Your money or your data? Four examples of real SME cyber attacks show what businesses must do to avoid this business-threatening risk
A ransom note suddenly flashes up on your computer screen demanding thousands of pounds or the loss of all your data. It’s a nightmare scenario and one happening right now to a frightening number of SMEs.
The cyber criminals, who are pursuing softer targets as bigger firms become harder to penetrate, have the power to put businesses, livelihoods and jobs at risk. In this digital age, even a beauty salon in a market town now has to be aware of the extortion threat posed by international gangs.
The Federation of Small Businesses says two-thirds of its members have fallen victim to cyber attacks in the past two years, costing the UK economy an estimated £5.3 billion and each business almost £3,000 in total.
Exploiting the fact that individuals are usually the weakest link in any security chain, the scammers will seize upon any misjudged click to lock computer systems and issue their demands.
But how does it feel to be on the receiving end? Here we reveal the inside story of an SME cyber attack.
Attack method: Ransomware. Malicious software, typically delivered via a phishing email, that encrypts all the data on a company’s network.
SME target: Enterprise centre.
The case: Townsend Business Centre in Belfast was held to ransom when its computers were disabled by hackers who demanded three bitcoins — equal to about £13,000 — in return for a decryption key to remove the malware.
It’s increasingly common for criminals to demand payment in bitcoins in the belief that the crypto-currency is an anonymous way to be paid. The business centre refused to pay the demand and, having reported the attack to police, suffered three days of disruption before all information was recovered and its servers restored.
However, chief executive Margaret McMahon said the business had been fortunate: “We didn’t have any specific vulnerabilities, but these criminals are incredibly intelligent. They could have been round the corner in Belfast or they could have been in Taiwan — we just don’t know.”
Thankfully, a lot of information was recovered quickly because the business centre regularly backed up its data.
Lessons learned: Back up your data regularly, and if this involves cloud storage, make sure the contents of the database are encrypted.
Attack method: Ransomware.
SME target: Hairdressing salon.
The case: Award-winning Cheltenham hair salon Stuart Holmes handed over £1,600 worth of bitcoins after scammers accessed its computer system and encrypted data.
With electronic diaries containing appointments and contact details, beauty salons are a lucrative ransom target for cyber criminals.
With a staff of nearly 50, Stuart Holmes was unable to email, text or call clients as the hackers had taken all the salon’s contact details. Owner Sara Holmes said: “We had no idea at all which clients were booked in for what services on what date.”
Anxious to recover the data, including appointments for the rest of the year, Sara paid the ransom demand despite police advice not to. The data was returned, but this SME cyber attack ended up costing the business thousands of pounds, taking into account the ransom itself and loss of business.
Lessons learned: The easiest way for hackers to gain access to databases is through employees opening email attachments. Salons need to ensure that staff are made aware of this, and that systems are secure at all times.
Attack method: Email spoofing.
SME target: Web services company.
The case: Worcester-based web services company PCA Predict had their branding plagiarised as part of a mass malicious email shot demanding payment from millions of random recipients.
Sometimes you don’t have to be a victim of hacking to come under attack, as staff at Worcester-based PCA Predict found out. Their brush with cyber criminals began one lunchtime when an email server started to struggle and its bandwidth usage surged. Phones were ringing non-stop from recipients of an email, apparently from the company, showing a payment receipt for £120.
An estimated 1.5 million emails had been sent by a botnet containing a malicious attachment designed to steal banking credentials from the recipient. The scammers had used the contents of an original email message from PCA, as well as copied headers and internal server names.
The company was deluged by 6,000 calls and 40,000 emails in a short period of time. These weren’t from PCA customers as the company’s own data hadn’t been compromised. PCA responded quickly by placing warnings on its phone system and website, and, crucially, adding “This is Spam” to the offending email when it realised that images in the fake message were still being hosted on its own infrastructure.
Lessons learned: PCA’s actions minimized the crisis, but would another company be so lucky without in-house tech skills, easy access to systems and the infrastructure to cope with a surge in bandwidth?
Attack method: Whaling attack, targeting one big fish rather than smaller fry.
SME target: Tech start-up.
The case: These attacks, also known as CEO fraud, often take place on a Friday afternoon, under the pretence of getting a wire payment done before the weekend. The hacker poses as a senior person within the team and convinces those in financial authority to make a payment.
London-based tech start-up Skimlinks has been on the receiving end of several SME cyber attacks. Alicia Navarro, Skimlinks’ chief executive and founder, said that in one such incident an email asked her financial controller for the immediate payment of a five-figure sum to cover the invoice it contained.
The message from Alicia’s chief financial officer did not come from the company’s domain, but from a very similar one — sklmlinks.com — and included a false forwarded email that had been written in Ms Navarro’s name.
She said: “We regularly get emails spoofing employees. Nothing has come close to succeeding, but I’ve heard of other startups that were fooled and did wire money as per the email’s request.”
Lessons learned: Review internal procedures on how transactions are requested and approved. Always check email addresses, and if in doubt request clarification from an alternatively sourced address.
SMEs often think they are too insignificant to bother hackers, or that security measures will be too costly to implement. But as we’ve seen, many firms find out to their cost that they are a potential goldmine.
Educating employees about this SME cyber attack threat — only 22% do so at the moment — and carrying out regular reviews to spot vulnerabilities in IT systems and software are essential precautions.
Otherwise, firms may find they are in business one minute and out of it the next.
- SMEs are now a soft target as big firms tighten their defences.
- About half of SME cyber attacks involve phishing.
- Salon booking systems are a common ransomware target.
- Scammers know individuals are a security weak link.
- Educating staff is key to stopping cyber attacks.