There are three certainties in life. Death and taxes are two. The third is the hacking of companies and spying on their employees. The third certainty comes from Jonathan Evans, former head of cyber security at the British intelligence agency MI5, in an interview with the Telegraph.
The days when corporate and government espionage meant bugging a room to listen in on a private conversation are gone. Today, cybercrime happens in cyberspace through phones, computers and any device or thing connected to the Internet. The devices we think work only for us are often being snooped on to steal information and secrets.
Last week, an economic cyber security agreement was reached between the presidents of China and the United States. Both countries agree to deter direct and supported hacking of data from companies and state agencies for economic benefit. The pact covers cyber theft, with the intent to provide advantage to a country’s companies or commercial sectors.
Cyber espionage experts, like the US Director of National Intelligence, James Clapper, say the pact is a good first step but are skeptical because it lacks teeth: there are no penalties for violations. The agreement follows one of the largest cyber attacks on the US government. The Office of Personnel Management in the US was hacked earlier this year. The hack compromised private records for approximately 22.1 million current and former federal employees and job applicants. Many in the US government believe the attack was supported by the Chinese government.
Costs of Cybercrime Globally
According to a 2013 report by the Center for Strategic and International Studies, the global cost of cyber crime ranges from $375 billion to $575 billion annually. In human terms, more than 800 million individual records were compromised in 2013. According to the World Bank, the bulk of global costs from cyber crime falls on G20 countries like the US, China, Japan, Germany and France.
The biggest cyber risks responsible for a company’s economic loss are loss of reputation, business interruption, damages paid, loss of IP/trade secrets, subsequent regulatory requirements, website downtime, notification costs and extortion. It is estimated that Target, the US retailer, experienced losses of up to $420 million.
Cybercrime Cost to Small Businesses
As cyber theft becomes more sophisticated, the situation is more problematic for small businesses, which are unprepared because they lack resources and expertise. The consequences of a hack to a small firm can extend beyond predictable cyber risks mentioned above to also include the theft of private intercompany communications, vendor contract details, confidential business information and proprietary systems. Hackers possessing such information often resort to blackmail.
Statistics on cyber crime data breaches at small companies are limited. According to a 2013 cyber crime report on UK businesses, 93% of large corporations and 87% of small businesses reported a cyber breach in 2012. The estimated cost of a breach was as high as $1.4 million for large companies and more than $100,000 for small companies.
Why should you care about Phishing?
Phishing is a term we hear often in the news, and it is one of the most popular scams on the Internet. According to Marc Goodman, author of Future Crimes, phishing is a technique criminals use to masquerade as a legitimate website in order to steal personal information such as passwords and credit card numbers. Phishing messages arrive by email, SMS, tweets, instant messages and Facebook updates. Organized crime groups want you to click on a link that takes you to a website where your personal information is requested. Alternatively, criminals want you to click on a link that installs malware on your computer or device. Legitimate organizations never request such information by asking you to click on a link.
A popular example of a phishing email is below.
Some things to look for in a phishing email are:
1. Generic greeting. Criminals often use generic names like “First Generic Bank Customer” to avoid the time it takes to send customized emails. If you don’t see your name, it is likely a phishing email. In other cases, the sender may look authentic, with the same font, color and logo, but a close look at the address shows otherwise. For example, you may notice www.ciitibank.com (two i’s is fake) instead of www.citibank.com. You may spot that bankofamerica.accountupdates.com is fake (accountupdates.com is the real website, operated by criminals). Get into the habit of examining email message headers for misspelled addresses that give away a fake.
2. Forged link. Hover your mouse over the link to see if the address it points to matches the organization’s name. Also check that the link begins with “https” — the “s” stands for secure. Legitimate websites start with https.
3. Requesting personal information. Legitimate organizations never request personal information by asking you to click on a link.
4. Sense of urgency. Criminals create a sense of urgency to get you to provide personal information. They often include deadlines in the message and negative consequences that may follow if you do not act quickly. These are phishing emails.
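As an added illustration (not part of the original article), the address checks from items 1 and 2 written as a small Python scanner run over a constructed email snippet that reuses the article’s two fake addresses. The brand allow-list, the two-label “registrable domain” rule and the regex link extraction are simplifying assumptions for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed allow-list of genuine domains; a real deployment would load a fuller list.
BRAND_DOMAINS = ["citibank.com", "bankofamerica.com"]

def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means no finding."""
    url, findings = urlparse(href), []
    host = url.hostname or ""
    reg = registrable_domain(host)
    if url.scheme != "https":  # item 2: legitimate sites use https
        findings.append("not https")
    if reg not in BRAND_DOMAINS:
        if any(b.split(".")[0] in host for b in BRAND_DOMAINS):
            # bankofamerica.accountupdates.com: the brand is only a subdomain of the criminals' site
            findings.append(f"brand name used as subdomain of {reg}")
        else:
            # ciitibank.com: near-identical spelling of a real domain
            near = [b for b in BRAND_DOMAINS if SequenceMatcher(None, reg, b).ratio() > 0.85]
            findings.append(f"lookalike of {near[0]}" if near else f"{reg} is not a known brand domain")
    shown = text.strip().lower()
    if "." in shown and " " not in shown:  # item 2: visible text names an address; does it match the target?
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if registrable_domain(shown_host) != reg:
            findings.append(f"text shows {shown_host} but link goes to {host}")
    return findings

def scan_email(html):
    """Map every link in the message body to its findings (regex is enough for this sample)."""
    links = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S)
    return {href: check_link(href, text) for href, text in links}

# Constructed sample message using the article's two lookalike addresses plus a genuine link.
SAMPLE = """<p>Dear First Generic Bank Customer, your account will be locked in 24 hours.</p>
<a href="http://www.ciitibank.com/verify">www.citibank.com</a>
<a href="https://bankofamerica.accountupdates.com/login">Update now</a>
<a href="https://www.citibank.com/">www.citibank.com</a>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE).items():
        print(href, "->", reasons or ["ok"])
```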
Is Phishing Worth It for Criminals?
Phishing is a first step that provides criminals with the basic information required to commit more serious crimes against you, like identity theft and financial, tax and insurance fraud. The cost of carrying out phishing for a criminal is very low. Goodman writes in Future Crimes that an automated phishing kit that sends 500,000 scam messages costs about $65 USD. More than 100 million phishing messages are sent daily, or 36 billion annually. According to a 2011 study by Cisco, approximately eight people out of every million become victims, with an average loss of $2,000 per victim. For a criminal, spending about $130 nets them $16,000, or a 12,000 percent return on investment.
The Rise of Spear Phishing
According to Goodman, phishing is much less lucrative compared to ‘spear phishing’, which is where the real money is for organized crime. According to Kaspersky Lab, spear phishing is a “targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. Unlike phishing scams, which cast broad, scatter-shot attacks, spear phishing hones in on a specific group or organization. The intent is to steal intellectual property, financial data, trade or military secrets and other confidential data.”
One of the largest industrial cyber-espionage cases occurred when Coca Cola was hacked by Chinese state-sponsored hackers in 2009. The incident involved an acquisition deal where Coca-Cola was in the final stages to purchase China’s Huiyuan Juice Group. Acquisition talks were progressing smoothly until the deal fell apart unexpectedly. Coca-Cola’s internal investigation showed the Chinese government was monitoring the deal closely.
Chinese hackers were able to penetrate the network by fooling Paul Etchells, the deputy president of Coca-Cola’s Pacific Group, into clicking on a malicious link in a targeted email campaign. The subject line of the email, which supposedly came from the CEO, was “Save power is save money!” Clicking on the link gave the hackers remote access to Etchells’ computer. It allowed the hackers to install a keystroke logger that captured anything the executive typed. The hackers targeted other executives and installed other programs, allowing them to pilfer emails and gain full remote access to almost any workstation or laptop on the network.
The single spear phishing attack on a Coca-Cola executive cost the company the $2.4 billion acquisition of the Huiyuan Juice Group. Goodman says spear phishing is the most popular method for criminals today. It accounts for 91 percent of targeted cyber attacks.
It remains to be seen whether state-sponsored hacking for economic gain will result in appropriate and enforceable penalties and damages for hackers.
Governments are behind and at a disadvantage in protecting their citizens against cyber crime. Individuals and companies need to invest time and money to become informed and take necessary precautions to minimize and prevent threats from online hackers and spies.