Each year about four out of ten UK businesses have their computers, networks and smartphones attacked by cybercriminals.1 The first step towards making sure this doesn’t happen to you is to understand what cybercrime is and how it can hurt your business.
This guide explains how cybercrime works and the practical things you can do to keep your business safe.
This can mean complicated technical attacks on computers, networks and mobile devices – such as hacking, phishing, ransomware and DDoS (distributed denial of service) – or using computers and the internet to commit traditional crimes like harassment, bullying and fraud.
Cybercriminals can be novices, amateurs, opportunists, sophisticated professionals or even members of organised crime gangs. They might be attacking you from the other side of the world or they might be sitting at the desk next to yours.
Money is often the motive, but not always. Governments and political groups use cyberattacks to further their objectives. Individuals may want kudos, revenge or just some fun. Whatever the motive, the damage they do is real and significant, and it can be long lasting.
When a staff member clicked on a link in a dodgy email, chaos was unleashed for one fashion retailer. The ransomware attack by a sophisticated criminal gang locked the company out of its computer systems and put at risk the personal and financial details of customers and employees. After fraught negotiations, and with extensive systems damage already done, the company paid a ransom of £1.4m.
Many cybercrimes start with a phishing email designed to exploit your natural curiosity, fear, desire to help, or sense of urgency. Typically it will encourage you either to reveal confidential/sensitive information or to trigger malicious software (malware) by clicking on an innocent-looking attachment or link. The malware then wreaks havoc:
It is vital to remain alert to unusual emails (and phone calls and text messages) which make odd requests for sensitive information or for you to click on a link.
Be especially concerned if the message:
Criminals create a network of compromised computers (which could include yours) and then use it to flood an online service with bogus traffic, causing the server to crash and preparing the way for a blackmail demand.
Unauthorised use of, or access to, computers or networks, normally to steal information that they can sell or hold to ransom. Hackers exploit security weaknesses or bypass protections.
Hacking of social media and email accounts (business and personal) is common.
Emails, text messages or phone calls are used to trick victims into visiting a fraudulent website, downloading a virus or malware, or revealing bank details/personal information. Most hacks on business social media accounts start with phishing.
A special type of phishing targets business email systems. Criminals pretend to be a senior person (such as the finance director or chief executive) or a supplier, and trick staff into sending money or revealing confidential business information. They also trick customers and suppliers by posing as staff members or someone else connected with the business. Email and social media impersonations increasingly use deepfake technology, changing the cybercriminal’s voice and appearance to make them more convincing.
This kind of malware is designed to make the victim’s data or computer system unusable until a ransom is paid. If the data includes sensitive personal or business information the cybercriminal may threaten to make it public if the ransom isn’t paid.
Other types of cybercrime include identity fraud, cyber espionage, illegal gambling and the selling of illegal items.
A disgruntled employee was sentenced to eight years in prison for a large data theft at a national supermarket chain. Working as a senior IT auditor, he stole payroll data for almost 100,000 staff (simply by downloading it to a memory stick) and then published it online.
A few simple steps will make your business safer.
Use ‘walk throughs’ and dry runs to practise what will need to be done and who will need to do it in the event of a cyber attack. The National Cyber Security Centre’s ‘Exercise in a box’ (free online) can help you test and practise in safety.
If you are an SME it’s unlikely you’ll have all the skills you need in-house. Consider finding expert help: IT specialists to help with the technical aspects; legal advisers for your obligations to customers, clients and employees; and specialist investigators to build a picture of how and why the incident unfolded. It takes time to find experts you can rely on. Start looking now.
Action Fraud – the UK’s national reporting centre for fraud and cybercrime – can also provide advice and support if you are suffering a live cyber attack.
A lot of cybercrime can be prevented simply by keeping antivirus software up to date and applying security patches as soon as they become available. Don’t click the ignore button!
Get everyone involved. Make sure staff, contractors, suppliers and other stakeholders are made aware of the threats to your business and their own responsibility for improving cyber security. Train new staff well and provide regular refreshers for everyone else, starting with the common methods used by cybercriminals.
This is a safe and controlled way to find security vulnerabilities by simulating the technical and social engineering (phishing) methods used by criminals.
Follow the National Cyber Security Centre’s (NCSC) good practice advice (including its small business guide and cyber action plan) and you will significantly improve the cyber resilience of your business.
World-famous US recording artists were among the victims of a lone hacker operating from the back streets of Ipswich. Having illegally accessed musicians’ online accounts, he stole unreleased songs and made more than £130,000 selling them online. The hacker pleaded guilty and was sentenced to 18 months in prison.
This practical guide highlights some of the potential cybercrime risks to your business. But business fraud comes in many other guises. It makes good business sense to find out more.Go to lovebusiness-hatefraud.org.uk or follow the campaign on Twitter and LinkedIn.
Thanks to Edward Nkune and Paras Shah from Moore Kingston Smith for kindly writing this guide.
Published December 2022. © Fraud Advisory Panel and Barclays 2022.
Fraud Advisory Panel and Barclays will not be liable for any reliance you place on the information in this material. You should seek independent advice.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Licence.