South African businesses are increasingly being targeted by cybercriminals who assume the identities of the unwary – often making them pay dearly due to lack of diligence and governance, warns Standard Bank.
Although it is difficult to pinpoint how much cybercrime costs South African business, various authorities estimate corporate losses at more than R1-billion in the last three years. Indications are that it is a problem that is growing exponentially due to the increasing sophistication of the thieves and the techniques they use to initiate cyber-attacks, says Ethel Nyembe, head of transactional products and services business banking at Standard Bank.
“Identity theft is not a problem that is restricted to individuals, who may find that their personal details are being used to make transactions they are unaware of. It is also becoming an issue confronting companies that find their corporate information, both in the public domain and internally, being targeted and misused by cybercriminals. In these cases it is most common for a company’s identity to be compromised and used as a mechanism for perpetrating fraud.
“This becomes even more serious when the fraudsters have accomplices in key departments within a targeted company who advise them and actively assist with perpetrating fraud.”
Typically, says Nyembe, the most common techniques used by corporate identity thieves involve ‘phishing’ for information and then using it.
Examples of this are:
* People impersonating officers of the company by using information found in the public domain, namely the company’s brand and electronic letterheads.
* Criminals who operate in the e-commerce space who copy elements of a company’s identity. They then establish false websites and use these to defraud customers or suppliers.
* Those who register a company with a name that is almost identical to that of the targeted company. They then set up bank accounts in this name to funnel money into their own accounts after advising unwary suppliers about ‘a change’ in banking details.
* Fraudsters who alter a company’s correspondence, invoices or instructions after hacking the company’s records – generally, payment terms are changed and the recipient is requested to pay money into bogus accounts.
* Fraudsters who create false invoices with fraudulent banking details so that funds can be easily diverted. For example, a clerk, acting in good faith, accepts the invoice and issues a payment instruction – including the ‘new’ account details in the payment instruction.
* Thieves who pretend to be a company’s bankers and use disguised correspondence and sites to gather information on customer and supplier accounts.
* Criminals who access a company’s IT systems and infiltrate pathways, copy data and undertake transactions.
* Cybercriminals who recruit employees within a company to assist them as accomplices in undertaking fraud.
“With business’ growing reliance on technology, networks and the Internet, so the dangers of cybercrime will increase, with fraudsters and hackers adopting more sophisticated techniques for exploitation,” says Nyembe, who stresses that South Africa is just one country facing what is a universal, global threat.
She says companies can reduce the risks associated with staff colluding with criminals to perpetrate fraud by:
* Regularly reviewing internal controls and tightening them where required.
* Recognising that it is often trusted senior employees who perpetrate fraud, as they can bypass controls, and countering this through informal audits and approval procedures that require more than a single authorisation.
* Creating a security culture regarding the use of computers and policies to safeguard information.