more about how to reduce cybersecurity costs responsibly? Check out our free guide to cybersecurity on a budget.

7 key takeaways from the DCMS Cybersecurity Breaches Survey 2022

Each year, the Department for Culture, Media and Sport releases its Cybersecurity Breaches Survey. It’s fast become one of the most influential cybersecurity reports around, driving government policy and the National Cyber Strategy.

The Cybersecurity Breaches Survey covers everything from threats to the processes businesses use to protect themselves and takes in everything from schools to start-ups. However, it’s also a very long report, with lots of tables, graphs and references – not something that’s easily digestible during your lunch hour.

So, to save you the trouble, we’ve pulled together the key takeaways for SMEs.

1. The number of cyberattacks stays stable

It’s no secret that during the first year of the COVID-19 pandemic the number of attacks on UK businesses skyrocketed. DCMS figures from 2020 show that 46% of UK businesses reported a cyberattack, up from 32% the previous year.

However, the number declined in 2021 to 39% and it’s stayed stable at the same figure this year. That might sound like great news, but there are some caveats. First of all, 39% is still too many; that’s more than a third of all UK businesses being attacked in any given year.

On top of this, there’s a chance that the figures, while accurate, don’t tell the whole story. As the report states, the better your cyber defences, the more likely you are to detect and report an attack. This suggests that smaller organisations and those with less sophisticated defences might be underreporting attacks.

2. Phishing remains the most common type of attack 

One of the most important findings of the Cybersecurity Breaches Survey is just how common social engineering attacks, particularly phishing scams, have become. 83% of all organisations surveyed said they’d experienced some form of phishing attack in the last 12 months. And this was followed, some way behind, by impersonation-style social engineering attacks with 67%.

What does this tell us?

Well, it tells us that cybercriminals have hit upon a formula that works for targeting businesses big and small. But that’s not all. It also teaches us that security training for staff has never been more important. With most cybercriminals using some form of social engineering attack, your people need to be able to spot the signs and recognise threats when they see them.

3. Few businesses are taking the supply-chain threat seriously

We’ve covered the risk posed by supply chains at length (if you haven’t already, read this). According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself.

Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult. However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it.

Despite this, only 13% of businesses assessed the risks posed by their immediate suppliers. In fact, few considered cybersecurity an important factor in the procurement process. 

4. Getting hacked costs a lot

This might not come as a surprise, but a successful cyber breach can really hit your business in the pocket. The average cost of a breach across businesses of all sizes is £4,200, with a figure of £3,080 for SMEs. The news is even worse if you’re a medium or large-sized business. The average figure for firms of this size stands at an eye-watering £19,400.

It’s worth noting that only one in five businesses suffer any negative consequences as a result of a breach. But, with 31% of businesses reporting that they’re attacked at least once a week, the chances of being part of that one in five are high.

5. Most small businesses don’t have a cybersecurity strategy

To be clear, the lack of a formal cybersecurity policy isn’t just a problem for small businesses; just 23% of all businesses have one. Nevertheless, the trend is much more severe among smaller businesses. While 57% of large firms have a formal strategy, just 20% of micro firms and 37% of small firms have one.

And it’s not just an overarching strategy that’s missing. Most businesses don’t have a clear plan in place for what to do if the worst happens. Just 19% of businesses surveyed said they had a formal incident response plan. 

This makes for worrying reading. It suggests that, in those crucial first few minutes and hours after an incident, too many businesses aren’t dealing with the threat in an organised way, handing a huge advantage to the bad guys. 

6. Ransomware confusion reigns

One of the worst questions any business has to answer is what to do in the event of a successful ransomware attack. Do you pay out? Or do you play hardball with the ransomers?

Although it’s a tricky question, it’s crucial to have a policy one way or another. However, one in five businesses (19%) stated they weren’t sure what they would do. On top of this, many small businesses still believe that ransomware isn’t a threat, either because they are ‘too small’ or have ‘nothing of value’ to steal.

7. Cyber Essentials uptake is still low

Unless this is your first CyberSmart blog, you’ll know we talk about Cyber Essentials certification constantly. It’s the single most important thing a small business can do to improve its cybersecurity.

But, unfortunately, the uptake of Cyber Essentials is still very low. Only 6% of businesses have the Cyber Essentials certification and just 1% have Cyber Essentials Plus. Unfortunately, this is likely a problem of awareness. Although every business could benefit from taking the certification, too few are aware of its existence. This needs to change, and fast.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of cybersecurity.

Cyber attacks already adding up for 2020

The number of cyber attacks has been increasing year on year. So far, 2020 doesn’t look much better.

January proved ominous, with a series of successful cyber attacks on organisations across the globe. Here are just some of the attacks over the first month of 2020:

Royal Yachting Association (RYA)

The UK’s national organisation for the yachting community became aware of a digital attack on 17th January. Online user account data was compromised and as a result, all members of the organisation had to change their passwords immediately.

A statement issued by the RYA said: “On 17 January 2020 we became aware that an unauthorised party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts.

“Our investigation into this matter is ongoing and we have engaged leading data security firms, including forensic specialists, to assist in our investigation.”

Mitsubishi Electric targeted by Chinese hackers

One of Japan’s largest defence and infrastructure groups, Mitsubishi Electric, was also hit by a colossal cyber attack in the first month of this year. The attack was blamed on a Chinese group, who may have gained access to information on government agencies and business partners, as well as the personal data of 8,000 employees and job applicants.

Chief Cabinet Secretary of the group, Yoshihide Suga said in a statement that the Japanese Government was informed, while also confirming that “there is no leak of sensitive information regarding defense equipment and electricity.”

Detroit data breach exposes workers and residents

The email system of Detroit City Government was breached on 16th January. Although fewer than 10 email accounts were affected, some of the accounts contained sensitive information that could be exploited by cyber criminals. Luckily, most of the email data was encrypted.

The city’s Chief Information Officer, Beth Niblock said: “At this time, there is no evidence – and it is highly unlikely – that any of this personal data was accessed. However, out of an abundance of caution for privacy and security of our employees, the city will be offering credit monitoring services for a period of one year.”

Make a cyber security New Year’s resolution

If your company’s New Year’s resolutions didn’t include improving cyber security, then these attacks should provide a wake-up call. Being cyber resilient is critical to company health.

A surefire way to prove your house is in order is by achieving cyber security accreditation. The UK National Cyber Security Centre’s Cyber Essentials or Cyber Essentials Plus accreditation schemes are the best way to do this.