As Cybersecurity Awareness Month comes to an end, it is worth remembering that cybersecurity is necessary because of cybercrime. And cybercrime is flourishing. More criminals than ever are lurking online, ready to exploit any technical or human weakness that offers a way into our data.
In fact, October might justly be called Cybercrime Awareness Month. The security protocols that protect us can seem tedious if we forget their purpose. Cybersecurity exists to shield us against unremitting attacks on our finances, workplaces, privacy and even our very identities. With awareness of these real and constant threats, we also gain the motivation to defend ourselves.
And the protocols of cybersecurity work—if they are followed. To give a physical-world analogy, imagine living in an area where cars are constantly being stolen, but many residents do not bother to lock their car doors. “What is the point?” they say. But if those residents become aware that car thieves routinely look for unlocked cars to steal, and ignore the locked ones, then the extra effort of locking up now seems worthwhile.
Two examples of today’s most rampant cybercrimes—business email compromise fraud and ransomware—underscore how cybersecurity fundamentals can prevent serious attacks. Just like with the car lock, the value of these security steps is better appreciated with some knowledge about how these crimes are carried out.
Business Email Compromise (BEC)
This cyberscam occurs when criminals gain access to the email account of a business employee. Criminals often target the email account of a high-level member of the organization, even the CEO or chief financial officer. Once they have access, criminals research the contents of previous emails to learn more about how the company communicates and makes payments. Then, they impersonate the employee, sending emails from the compromised account that direct others in the company to transfer money to a financial account for a seemingly legitimate business purpose, such as paying an invoice. The financial account receiving the money, of course, is controlled by the criminals. According to the Federal Bureau of Investigation, BEC fraud has rapidly increased since 2019 and has caused $43 billion in global actual and attempted losses.[1]
There are simple cybersecurity steps, however, that can prevent BEC fraud.
- Strong passwords: BEC fraud only works if criminals can gain access to an email account. A strong password—one that is more than eight characters and contains a hard-to-guess combination of letters, numbers and symbols—makes the account more difficult to compromise. Many users fail to reset default passwords (like “password” or “1234”) or create similar passwords that are easy to guess. Cybercriminals, either by using password-guessing programs or researching their targets, are very good at figuring out weak passwords.
- Multi-factor authentication: Email accounts are even better protected when the user must supply a strong password plus another unique identifier to gain access, a process called multi-factor authentication (MFA). The additional identifier might be the answer to a security question (“What was the name of your first pet?”), a code pinged to the user’s cellphone or a biometric like the user’s fingerprint. With MFA, criminals are blocked from the email account even when they can figure out the password.
- Limited login attempts: Another way to keep criminals from accessing an email account is to limit the number of times a user can try to log in. If the password is entered incorrectly more than five times, for example, the email system locks the account until the accountholder can verify their identity and reset their password. This simple security feature keeps criminals from endlessly guessing a password until they get it right. And lockouts can alert the true user or system manager that someone has been trying to get into their account.
- Avoiding public Wi-Fi: Free Wi-Fi at coffee shops and airports is highly convenient, especially for criminals. Many free Wi-Fi services are not secure or encrypted, meaning whatever internet traffic flows through them can be easily intercepted. So, if an employee logs into his business email account using the free Wi-Fi at the airport, there is an excellent chance a criminal is capturing the username, password and other identifiers needed to compromise that account. Knowing that so many people use free Wi-Fi to log into accounts or conduct online transactions, some criminals even set up bogus “free Wi-Fi” access points to steal login credentials, as well as personal identifying and financial account information. Using the internet through your own cellphone hotspot or a virtual private network (VPN) is a safer method in public places.
- BEC awareness and training: Easy cybersecurity steps such as these are only effective if users are actually implementing them. Training all employees on how BEC fraud works gives them the criminal context for why strong passwords and other safety measures are so important. Understanding the “why” can both motivate users to safeguard their accounts and be on alert for fraudulent communications with instructions to transfer money out of the company.
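The lockout rule from the “Limited login attempts” step, as an added example that is not part of the original article: a per-account failure counter that refuses further logins after more than five wrong passwords, records an alert for the system manager, and only unlocks once the account holder has verified their identity and reset the password. Class and function names, the constructed credential store and the alert text are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 5  # the article's example: lock after more than five wrong passwords

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash, so a stolen credential store is hard to crack offline
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False

class LoginGuard:
    """Per-account failure counter with lockout and an alert for the system manager."""

    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self.creds = {}                   # user -> (salt, hash); constructed, not a real directory
        self.state = defaultdict(AccountState)
        self.alerts = []                  # lines the system manager or the real user would be shown

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.creds[user] = (salt, hash_password(password, salt))

    def attempt(self, user: str, password: str) -> str:
        st = self.state[user]
        if st.locked:
            return "locked"               # even the right password is refused until reset
        salt, stored = self.creds.get(user, (b"\0" * 16, b""))
        if stored and hmac.compare_digest(hash_password(password, salt), stored):
            st.failures = 0               # a successful login clears the counter
            return "ok"
        st.failures += 1                  # unknown users are counted too, so they are not revealed
        if st.failures > self.max_failures:
            st.locked = True
            self.alerts.append(f"{user}: locked after {st.failures} failed logins")
            return "locked"
        return "denied"

    def verify_identity_and_reset(self, user: str, new_password: str) -> None:
        # Only after an out-of-band identity check: set a new password and unlock
        self.register(user, new_password)
        self.state[user] = AccountState()
```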
Ransomware
Ransomware is a form of malicious software (malware) that infects computers and other devices. Devices become infected when criminals send emails that trick the recipients into clicking on a link or opening an attachment that will download the ransomware. Some infections occur when a user unknowingly clicks on a ransomware-compromised website. Once a device is infected, the criminals use the ransomware to encrypt its files, or even its entire operating system (such as Windows), making any encrypted data inaccessible. Then, the criminals demand a monetary ransom in exchange for the code or “key” needed to decrypt the data. In some cases, criminals publish sensitive hijacked data online to pressure victims into paying the ransom. During the first six months of 2021, financial institutions in the U.S. reported $590 million in ransomware-related suspicious activity to the Financial Crimes Enforcement Network (FinCEN).[2] Global ransomware damages, including recovery costs, were projected to reach $20 billion in 2021.[3]
There are simple cybersecurity steps, however, that can prevent ransomware infections and protect data.
- Phishing and spoofing awareness: Teaching everyone how to identify suspicious emails that may be spreading ransomware is essential to stopping this crime. Criminals often use “phishing” emails that appear to come from reputable organizations, inducing recipients to open links or attachments that will download ransomware. Criminals also will “spoof” the sender’s information on their fake emails so it looks like they came from a legitimate source. Examining emails critically, avoiding links and attachments, and checking email headers to verify the real sender are some of the many techniques that any user can learn so as not to fall for the criminals’ tricks.
- Email filtering: Filtering out emails that may contain ransomware before they ever get to the recipients prevents people from inadvertently opening malicious links and attachments. Email filtering can be performed directly through email service providers and/or by using separate filtering software. The fewer ransomware emails that get through, the lower the chance of becoming infected.
- Data backups: The best defense against ransomware is keeping backup copies of data. A ransomware victim does not need the hijacked data back if they have a separate, clean copy readily available. Businesses with IT departments likely back up company data on a routine basis. Smaller businesses and individuals may have to do this crucial but easily learned task themselves. As long as someone is responsible for making regular data backups, ransomware is far less of a threat.
- Anti-malware software—with updates: Ransomware downloads can be blocked by anti-malware and anti-virus software and also by security protections built into operating systems and various software applications. Making sure all devices have anti-malware software installed can greatly reduce the chance of infection. Updates and “patches” are frequently issued for software and operating systems to counter evolving forms of ransomware and other criminal threats. Installing updates is critical to keeping devices safe from new cybercrime attacks.
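The header checks mentioned under “Phishing and spoofing awareness”, as an added example that is not part of the original article: it reads the From, Reply-To, Return-Path and Authentication-Results headers of a message and lists the reasons the apparent sender should not be trusted. The sample message, the domain names and the function names are constructed for the example; the checks use only Python's standard email module.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message): an invoice lure with a spoofed display name.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none
From: "Pat Lee (CFO) pat.lee@victim.example" <pat.lee@mail-invoice-update.example>
Reply-To: pat.lee@mail-invoice-update.example
To: clerk@victim.example
Subject: Urgent: pay attached invoice today

Invoice attached, please process before noon.
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def header_findings(raw: str) -> list:
    """Return the reasons to distrust the apparent sender; an empty list means none were found."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "").lower()
    from_dom = domain_of(from_addr)
    findings = []
    # Display-name spoofing: a familiar address is shown in the name, but the real address is elsewhere
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", display):
        if domain_of(shown) != from_dom:
            findings.append(f"display name shows {shown} but the real address is {from_addr}")
    # The envelope sender (where bounces go) normally matches the From domain for legitimate mail
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path {return_path} is not in the From domain {from_dom}")
    # Replies quietly redirected to another domain are a classic BEC and phishing sign
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To {reply_to} is in a different domain than From")
    # The receiving mail server's own SPF/DKIM verdict, when it records one
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("SPF or DKIM authentication failed at the receiving server")
    return findings
```

A real mail client shows these headers under “view source” or “show original”; the point of the example is which fields to compare, not to replace the mail server's own filtering.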
While cybersecurity strategies for large computer networks can be technologically complex, there are many simple measures that any computer or cellphone user can take to be more cyber secure. But the first step—the step that inspires the necessary discipline for effective self-protection—comes from a realistic confrontation of the threats we face. It is only by understanding that cybercrime is escalating at an exponential pace that we appreciate the urgency of our situation and become motivated to take the actions needed to make ourselves secure.
Antonia Merzon, Esq., CO, USA, consultant and author, firstname.lastname@example.org,
1. “Business Email Compromise: The $43 Billion Scam,” Federal Bureau of Investigation, May 4, 2022, https://www.ic3.gov/Media/Y2022/PSA220504
2. “Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021,” Financial Crimes Enforcement Network, October 15, 2021, https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf
3. David Braue, “Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031,” Cybercrime Magazine, June 3, 2021, https://cybersecurityventures.com/ransomware-report-2021/