By David Sexton
As we continue to openly embrace the benefits of these technological capabilities, we are also beginning to understand some of the real costs associated with this progress. Criminals who exploit these avenues for illegal purposes have been very successful in the deployment of cybercrimes against unsuspecting consumers and businesses. The more we learn about these crimes, however, the better we can prepare to mitigate potential losses.
What is the cost?
Unfortunately, the total loss from cybercrime is difficult to measure. The lack of reliable data and the resulting insufficient analysis can be attributed to many different factors. For one, if a breach does not affect customer security or compromise employee information, companies are not necessarily required to report these occurrences. To further complicate things, the impact of a reported breach is less apparent for those companies that are not publicly traded. Finally, companies, especially smaller ones, often might not even realize they have been breached.
A study from the Center for Strategic and International Studies (CSIS) determined that Canadian businesses lose an estimated $3 billion per year to cybercrime. These incidents are not exclusively attributed to technologically savvy security experts who are launching targeted attacks; anyone with a computer and an Internet connection is able to disrupt services and/or hold data for ransom. Further, the economic impact of cybercrime in Canada shows no signs of slowing down.
How does cybercrime take place?
As the familiar adage goes, “A chain is only as strong as its weakest link.” As such, there are two primary tactics criminals will use in the exploitation of online social networks (note that it is not uncommon for these strategies to be combined):
- Sophisticated hackers conversant in writing and manipulating code who access and/or successfully install unwanted software on a user’s computer or phone.
- ‘Social hackers’ (or ‘social engineers’) who manipulate and exploit individuals via social media through interactions that take place in person, over the phone, or through written communications.
Idiomatic expressions aside, when it comes to effective cyber security, human beings are the weakest link; social engineers exploit this knowledge to trick people into helping them get through security walls. These criminals are very good at designing their actions to be perceived as harmless, or even legitimate.
The potential damage done when an individual succumbs to an online scam or computer hack is shared by the individual and their employer. The risks include, but are not limited to: brand hijacking, damaged business reputation, intellectual property theft, data theft, identity theft, impersonation, loss of employment, damaged career or personal reputation, damaged data or networks, malware and virus dissemination, and lost revenue or income.
Many individuals are eager to share their personal information on social networking sites; however, once something has been posted, it is no longer private. As such, the more information someone posts, the more vulnerable they become to cybercrime. Criminals around the world troll social networking sites looking for exactly this kind of personal information to exploit.
How can cybercrime be prevented?
There are a variety of tactics criminals use to trick individuals into providing them with confidential information, or otherwise gain access to sensitive information via social networking channels. Being aware of these schemes can better protect you from these attacks.
This occurs when someone provides you with a USB or other electronic storage device that is pre-loaded with malware in hopes you will use the device and enable them to hack your computer.
- Do not use any electronic storage device unless you know its origin is safe and legitimate.
- Scan all electronic media before use.
Often cybercriminals will conceal hyperlinks beneath legitimate clickable content which, when clicked, causes the user to unknowingly perform actions (e.g. downloading malware or sending your information to the attacker). Many such scams have employed ‘like’ and ‘share’ buttons on social networking sites.
- Disable scripting in your Internet browser and explore other ways within your options to further maximize security.
This refers to when an attacker publicly releases personal information (e.g. picture, full name, address, etc.) retrieved from your social networking profiles.
- Be selective with what information you share about yourself, your family, and your friends, whether it is online, in print, or in person.
This strategy refers to the act of cybercriminals extracting personal information from their targets through seemingly casual conversation.
- Remain aware of these tactics and of the ways ‘social engineers’ try to obtain personal information.
Situations when a cybercriminal will redirect a user from a legitimate website to a fraudulent one with the intent of extracting confidential data.
- Watch for website URLs that use variations in spelling or include domains that appear unusual (e.g. a supposed government website that ends with ‘.com’ instead of ‘.gov’).
- Type out a website’s address instead of clicking a link.
This occurs when a user receives an e-mail that appears legitimate, but contains a link or file with malware. Also within this category are ‘spear phishing’ attacks, which target a specific individual or organization as their intended victim.
- Do not open e-mails, attachments, or click on links sent to you from people you do not know. Should you receive a suspicious message from someone you know, ask them about it before opening it.
Situations when users are sent fake deals designed to trick them into providing money, information, or services.
- Criminals often use popular events or news stories as incentive for users to open infected e-mails, visit dangerous websites, or donate money to bogus charities. Be sure to remain hyper-vigilant as to who is sending you e-mails and links and how they may have accessed your information.
Often cybercriminals will hide or fake their identity by using a sham e-mail address that simulates an authentic one. Likewise, IP spoofing hides or masks a computer’s IP address.
- Remain familiar with your co-workers and clients; beware of those who impersonate an associate or service provider to gain company or personal information.
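The URL advice above (variations in spelling, a ‘.com’ where ‘.gov’ is expected) and the sham e-mail address check can be automated at a mail gateway or help desk. The following is an added example, not part of the original article; the trusted list and all sample domains are hypothetical, and taking the last two labels as the registered domain is a simplification (production code should use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the domains this business really deals with.
TRUSTED = ("examplejewellers.ca", "example-agency.gov")

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    # Simplification: last two labels only (assumption, see lead-in).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(value):
    """Classify a URL or e-mail address as trusted, wrong-tld, lookalike or unknown."""
    if "@" in value and "://" not in value:
        host = value.rsplit("@", 1)[1]          # e-mail: text after the last '@'
    else:
        url = value if "://" in value else "//" + value
        host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    name, _, tld = domain.rpartition(".")
    for good in TRUSTED:
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return ("wrong-tld", good)           # e.g. '.com' instead of '.gov'
        if edit_distance(domain, good) <= 2:
            return ("lookalike", good)           # spelling variation of a trusted name
    return ("unknown", domain)

if __name__ == "__main__":
    # Constructed samples, not taken from real traffic.
    for sample in ("https://www.examplejewellers.ca/orders",
                   "http://example-agency.com/renew",
                   "accounts@examplejewelers.ca",
                   "https://examplejewellers.ca.login-check.example.net/"):
        print(sample, "->", classify(sample))
```

The last sample shows why the check compares the registered domain rather than searching for the trusted name anywhere in the host: a trusted name used as a subdomain of another site is not trusted.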
There are several resources available online (e.g. OnGuardOnline.gov) that offer further details on how to best protect your workplace from social networking threats.
For added security, you can also protect your business with a cyber liability insurance policy. This covers the loss of money incurred due to financial fraud, as well as liability claims where there is a duty to defend lawsuits or regulatory penalties are incurred. These policies are an important piece in the risk management puzzle for small businesses like jewellers, especially as more and more criminals turn to social engineering tactics to steal and disrupt.
David J. Sexton, CPCU, is vice-president of loss prevention consulting at Jewelers Mutual Insurance Group in the United States. A graduate of the University of Wisconsin, Sexton serves on the Underwriters Laboratories (UL) Security Systems Council, where he is a corporate member of the insurance category. He also sits on the board of directors for Jewellers Vigilance Canada (JVC) and worked on the Central Station Alarm Association’s (CSAA’s) Insurance Liaison Committee, which assisted in the development of the UL burglar alarm modular certificate program and revised UL standard. Comments and questions can be sent to firstname.lastname@example.org.
For resources regarding safety and security when carrying or working with jewellery, visit JewelersMutual.com. Jewelers Mutual Insurance Group is the only company specializing exclusively in jewellery insurance in Canada and the United States. It is licensed in Canada and all 50 states.