Why cybercrime increases during a recession

The economy has taken a battering in recent times, and there’s much talk about the so-called ‘cost-of-living crisis’ we’re now experiencing. Whether there’s a full-blown recession ahead, or not, it looks like the economic outlook won’t improve any time soon. And experts agree this will spark a surge in cyberattacks. So, let’s take a look at why cybercrime increases with the looming threat of recession.

Why we can expect cybercrime to increase

The word among industry analysts is that the ongoing economic downturn will result in a significant rise in cyberattacks. Cybercriminals are already exploiting the financial situation, with an increase in social engineering attacks such as phishing emails offering rebates on energy bills to target vulnerable individuals and businesses. And, by all accounts, we can expect a great deal more of the same to come, as a distinct correlation exists between an uptick in cyberattacks and economic uncertainty.

Data shows that some types of cyberattacks are already rising considerably. According to Kaspersky Lab, the percentage of users affected by targeted ransomware doubled in the first 10 months of 2022. Phishing attacks also increased by 61% in 2022, according to the 2022 State of Phishing report from SlashNext. And, the Anti-Phishing Working Group (APWG) reported that there were a total of three million phishing attacks in the third quarter of the year – amounting to the worst quarter it had ever seen. 

Considering cyber insurance for your business? Check out our new guide for everything you need to know.

What role do businesses play? 

There are many reasons why cybercrime is increasing amid the current economic uncertainty. But most importantly, businesses are having to make difficult decisions to rein in costs. This is completely understandable in the climate. After all, we’re all trying to keep our heads above water, but this could have a direct effect on businesses’ online safety.

Although it’s ill-advised to reduce cybersecurity budgets, many business leaders underestimate the value of cybersecurity. The situation isn’t helped by the perceptions of cybersecurity within organisations. IT leaders can often find it difficult to justify spending on cybersecurity, which doesn’t often deliver visible benefits in the way other OPEX spending does. Think about it; you’re unlikely to hear much about your business’s cybersecurity unless something goes wrong. 

The result is often cuts in places they shouldn’t happen. Consequently, such companies are at higher risk of falling foul of cyberattacks.

Businesses may also decide to cut spending by letting staff go or not replacing those that leave. And this can also impact a company’s resilience to cybercrime. Cutting IT staff may mean you have fewer people to provide the necessary protection. 

This also increases the pressure on your remaining staff which can lead to mistakes and oversights, which weaken your defences further. For example, if they receive a phishing email they’re more likely to make an error of judgement and click on a link that could download malware into your network.

Cybercriminals aren’t immune to economic instability

If you’re still wondering why cybercrime is increasing, well, a recession hits cybercriminals as well as their victims. So, this can be a strong motivating factor for the bad guys to redouble their efforts and make more money. The hard fact is that a recession, or economic downturn, incentivises cybercriminals to invent new types of threats. This was demonstrated during the recession of 2008 when the FBI reported a 22.3% increase in online crime. 

More recently, a crisis of a different sort, the pandemic, sparked a similar surge in cybercrime. And there’s no reason to think the current hardships won’t create a similar spike. Companies will continue to lay off employees in the months ahead, and some may be tempted into cybercrime to make ends meet. Disgruntled employees who’ve been fired could also launch damaging attacks on businesses that have let them go, especially if they still have access to sensitive data.

Another repercussion of the recession is a possible rise in insider attacks from employees who are feeling the pinch. This is particularly likely in businesses that have been forced to freeze salaries. Cybercriminals can specifically target possible insiders to help with data breaches or cyberattacks, using social media and offering bribes. 

Fighting back on a budget

Cybersecurity isn’t a nice to have, it’s business critical. And this is never truer than in times of economic crisis. 

Small and medium-sized businesses often underestimate the danger they’re in, partly due to the perception that only large corporates are targets. However, the truth is that cybercriminals don’t discriminate and the effects can be devastating. In fact, research has found that 43% of all data breaches involve small businesses.

However, you don’t need expensive tools, expert consultants, or an in-house technical team, to protect your business from cyber threats. It’s perfectly possible to build good defences on a sensible budget. Tools like CyberSmart Active Protect offer everything you need to get your cybersecurity in order, without huge investment. 

Active Protect secures all employee devices that touch your company data. Just send a downloadable link to staff, and Active Protect will check around the clock for the most common cyber threats and vulnerabilities. It also includes our training academy, which provides your employees with the basic cyber skills to better protect themselves and your business.

Want to know more? Then check out our guide to cybersecurity on a budget.

The cost of cybercrime: Is cybersecurity worth it?

If you’re wondering ‘Is cybersecurity really worth it?’, the short answer is unequivocally ‘Yes!’, especially now that the economic climate is taking a downturn. In this cost-of-living crisis, the threat to your business from rising cybercrime rates could be even higher. But let’s see why cybersecurity is worth spending some money on compared to the cost of cybercrime.

False economy

Rising costs for just about everything means businesses have to make cutbacks. The trick to riding out the storm is recognising what’s an essential and what’s a luxury to cut. Cybersecurity falls into the ‘essential’ category. 

Cybersecurity should be thought of as an investment, not an expense. It protects you from the much greater costs of cybercrime, such as business disruption and financial losses. In fact, everything you do to protect yourself in preparation for a possible attack will save you money in future. Cutting back on such a necessity would only be a false economy.

If you run a small business, you could be forgiven for thinking that cybersecurity isn’t worth it. You may conclude that your business isn’t at risk if you’ve seen the media coverage of cyberattacks on large corporations. Unfortunately, this isn’t true. No business is too large or too small to be subjected to cybercrime. Research suggests that 43% of all data breaches involve small businesses. In fact, smaller businesses can be an attractive target as they may be less likely to have the necessary cybersecurity to keep their data safe.

Strong cybersecurity is always worth it. Beyond the immediate financial cost of cybercrime, which can be high, the damage to your business’s reputation if confidential data is exposed can be long-lasting. This may affect your ability to do business in future, especially if you’re in a sector that handles highly sensitive data, such as financial services and healthcare. Potential customers will think twice before handing over personal and financial details if they doubt that they’ll be protected.

The true cost of cybercrime to a business can be complex and far-reaching and may include:

  • Significant monetary theft
  • Substantial business downtime
  • Damage to your business’s reputation
  • An increase in your insurance premiums
  • Loss of intellectual property
  • Network repairs
  • Public relations costs
  • Compliance fines

Confused about Cyber Insurance? Check out our new guide for everything you need to know.

A good return on investment

Good cybersecurity delivers a good return on investment (ROI) by preventing or mitigating the impact of an attack. According to the UK Government’s Cyber Security Breaches Survey 2022, in the last 12 months, 39% of UK businesses identified a cyberattack. And, in the case of those organisations that reported a material outcome, such as loss of money or data, there was an average estimated cost of £4,200. However, where only medium and large businesses were considered, this figure rose to £19,400. Far worse, according to a study by Trend Micro, 60% of small businesses close within six months of a cyberattack.

What’s more, another survey found that 83% of small and medium-sized businesses aren’t financially prepared to recover from a cyberattack. Indeed, a report by the European Union Agency for Cybersecurity (ENISA) revealed that 85% of surveyed small and medium-sized enterprises agreed that cybersecurity issues would seriously affect their businesses, and 57% admitted they would most likely go out of business.

Even if your company survives such an attack, the cost of cybercrime can be devastating. A study by Cisco found that 40% of small businesses that are hit by a severe cyberattack experienced at least eight hours of downtime, accounting for a large part of the overall cost of a security breach. 

So, a relatively small investment in cybersecurity today gives you a good ROI by saving you money in the long run.

The rising rate of cybercrime

The chances of being the victim of cybercrime are also growing fast, so the time is right to get your house in order and protect your business with reliable cybersecurity. 

Rates of cybercrime have been increasing for years, with a rapid rise in remote and hybrid working heightening companies’ vulnerability to attack. But over the last year, attacks have spiked. For example, the percentage of users impacted by targeted ransomware doubled in the first 10 months of 2022. And, according to the 2022 State of Phishing report from SlashNext, phishing attacks have also increased by 61% in 2022.

Experts warn that with the cost-of-living crisis, we should expect cybercrime to escalate even more and cyberattacks to increase in sophistication. Unfortunately, there is a correlation between tough economic times and a rise in cyberattacks. More people may be tempted to turn to cybercrime, and there could be an increase in social engineering attacks specifically designed to exploit the financial hardship of recipients, manipulating vulnerable victims into handing over valuable data.

So, now is not the time to cut back on cybersecurity, as the cost of cybercrime means it’s just not worth taking the risk.

Good cybersecurity needn’t be daunting

This may all sound worrying, but it really is easy to protect your business, and this doesn’t have to cost the earth. As the UK Government’s Small Business Guide: Cyber Security says: ‘Cyber security needn’t be a daunting challenge for small business owners’. 

However, many enterprises still need to protect themselves sufficiently. According to a report from Kaspersky, as many as a quarter of UK companies admit to underfunding cybersecurity, even though 82% have suffered cyberattacks. Another study also found that one-third of companies with 50 or fewer employees were using free, consumer-grade cybersecurity, leaving themselves more vulnerable to attacks.

A big reason for this could be that protecting your business on a budget can be tricky – employing experts or investing in the latest tools can be costly. However, reliable cybersecurity does not have to be prohibitively expensive or complicated. CyberSmart Active Protect provides robust protection with no need for pricey tools, consultants, or an in-house team. It’s a cost-effective and easy way to secure all employee devices that touch your company data. Simply send a downloadable link to your staff and Active Protect will do the rest, checking 24/7 for the most common cyber threats and vulnerabilities.

So, when you consider the cost of cybercrime and the rising number of attacks, cybersecurity is undoubtedly worth it.

What are the most common types of cybercrime?

It’s easy to feel overwhelmed by the threat of cybercrime. Last year, cybercriminals stole more than £4 billion from businesses in the UK, which is 63% more than in 2021.

And unfortunately, small and medium-sized businesses are three times more likely to be targeted than larger companies. They’re generally less equipped to deal with attacks and absorb the associated costs, so 60% are forced to close within six months of an attack.

These numbers, the rising cost of living, and predictions that the UK economy will shrink are a perfect storm for businesses. And with an ever-growing threat, there’s an ever-shrinking contingency fund.

But don’t let this get the better of you. It’s important to understand the most common types of cybercrime and take action to mitigate the risk of an attack.

What are the most common types of cybercrime?

1. Hacking

Hackers break into your computers and networks to access data. They can gain this unauthorised access by using brute force to guess your passwords or by using software like spyware.


T-Mobile suffered an attack which affected 37 million customer accounts. The hacker stole personal data, like names, birth dates, and phone numbers, through an application programming interface (API) for a month before being detected and stopped. 

2. Phishing

Phishing is a type of social engineering attack often used to steal data, such as login details or credit card numbers. Criminals ask recipients to share sensitive information via email or by visiting fake websites that look legitimate but aren’t. A recent State of Phishing report revealed that there were 250 million phishing attacks in 2022. Fortunately, there are some simple ways to avoid an attack.


Developers at Dropbox were recently targeted by a phishing campaign that successfully accessed some code stored in GitHub, an internet hosting service for software development and version control. The criminal impersonated another platform and sent emails encouraging developers to log in so they could steal their credentials. Most emails were quarantined by Dropbox security systems, but some made it through, and one employee entered their details. The threat actor stole data including API keys and a few thousand names and email addresses of Dropbox employees, customers, and leads.

3. Malicious software

Malicious software, or malware, is a type of computer program designed to steal data or damage computers and computer networks. This includes viruses, trojans and worms. Ransomware is also a type of malware, and this kind of attack is on the rise. In 2022, ransomware accounted for 25% of all data breaches. One way attackers can successfully steal data is through unpatched systems with known vulnerabilities.


The Guardian newspaper suffered a ransomware attack in December 2022. It was likely triggered by a phishing email that meant the attacker could access the internal network. Its IT infrastructure was affected but publishing and printing continued with staff being sent to work from home. No customer data was stolen, but the attacker accessed staff data in the incident. 

4. Distributed denial of service (DDoS)

A DDoS attack is designed to stop legitimate users of a website or service from accessing it. An attacker will overload the website with traffic so that it cannot cope with or accommodate any more visitors. A hacker will call on hacktivist groups to help them do this or infect innocent users with malware so the hacker can force devices to contribute to the attack.


A Google Cloud Armor customer recently faced the biggest DDoS attack on record. At its height, there were 46 million requests per second and the attack lasted for just over an hour. Fortunately, Google was able to block the attack.

What can you do to protect your business?

Budgets are certainly stretched at the moment, but the last thing you should skimp on is cybersecurity. Fortunately, there are some straightforward and reasonably priced ways to protect your business from the most common threats. For example, getting a Cyber Essentials or Cyber Essentials Plus accreditation reduces your cyber risk by 98.5%.

The certifications are designed by the UK government and give businesses a standardised level of protection. There are five security controls to help you address cybersecurity effectively. These are:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

Its easy-to-follow steps make it simple to secure your business against the most harmful threats. And it costs a fraction of what it would to deal with an attack. You’ll get a great return on investment (ROI) and peace of mind, so it’s a reliable way to protect your business for the future.

What is smishing?

You’ve probably heard of phishing scams, have a decent handle on what they look like, and know how to avoid them. But just when you thought it was safe to log back onto your devices, there’s a new threat in town. ‘Smishing’.

Silly name aside, smishing is a pretty potent cyber threat and has fooled thousands of victims to date. So, to arm your business against this new breed of scam here’s everything you need to know.

How does Smishing work?

Smishing attacks are a mutation of a classic phishing scam. They typically use SMS (hence the ‘smish’ part of ‘smishing’) to target victims and usually work much the same way as a typical phishing scam. A cybercriminal will impersonate a legitimate company to solicit personal data or financial information.

Like most social engineering attacks, smishing relies on creating a sense of urgency to trick victims into giving away their details before thinking too much about whether the message is legitimate. For example, a textbook smishing message often looks something like this: 


“Your Parcel Service package has extra shipping charges of £1.45 that must be paid before we can deliver your parcel.

Please click parcelsevice-17374330.com to pay.”

Notice that this text message doesn’t feel quite right. The language isn’t quite what you’d expect from a professional courier, the link looks dodgy, and there’s lots of slightly shonky bold text everywhere. And on top of this, few couriers or postal services would notify you of extra charges via an SMS.

However, if you’re in a hurry or are expecting a parcel, you might just hit the link without thinking too much about it. And it’s exactly that scenario that the bad guys are counting on.
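An added example, not part of the original article or any CyberSmart product: a small Python check that looks for the warning signs described above (urgency, a payment request, and a link that imitates a known brand) in the sample message. The trusted domain parcelservice.example, the keyword lists and all function names are assumptions made for illustration.

```python
import re

# Assumption: domains the business has verified as genuine. Hypothetical value;
# the article only names a generic "Parcel Service".
TRUSTED_DOMAINS = {"parcelservice.example"}

# Simplification: production code should consult the Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk"}

# Assumed keyword lists covering the signs the article describes.
URGENCY = re.compile(
    r"must be paid|before we can|immediately|urgent|final notice|within \d+ hours",
    re.I,
)
MONEY = re.compile(r"[£$€]\s?\d+(?:\.\d{2})?|\b(?:rebate|refund|fees?|charges?)\b", re.I)
HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def split_host(host):
    """Return (registrable domain, brand label with digits and hyphens removed)."""
    parts = host.lower().split(".")
    suffix_len = 2 if ".".join(parts[-2:]) in TWO_PART_SUFFIXES else 1
    parts = parts[-(suffix_len + 1):]
    return ".".join(parts), re.sub(r"[\d-]", "", parts[0])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host):
    """Classify a linked host as trusted, a lookalike of a trusted domain, or unrecognised."""
    domain, label = split_host(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(label, split_host(trusted)[1]) <= 2:
            return f"lookalike of {trusted}"
    return "unrecognised"


def review_sms(text):
    """Report which warning signs a text message shows and an overall verdict."""
    links = {h.lower(): check_host(h) for h in HOST.findall(text)}
    urgency = bool(URGENCY.search(text))
    payment = bool(MONEY.search(text))
    lookalike = any(v.startswith("lookalike") for v in links.values())
    untrusted = any(v != "trusted" for v in links.values())
    return {
        "urgency": urgency,
        "payment": payment,
        "links": links,
        # A lookalike link is enough on its own; any other untrusted link
        # needs urgency or a payment request alongside it.
        "suspicious": lookalike or (untrusted and (urgency or payment)),
    }


# The sample message quoted in the article.
PAGE_SMS = (
    "Your Parcel Service package has extra shipping charges of £1.45 that must "
    "be paid before we can deliver your parcel.\n\n"
    "Please click parcelsevice-17374330.com to pay."
)

# Constructed benign message for comparison.
BENIGN_SMS = (
    "Parcel Service: your parcel will arrive today between 10:00 and 12:00. "
    "Track it at parcelservice.example/track"
)

if __name__ == "__main__":
    for name, sms in (("article sample", PAGE_SMS), ("constructed benign", BENIGN_SMS)):
        print(name, review_sms(sms))
```

Keyword and lookalike checks like these catch only the crude cases, so they complement staff training rather than replace it.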

Want to know more about the threats facing UK businesses? Download our guide.

Why are smishing attacks on the rise? 

First of all, let’s state the slightly obvious. Smishing attacks are becoming a big cybersecurity problem. Reports of malicious text messages tripled in just a year from 2019 to 2020, skyrocketing from 107,663 in 2019 to 305,241 in 2020.

What’s more, Ofcom research revealed that 82% of UK adults (or 45m people) received a suspicious text or email during the summer of 2021. It’s got so serious that the UK government was forced to relaunch its Joint Fraud Taskforce in October of last year.

But what’s driving this?

Of course, some of this is down to the pandemic; we saw cyberattacks of all kinds increase dramatically in the wake of COVID-19. However, that’s not the whole story. In smishing, cybercriminals have hit upon a low-effort, high-reward way to target just about anyone who owns a phone.

It’s substantially easier for cybercriminals to find your phone number than your email. Even if your number hasn’t been in a data leak, attackers can simply try random combinations of numbers until they hit upon one that’s a real phone number. After all, there’s a finite set of options for a mobile telephone number (UK numbers are 11 digits).

On top of this, smishing has become increasingly popular because people are more likely to trust a text message than an email. This is partly an educational issue. By this point, most of us are aware of the threat of email phishing scams (even if we still fall for them). Smishing is a newer phenomenon and, as a result, we tend to be more trusting. 

Are there any famous examples?

There are plenty of examples of famous brands being spoofed for smishing purposes, from banks to parcel services to government departments. But perhaps the most famous UK examples are Royal Mail and HMRC.

The Royal Mail scam looked a lot like our smishing example above. Victims were sent fake messages purporting to be from Royal Mail asking them to pay extra fees for parcels to be released. Once victims had entered their card details to pay these ‘fees’, cybercriminals used this information to drain their bank accounts or go on lavish spending sprees.

Sadly, a staggering number of people were hoodwinked by the scam. According to Wired, 2020 saw a 1,077% increase in incidents related to Royal Mail.

The HMRC scam performed a similar dirty trick. Victims received SMS messages notifying them of a bogus tax rebate. And, after victims submitted their information, you guessed it, money suddenly started disappearing from their bank accounts.

Both scams had devastating effects, particularly at the height of a pandemic with many people on furlough, with victims losing savings or money they needed to pay bills.

What can you do to protect your business? 

Education, education, education 

Smishing attacks rely solely on human error. If your people can recognise the signs of a smishing scam, they simply won’t fall for it. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in smishing attacks such as impersonating a supplier, creating a sense of urgency, or offering bogus services. It can also help give them a good nose for what looks or sounds like a scam, identifying things like strange syntax, simple spelling mistakes and weird URLs or phone numbers.

Create clear cybersecurity policies

If your staff aren’t aware of what safe online behaviour looks like, they’re unlikely to adopt it. So, you need easy-to-follow cybersecurity policies to make it clear what safe and unsafe look like. 

Also, make sure they know where to find them. The most thorough cybersecurity policy in the world is useless if no one reads it. For more on why cybersecurity policies are so important and how CyberSmart can help, read this. 

Create a positive cybersecurity culture

Your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. Anything else risks security mistakes being swept under the rug, only to resurface ten times worse when they’re discovered later on.

So encourage your people to ask questions, report security issues and, most importantly, learn. There was never a truer cliche than ‘your people are your greatest cybersecurity asset’.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.

How does the internet encourage cybercrime?


There’s no disputing that cybercrime is on the rise. According to data from RiskIQ, $2,900,000 is lost to criminals every minute and companies pay out an average of $25 every 60 seconds due to breaches. So it’s hardly surprising cybercrime is set to cost the world $10.5 trillion annually by 2025.

But what is it about the internet that encourages cybercrime? In the second part of our series on cyberpsychology, we delve into how the internet nurtures cybercrime and why we often fall for scams we wouldn’t in the physical world.

Let’s start with the bad guys.

How does the internet enable cybercriminals? 

We’re not always aware of it, but all of us can be guilty of losing our inhibitions online. The internet can encourage us to be more confident and open. However, it can also have toxic side effects.

Some of us are more likely to be manipulative and deceptive online as we are less concerned about our peers’ judgement. When interacting with each other using technology, communication has limited physical features. Often we can’t see or hear the person we’re talking to, offering perfect conditions for misleading messages and false identities.

Online interactions can seem less tangible than our offline lives. And, because the online world feels less ‘real’, harmful behaviour can also feel more acceptable. Without the victim’s physical presence, attackers feel distant and detached from their target and are less afraid of being caught. This makes lying and misleading behaviour much easier. Criminals also feel safer due to the anonymity offered by the internet and the lack of regulation of online behaviour.  

Criminology theory suggests that the three key ingredients for more crime are a motivated attacker, a suitable target and a lack of ways to protect them. Let’s apply this framework to cyberspace. The motivation for cybercriminals is the belief they’re unlikely to be punished for cybercrime. The target can be just about anyone, such is the range of available victims. And, the lack of protection is provided by the way we conduct ourselves online. 

How do cybercriminals use the internet against us?  

There is a wide variety of methods cybercriminals use to ensnare victims. For example, phishing attacks create a sense of urgency and exploit it. It could be by creating a bogus ‘emergency’ in which the cybercriminal poses as a friend in need of help. Or, it could be something less altruistic, like the chance to win prizes.

Criminals can also mislead us by presenting themselves as an authority or trustworthy institution – sometimes even using familiar names and logos. This could trigger us to be less critical when facing a request and respond out of habit, familiarity, or respect for authority. To give an example, during the COVID-19 pandemic we’ve seen a huge increase in bogus vaccination emails. The threat has become so widespread that the NCSC has launched an awareness campaign, encouraging anyone who’s been targeted to use its scam reporting services.

Online communication can often appear hyperpersonal. And this is especially true if we don’t know the person we’re communicating with. Online interactions can make us idealise the person behind the avatar or email address. Without a physical appearance, body language or other non-verbal cues, we struggle to determine someone’s intentions. The result is we often default to our better nature and develop a sense of having a close relationship very quickly. 

This can lead to us disclosing personal details without actually knowing the person we’re communicating with. Cybercriminals know this and are quick to exploit it. 

The situation is made worse by the ready availability of personal information on the internet. Take social media, for example. Through a person’s profile, you can often see friends or connections lists, recent locations, their interests, and any events they’ve been part of. This information is a great resource for attackers in making communication more targeted and personal. 

What can cyberpsychology do to help us improve our cybersecurity? 

Although it might sound like a slightly dusty academic concept, cyberpsychology has plenty of practical uses. For one, it can help us better understand our vulnerabilities online. And knowing that we’re prone to hyperpersonal communication and letting our guard down is the first step towards correcting that behaviour. 

It also helps us understand the methods cybercriminals use to trick us and the behaviours that make us an easy target. This understanding can make us think more critically the next time we’re faced with a potential scam. What’s more, it gives us the tools to avoid falling for scams in the first place and better strategies for protecting ourselves. After all, to defeat your enemies you must first understand them. 

Knowledge of how and why cybercriminals target us is important. However, knowledge alone isn’t enough to protect your business.  You also need an understanding of the fundamentals of good cybersecurity. Fortunately, this isn’t nearly as difficult as it sounds. A great place to start is by getting certified in Cyber Essentials, the UK government scheme that covers all the basics of good cyber hygiene. It doesn’t require any cyber expertise and can help protect your business against 98.5% of the most common cyber threats.
