Cyber crime cases have been rising in recent years, with the 870 reported in 2017 becoming 1,500 by 2020. This is set to increase again this year, with over 1,100 cases coming in during the first five months of the year, as fraudsters mimic banks, the Government, postal companies, suppliers and even CEOs in their efforts to part people from their money.
Leading the charge against this substantial increase in crime is the Malta Police Force Cyber Crime Unit’s Inspector Timothy Zammit, who also chairs the EU’s Cyber Crime Taskforce, which brings together representatives of the cyber crime units of all Member States, supported by Europol.
According to Insp. Zammit, businesses are mostly impacted by two kinds of scams, known as the ‘CEO scam’ and the ‘invoice (or business correspondence) scam’.
For the CEO scam, fraudsters might create an email account that is very similar to that of the CEO (if they haven’t managed to obtain access to the legitimate one, which is not unheard of), before sending the urgent request for payment.
“What the scammers are doing here is exploiting our lack of attention caused by the sense of urgency,” explains Insp. Zammit.
That sense of urgency caused by the communication, he advises, is the first red flag that should be raised.
“Why the urgency? Would the CEO normally send such requests?”
He likens the scam to another one, more commonly targeted at consumers, which advertises a sale that will end in hours, if not minutes.
“People are attracted by the offer, their critical thinking is temporarily shut off by the sense of urgency created by the short deadline, and they pull out their card and make a purchase before thinking properly about it.”
“The thing is,” he continues, “that most people, after giving this website their card details, would then look it up to make sure it’s safe. Obviously, this is like looking both ways after crossing the road. It’s basically useless.”
“I need to check if there is oncoming traffic before I step down from the pavement. We’re talking about the same principle here.”
This common-sense approach to preventing fraud is central to Insp. Zammit’s philosophy, which sees the challenge as a matter of mindset that requires a change in the sequence in which we do things, rather than the transmission of any particular technical know-how to businesses.
In fact, another type of scam, which involves the compromise of business email and leads to the so-called ‘invoice scams’, can at first sight seem difficult to spot, but Insp. Zammit contends that it too can easily be identified through simple attentiveness.
“The perpetrators,” explains Insp. Zammit, “would have gained access to the company’s email account and would be interacting with the company’s clients or suppliers.”
“Usually, you would have a company which is expecting an invoice, and they receive one with the same information – same contact details, same bill of quantities, same description of product. But the IBAN would have changed.”
When the person receiving the email notices the change in IBAN, Insp. Zammit recommends picking up the phone and avoiding further communication by email, as “you could be communicating with the fraudsters”.
He also advises accounting departments to avoid simply copying an IBAN number from an invoice, saying that where possible clients should have a list of IBAN numbers of their different suppliers.
He opines that the risks arising from the lack of checks by individuals and by organisations should not simply be transferred to organisations like those in the financial services industry.
“Obviously when it comes to these things, prevention is better than cure,” says Insp. Zammit, making clear his belief that “it is always up to the individual to ensure that the request is done in good faith and that the money is actually being sent to the correct person.”
He says requests to banks and financial intermediaries to reverse transactions, or to police to investigate, should be seen as additional safeguards, but he is adamant that businesses should not expect the financial services industry or law enforcement to make up for the lack of control present in their organisations.
“We’re trying to change the mindset,” he says. “Before clicking on something, question it. Don’t click and think about it later. Think before you click.”
“It’s just a question of applying the same precautions we are taking in everyday life, when we are walking down the road, when we are communicating with someone face to face, and applying those to our communications through technology,” he says.
He likens it to replying to a negative comment or review.
“When you react to something in the heat of the moment, your emotions can take over and you’re liable to do something you will regret later.”
“So when you are responding to anything online – whether that’s an invitation to click a link, posting a comment, or sending money, always stop and count to three before doing it. Think about it, then act upon it.”
Even though the unit has been involved in a number of training initiatives addressed to the business community, he believes that more prevention and awareness campaigns need to be undertaken to make sure individuals are equipped with the right tools to become a first line of defence against cyber crime.
Turning to the aftermath of situations where a company ends up a victim of online crime, Insp. Zammit says the reporting mechanisms for organisations hit by cyber security incidents can “definitely be improved” so that the victims can address the issues at hand and get on with their business, not get bogged down with their reporting obligations.
“For example, you might have an organisation that needs to lodge a report with the police because they are victims of crime, with the Information and Data Protection Commissioner if there has been a breach of personal data, and of course they might be obliged to lodge a report with their regulator – with the MFSA if it’s a bank, with the MGA if it’s a gaming company.”
This diversion of resources can lead to a lack of business continuity, which Insp. Zammit says is “one of the biggest losses, often larger than the amount defrauded in itself.”
Talks are being undertaken at European level to streamline the process, he says.
Asked why the number of reports of cyber crime has increased so much, Insp. Zammit explains that what is being reported locally reflects a global shift to digital forms of crime, with fraud that up to a few years ago required personal contact now taking place through online interaction.
Such interaction has increased drastically in the last decade, and thanks to the COVID-19 pandemic and the transition to remote work, the business world has been forced to shift much of its correspondence to online means.
This unprecedented increase, Insp. Zammit believes, is bound to bring a number of issues with it.
In fact, he says that even though the number of reports sounds alarming when taken at face value, one needs to take into consideration the unprecedented ubiquity of online communication.
“When you look at the hundreds of thousands of people who are connecting to the internet every day, all the time, the number of issues we are coming across in themselves are not alarming.”
However, he warns against complacency, saying that as a society we need to be aware that this increase in use of technology is not going to slow down.
“It will continue to increase,” he says. “That is why, even in our crime prevention, we are addressing the change in mindset, the change in sequence, the change in attitudes. Because the use of technology is here to stay, and it is up to us to use it responsibly in order to safeguard ourselves and the persons around us.”