‘What keeps me awake at night?’ responds Sean O’Neil, a Fraud and Security Advisor for Bedfordshire Police. ‘I have heartbreak for individuals’ losses,’ he says. ‘I’ve dealt with over sixty romance frauds over the last couple of years. The average cost to a vulnerable victim is usually all of their savings.’
Romance fraud, for the unfamiliar, sees a criminal befriend and seduce their victim, usually through an online dating site. The criminals - who are generally based in foreign countries - pose as engineers or military officers searching for love. After they’ve hooked a victim with honeyed stories, compliments and platitudes, they ask for money in ever-increasing quantities.
‘I’ve visited people who have lost all their ISAs,’ O’Neil says. ‘They are often in debt after the attack, after falling in love with somebody online. The average loss is around £70,000. The victim has no way of re-earning that money; these are life-changing events. That’s what keeps me awake at night.’
Members of the public, he says, are attuned to conventional risk: they understand twentieth-century crimes like burglary and assault. But few people, if any, are switched on to cyber risk. It gets worse, too: ‘If they were robbed or burgled, they would be covered by insurance or the government pays up,’ O’Neil explains. ‘But, if you are robbed of your savings, the banks can’t help you, the police can’t help you.’
Views, insights and patterns
O’Neil, a retired senior detective, now works for Bedfordshire police to provide cyber protection advice to businesses, people, organisations and charities. He’s also a fraud manager, which, he says, involves looking at all the incoming fraud data from across his patch and setting strategies to help.
This begs an initial question: what are the big cyber security trends that O’Neil sees across his territory?
‘Bedfordshire,’ he says, ‘is a small county area, so my data is a lot smaller than, say, London, Manchester and Essex. But, every month, I get 450 reports of cyber crime and fraud in my area. I can tell you the main area of concern is mandate fraud.’
Mandate fraud generally sees an operative inside an organisation change a direct debit, standing order or transfer instruction, such that money is directed away from the intended recipient and towards criminals’ bank accounts.
CEO fraud is a prime example. Here, criminals send an email to, say, the accounts department, asking it to amend a supplier’s bank details. The criminals add impetus, urgency and plausibility to their tale by impersonating the organisation’s CEO.
‘The biggest event I’ve dealt with in Bedfordshire is a £1.4 million loss. Most businesses I deal with lose between £35,000-£50,000,’ O’Neil explains.
We need to talk about ransomware
Elsewhere in Bedfordshire, ransomware is a big problem and one that O’Neil believes is underreported. Here, individuals and companies find their data encrypted and locked behind a password-protected wall; criminals then request money from the victim to release it.
Payment is usually demanded in cryptocurrencies such as Bitcoin, because they are harder for the authorities to trace. The criminals claim that when the payment arrives, they’ll give the victim a mathematical key that will enable them to recover their data.
For individuals, a ransomware attack is bad news. They may lose access to music, pictures and work files. For businesses, an attack of this nature can be utterly ruinous. Everything from logistics to PAYE, inventory and accounts information can be rendered inaccessible. Within moments, a whole business could be paralysed and set on an irrevocable course toward bankruptcy.
To pay or not to pay
Businesses should never pay the ransom, O’Neil says. ‘The National Cyber Security Centre takes that position and so does law enforcement. [Firstly], you’re giving money to organised crime - drug dealing, people trafficking and the like,’ he explains. ‘And, even if you do pay, there’s only a fifty-fifty chance of getting your data back.’
Despite this advice, businesses do pay the criminals. ‘If all your data - all your business - is encrypted and you’re asked to pay between £3,000 and £750,000, it’s a no brainer. Pay up and get your data back.’
There’s also a more devious side to the apparent easy solution of payment: reinfection. ‘You have to remember that it was malware on the servers that caused the problem. And, even if you pay, you’ve still got malware on your servers,’ O’Neil warns. ‘The servers haven’t been checked, they haven’t been cleared of malware, so the bad guys still have access and they’ll come back... They think the problem has gone away and it hasn’t,’ O’Neil warns.
‘The problem,’ he explains, ‘is that many insurance companies will think it’ll cost more to recover the data than the small amount demanded by the criminal. So, insurance will pay - but law enforcement says, “don’t pay.”’
‘It’s quite common for insurance companies to pay a ransom,’ he explains, ‘and they don’t disclose it to law enforcement, so ransomware attacks go unreported. It is very under-reported as a crime. I get maybe two or three reported a month, but I know businesses that are receiving [and repelling] ransomware attacks every day.’
Don’t keep it a secret
By keeping attacks and payments hushed up - or at least not disclosing them - organisations are making the ransom problem worse. Their silence means organisations like the National Cyber Security Centre can’t learn from what is happening. Through this learning, they could help protect other potential victims.
‘Also,’ O’Neil says, ‘if it is reported fast enough, we can possibly deploy staff to go to the scene and work with IT specialists and help recover. Law enforcement can also get copies of the logs, look at IP addresses and possibly learn about where these attacks are coming from - hopefully stopping other people from becoming victims. If they’re not being reported and we find out two months down line, all the logs are gone.’
Offering his advice on the base course of action, O’Neil says: ‘It’s far better to assume that you’ll one day be a victim and ensure that you have a proper plan in place to reformat, recover, restore and clean up.’
When it comes to a ransom attack, prevention, then, is far better than cure or payment. Organisations should keep regular backups of critical data - and store it away from the main network. Businesses should also have and rehearse their remediation plan.
‘Don’t be a victim,’ says Sean O’Neil. ‘Every company I visit believes it has structures in place that prevent them from becoming a victim and they believe this right up until they become just that - a victim of cyber crime.’
As he explores the reality of cyber crime - how it ruins lives and businesses - a recurring theme becomes apparent: social engineering.
The dark skills of the devious
Social engineering is best defined as the use of deception to manipulate individuals into divulging important information that could be used to commit a fraud. Phishing, CEO fraud and romance fraud all rely on social engineering.
A social engineer’s greatest skill isn’t apparent in their final act of deception, however; rather, O’Neil explains, it is in their ability to spot potential victims. The best (or worst) social engineers have a sixth sense for the vulnerable, as well as the patience to research prospective victims’ situations. When they’ve positively identified a vulnerable person or organisation, they’ll launch their socially engineered attack.
Central to this notion of pre-attack research is open source intelligence (OSINT) - data collected from publicly available sources that is used in an intelligence context. For a romance fraud attack, this might involve looking at the biographical information somebody shares about themselves: posts about illness, bereavement or loneliness.
When scoping out a company for CEO fraud, a hacker might scour staff social media accounts for intelligence, read blogs and IRC threads and harvest usernames and emails addresses - anything openly available that can give a handle on people, processes and relationships behind an organisation’s firewall.
‘With social engineering, these people can pick up on signals from pictures and background information. They target people. All the people I’ve visited over the years who have been victims of romance fraud - they’ve all had vulnerable written all over them,’ O’Neil laments.
Finishing with practical advice about staying safe, O’Neil recommends: ‘If you’re worried, contact your local constabulary and find the name of your local cyber protect officer. Get a meeting, it’s free. And, follow the bunch of fives: passwords, antivirus, backups, updates and encrypt sensitive data.’