Cyber crime case studies: how to stay safe

Cyber crime is running rampant. As the pandemic pushed more of our lives online and the cost-of-living crisis has started to bite, cyber attacks have surged.

Criminal organisations can hold data hostage for ransom and individual hackers can sell remote access to an individual’s computer to the highest bidder on the dark net. Some nation-states run far-reaching cyber espionage campaigns too. The effect on you is the same in each case: your digital assets, your data and your privacy are in danger.

Sometimes targets are chosen deliberately, and attacks painstakingly tailored to maximise the chances of success against a particular victim. Other times, attacks are sent out blindly, to as large a group of indiscriminate victims as possible. Unfortunately, a few of our clients have been targeted in recent attacks. We have included some tips to help keep you safe on a flyer in this magazine that you might like to keep by your computer as a reminder to those using it.

The first step towards reducing the risk is the same either way: observing good cyber hygiene. This means consistently getting the basics right, developing secure habits and getting rid of dangerous ones. Here are a few case studies from wealth management clients who have been caught off guard.

Case study one: always verify

"Never blindly trust anything that arrives via email, text message or social media."

After a lot of haggling, Mr and Mrs M finally had their offer accepted on a new home that they had made via their solicitor. When their solicitor emailed them the details of the bank account they needed to transfer the payment into, Mr M promptly logged into his online banking. He clicked past the warnings telling him that the bank does not assume any responsibility if he sends the money to the wrong account. “Once the money is gone out of your account, it is gone for good,” the bank reminded him. He doubled and triple-checked the email from his solicitor. When he was confident he had the account details right, Mr M made the payment.

The next day Mr M called his solicitor, telling him he had transferred the money over as requested. The solicitor was confused and maintained that she had not yet sent him the bank details. Mr M referred the solicitor to the email sent yesterday, but she could not find the email. Mr M sent the email back to the solicitor, and even on seeing it, she maintained that she had not sent it.

Attackers can compromise people’s private or professional email accounts to masquerade as trusted parties. The email had guided Mr M to send the money he and his wife had earmarked for a new house, to a bank account controlled by the attacker was sent from their solicitor’s real email address, which they trusted.

Never blindly trust anything that arrives via email, text or social media. Always double-check the sender’s identity by phoning them on a number that you already have or have found by searching the company website online. Ask them to read out their bank details before transferring any money.

Case study two: do not overshare

Helen was delighted to get away on a tropical holiday with her family. On their first night, she posted a photo of the whole family having dinner on the beach and then continued to post photos on social media for the rest of the ten-day holiday.

She returned home to find her house had been broken into. Her social media post had given a diligent attacker a large time window during which to plan and execute a robbery.

Never share concrete holiday plans on social media. Do not advertise when your home will be unguarded and easiest to break into.

Case study three: be careful what you click on

"He was told that the website he invested through, which was advertised on social media, was a scam. It was a fraudulent imitation, luring people in by masquerading as a well-known brand."

While browsing on social media, an advert caught Yosef’s eye: a financial services company that he knew and trusted was offering an investment account that guaranteed you cannot lose money in the first two years. If the funds his investments go into should go down in value, the company promises to reimburse him, to demonstrate confidence in their products. Not wanting to miss this opportunity, Yosef clicked on the link under the ad.

He recognised the company’s branding on the website he was directed through to and was asked to set up an account and create a password. He was then asked to transfer money from his bank account to the provider to invest. As he did this, Yosef realised that the name of the recipient bank account looked a little strange. He dismissed those doubts and sent the money.

A couple of days later, there were no changes to his investment account so Yosef reached out to the customer support details given on the page. Curiously, that number did not seem to be in service. Yosef did his own internet search to find the customer support contact details for the company and phoned them on the listed number. The person on the phone informed him that their company does not offer the investments he described. They escalated the problem internally, and after a couple of days, he was told that the website he invested through, which was advertised on social media, was a scam. It was a fraudulent imitation, luring people in by masquerading as a well-known brand.

The money Yosef transferred, unfortunately, was gone. His bank could not reimburse him, and neither would the company he thought he was investing with.

Be careful what you trust on the internet and do not follow ads or links. Instead, manually search for the company that is allegedly offering the service you are interested in on a search engine, such as Google.

What to do if you suffer a cyber incident

1. Verify the source of the breach notification

One of the most common ways hackers access sensitive data is by sending fake data breach notifications, usually via email. It is therefore essential that you verify where your data breach notification came from, just as you would with any other email you were not expecting. The best way is to contact the company in question by an email address or contact number listed on their official website.

Do not click on any links in emails. This could very well be how hackers get you to enter your data on a fake website. Instead, find the company’s website manually by typing its URL into your browser’s search bar or searching for it on Google.

2. Seek information about the data breach

Learn what you can about what happened. There are many ways for data breaches to occur, and it is worth trying to understand how it happened and what the impact is for you. Direct communications from the affected company, notices posted on their website and media reports can all be valuable sources. The following are some questions to try and answer to build a useful picture of the situation:

• How are they making improvements to their systems to avoid future breaches?
• Is the organisation offering complimentary security services to make sure customer data is safe, e.g. offering ongoing credit bureau monitoring?
• What do they feel the risk of harm is to those affected?

3. Log in to your account and change your login password immediately to a strong, unique password.

Do this as soon as possible after the breach to ensure nobody gains access to your account. As most breaches are mass data breaches, i.e. hackers gain access to thousands of accounts at once, rather than specifically targeted individual breaches, your own account should be safe if you change your login data in time. If you are using the same password for any other accounts — which really should not be the case — change those too. Remember, a combination of three random words, such as RocketPennyBook, ideally with some symbols or numbers thrown in, is a good place to start when choosing a new password.

Keeping you, your data and your money safe is paramount to us at Cazenove Capital. If you have any questions or concerns about cyber crime, please speak to your usual Cazenove Capital representative.