As online crime continues to evolve, phishing, credential harvesting and unauthorised access remain the most significant threats to New Zealand businesses. To understand these risks better and learn how to defend against them, ASB information security consultant Joseph McClane shares key insights and advice.
Phishing is one of the most common forms of online attacks impacting businesses and individuals. It involves fraudulent communications, such as emails, text messages or social media posts, that appear to be from legitimate sources but are not. "Phishing is something we have all been exposed to whether it be delivered by email or text message. Falling victim to a phishing attack can be incredibly stressful and fixing it can be time consuming, which no business owner wants," says McClane.
The danger of phishing lies in the instructions these messages carry. "The message often includes a request such as 'An unusual login attempt has been made. If this wasn't you, click here.' If you follow through, you might end up sharing sensitive information, or even downloading malicious software onto your device," he says. This can allow cybercriminals to access critical data or even take control of systems, leading to further crimes.
The type of information sought in phishing attacks can vary. It might be personal details like your name, address, or driver's licence, which can be used for identity theft. In more severe cases, attackers may be after financial information, such as credit card or bank account numbers, or login credentials to access other systems. McClane says: "User credentials such as a username and password could be all a criminal needs to break into a system or hijack a social media account for example".
Credential harvesting is closely related to this. It's where attackers collect login details or other key information for future misuse. This can lead to unauthorised access, which is the next stage of cybercrime. "Unauthorised access happens when someone uses user credentials they have obtained without permission to access a service. When they access this service they generally look to take control, often to commit further crimes or cause disruption," McClane says. Credentials may be obtained through phishing, data dumps on the dark web, or even educated guesses using other information gathered about the victim.
Once attackers gain access to a business email account, they often wait for the right moment to strike. "They may observe an email conversation about an invoice payment, then intercept the message and alter the bank details to redirect the funds to their own account," McClane says.
Recognising the red flags can help prevent significant damage. McClane advises businesses to always be on the lookout for unusual or suspicious behaviour, especially when it involves financial transactions. "If there's a sudden rush of orders from a customer or urgency to complete transactions, you should investigate further." Scammers often create a sense of urgency to pressure businesses into acting without thinking. "We know clients want to offer good customer service, but this pressure is a red flag," McClane warns.
Another typical scam pattern involves a customer who makes a series of small, reliable orders, gaining the business's trust, then placing a large order they have no intention of paying for.
McClane believes that education is the best defence against business fraud. "Make sure your team, including employees and business partners, are aware of the different types of fraud. Also, ensure they are familiar with the systems and protocols the business has established that are to be followed should suspicious activity be spotted."
Information awareness is critical: "Businesses need to understand which pieces of information they hold are valuable to the business and potentially to fraudsters." This includes credit card information as well as personal details that can be used to verify an identity.
Take extra care with financial transactions. McClane says: "Double-check bank account numbers when making payments to suppliers or service providers. Cross-reference the numbers on an invoice with those on earlier invoices from the same company."
It's also essential to control access to IT systems. McClane recommends setting up employees with individual profiles that only allow them to access information they need for their role. "If you change any default settings, always increase security. Use strong passwords or pass phrases and implement multifactor authentication to add another layer of protection."
In addition, avoid storing credit card details in external apps or websites. "Make sure you never share credit card information," McClane says.
McClane advises to conduct regular checks on both banking transactions and system logs. "It's not enough to check your bank statements. You should also review your system audit logs to ensure there isn't any unauthorised activity, such as unusual log ins or changes made during off hours."
McClane's final piece of advice is to have a plan. "Sometimes the unexpected happens. Having a pre-prepared plan, that is well understood by everyone in the business, on how to respond to these unexpected events is important. It can remove a lot of uncertainty and help you and your employees feel more empowered."
Start by contacting your financial organisation, they will take you through the process and may be able to help. If you think your technology has been compromised, contact your service provider or technology partner, again they will have set procedures to help minimise damage.
Cybercrime is everywhere and the threat is growing. For more information that can help you keep your business safe from scams, head to ASB Scam Hub.