Technology

Inside the mind of a hacker

Recent government figures revealed that nearly half of all UK businesses suffered a cyber breach or attack in the last year.

20 Nov 2019 . 6 min read

What steps can SMEs take to protect themselves?

Many people will recognise the following scenario: you’re sent an email purporting to be from a Nigerian prince. He’s having a spot of bother with his bank and would like you to place around £10,000 of his money into your bank account, in return you will receive 10 times that amount for your help.

Of course, the prince is really a cyber hacker hoping to trick you into sending him or her your bank account details, so they can steal your cash. This type of process, known as social engineering phishing, is a big risk for SMEs.

According to Edward Whittingham, former police officer and now managing director of online security firm Business Fraud Prevention Partnership (BFPP), around 95% of attacks begin with phishing.

How can hackers get in?

“Hackers use emails or phone calls to prise your personal and company’s financial details or IT passwords to directly commit fraud,” says Whittingham. “This type of attacks are now more sophisticated than the prince emails, with hackers looking at business and industry trends to catch you out. For example, we’ve seen hackers sending fake emails purporting to be from a company getting in touch with their customers about updating privacy policies around General Data Protection Regulation. You click on the link provided, enter your personal details and a hacker is in to your system.”

There’re also spear-phishing attacks, which are personalised and targeted to a specific individual. They’re often based on social media activity, finding out personal details on families, interests and real-time activities from Facebook or Instagram. “Hackers research your online activity, such as looking on LinkedIn to find details about you and who you work with. Maybe the MD will tweet that they’re at a conference that day, which could spur a hacker to send a fraudulent email to the accounts team and take advantage of their absence,” he says.

“The best defence starts with making cyber security an everyday discipline for everyone in the company”

Mårten Mickos, chief executive, HackerOne

SME owners and employees using their company emails to answer personal messages, bringing their own devices into work or logging on to social media on the work’s computer significantly add to the risk from phishing.

A hacker can use a phishing email or a telephone call claiming to be a customer, client or your bank to access confidential information, such as account details or to trick you into a money transfer. They also use phishing to get into your network to spread malware or ransomware viruses.

“Malicious hackers are criminals,” says Mårten Mickos, chief executive of white-hat hacking group HackerOne. “They seek the path of least resistance with the maximum reward. That can be anything from money through credit cards or banking information, to identities that can be used to gain additional access to a myriad of personal data. Criminals do this through a variety of methods including phishing scams, finding vulnerabilities in web applications, and social engineering.”

How can businesses defend themselves?

“The best defence starts with making cyber security an everyday discipline for everyone in the company,” says Mickos. “When employees get training and help in identifying social engineering and phishing attempts, they learn to reject them.

“Computer systems need to be upgraded to the latest products and versions, with strong protection and multifactor authentication. It may be a little more burdensome for the users, but the benefits are worth it.”

SMEs can also invest in security products that can locate spam emails before they reach an employee and highlight web pages as potentially suspicious to discourage employees from clicking on malicious links.

When it comes to phishing, Whittingham says common sense is key; employees are encouraged to check each email sender’s details, such as name and misspellings, and view any urgent calls for action as suspicious. “With something like Facebook, have it securely locked down and ensure it’s private,” he says.

Security Testing

Whittingham’s company BFPP also provides simulated phishing campaigns for clients. “We may send a fake Amazon order or pretend to be the IT manager. We track whether an employee clicks on a link to a fake landing page and puts in their password,” he says. “We want to give people a better understanding of the threats and get used to dealing with them in a positive way. Since GDPR we’re seeing increased interest from SMEs.”

Ethical hacking group First Base Technologies is also seeing more demand for its services. Rob Shapland, principal cyber-security consultant, says: “We can take one part of a system in isolation or simulate a full-spectrum attack.”

Before an ‘ethical hack’, First Base undertakes research on a company to see possible ways it could be attacked, such as weaknesses in passwords, external internet infrastructure, and vulnerabilities in the physical security of buildings.

“We think about who would be interested in the data and why. We map out the main threats and come up with likely attack scenarios,” says Shapland.

The tests are called red teaming. “We can do anything a criminal hacker would do but do it ethically, so no blackmailing or threats to staff. We test their people, procedures and physical security,” he says. “Methods can include social engineering – so phishing emails and phone calls to get security information. We can even use employee’s Facebook posts or Instagram photos to help create personalised emails, which they will click on and let us into their system. We can even tailgate, which means following people from the office car park and through security into a building and then darting off to steal a hard drive from the server.”

HackerOne has created a community of 200,000 white-hat ethical hackers who find bugs and vulnerabilities in companies before the black-hat malicious hackers do.

“We call it hacker-powered security and it is the fastest and most effective way of identifying security vulnerabilities,” says Mickos. “SMEs have for too long relied on technology and third-party vendors for their digital security. But we continue to see breach after breach because the security products are not perfect and digital criminals are sophisticated. Ethical hacking can fix a vulnerability before a criminal might exploit it.”

Five things to know about hackers

Hackers prey on human nature and our willingness to want to help and trust people.
They like to stay ahead of trends and new security measures.
Hackers see IT and bank details as gold dust. These are the keys to a company’s IT network.
Hacking can also involve physically trailing you as you use a laptop in a café or walk into your office building.
Hacking could be carried out by current or ex-colleagues exacting revenge. Be careful who you share details with.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.