Imagine one day, you're rushing between meetings when you receive a text from your energy company telling you your bill is overdue.
You decide to quickly pay the bill so you don’t forget, but the login page doesn't seem to work. You make a mental note to go back to it later. A few days later, everyone in your business is suddenly unable to access your crucial files and a cybercriminal is demanding a ransom in order to unlock them.
You've been the victim of a very common scam known as smishing – like phishing, but over SMS. These scams are becoming increasingly common and involve texts that look so professional it's almost impossible to distinguish them from the real thing. They trick you into entering personal details, which the scammers then steal.
These scams often prey on people's instinct to solve problems quickly and react to things like requests for payment. A well-known recent example is the Australia Post scam, where people receive a legitimate-looking text about the shipment of their parcel, with a link that takes them to a website designed to gather their personal information.
And for smaller businesses, the risk is far bigger than they might think.
“What you have to remember is these people literally send out millions of texts or emails as bait and wait for people to react,” says Phil Parisis, general manager of products at My Business.
“Smaller businesses tend to think they're not worthy of being targeted by cybercrime, but they don't realise that these scams are simply not targeted.”
Why you need to think beyond anti-virus to training
The IBM Cyber Security Index found more than 95% of all cyber incidents had human error as a contributing factor.
With human error involved in so many incidents, Mr Parisis says the 'human firewall' needs to be at the forefront of every conversation about cyber security. In other words, businesses should invest in staff training that raises awareness of scams so that employees do not fall victim to them.
He adds that many businesses think that because they have anti-virus software they will be safe, but that is not the case: these types of cyber attacks do not rely on infecting your computer with a virus or other malware, but on tricking someone into handing over their details.
“They are relying on you accidentally giving them the keys to the front door, not a virus,” he explains.
Once they have these keys, there is a lot they can do. For example, someone can take over your email account and use it to send fake emails, sometimes asking for invoice payments to be made to a different account. One business that fell victim to this scam ended up paying out more than $2 million over several months to the wrong bank account (one owned by the cybercriminals, of course).
Another business had the intellectual property (IP) for its new product stolen and sold to a competitor after the CEO's login details were stolen.
What will training teach your staff?
The primary objective of any training program, Mr Parisis says, is to raise awareness about what can happen. Some areas to cover in a training program include:
1. How to be aware of scams. This involves teaching people to stop, look and think rather than reacting to the sense of urgency such scams induce.
2. Password best practices, including multi-factor authentication and using password phrases that are harder to crack.
3. Public Wi-Fi security. Almost every time you log onto public Wi-Fi, especially at busy places like the airport or McDonald's, you will probably notice there is more than one Wi-Fi option – and some could be fakes. For example, you might see something like VIP_SydneyAirport, connect to it because it looks legitimate, and have your information stolen. So, train staff to always check what the legitimate Wi-Fi name and login is (if they must use public Wi-Fi in the first place).
Above all, Mr Parisis recommends training that is engaging, interactive and based on real situations. That way, it sticks in people's minds and helps them gain a deeper understanding of the risks and how to avoid them.