Size doesn’t matter to hackers

Hackers aren’t just targeting large companies and major retailers, according to “white-hat hacker” David Kennedy. Anyone with valuable information, including even the smallest accounting firm, is worth their time.

“We just had an accounting firm lose $15 million through a wire fraud scheme — someone sent an email claiming to be a CEO, saying, ‘I’m working on a very important merger, and I need you to send me some funds,’” he told an audience of accountants gathered for his opening keynote for the Accountex 2018 technology expo, held in Boston this week.

“Accountants won’t be targeted by nation states,” acknowledged Kennedy, a security expert who is the founder of Trusted Sec and Binary Defense, but bad hackers will use the same tactics as Russian and Chinese intelligence agencies to target both businesses and individuals.

For instance, spearphishing attacks that are tailored to the individual — appearing to come from a trusted vendor or a person the target would know — are powering the kinds of schemes that lead to the $15 million loss he mentioned.

Wire frauds like that, where individuals or companies are convinced to wire money by criminals pretending to be a friend, boss or client, have increased over 300 percent this year alone, Kennedy warned. If you find yourself the subject of such an attack, he suggested contacting the FBI immediately, “within seconds,” he said, as the authorities may be able to recover wired money if they learn of it within 48 hours.

Ransomware attacks are also becoming more common, as hackers move away from trying to attack large businesses with strong security and focus on softer targets.

“Hacking into a large corporation is hard, but hacking an individual is easy. They don’t have the training or expertise to protect themselves,” said Kennedy. “And size doesn’t matter to hackers who may target you. What matters is, can they make money off of you? Can I get $100 or $500 from holding your data to ransom?”

Some hackers are also willing to play a longer game, using phishing, spearphishing and malware to gain access to an individual’s personal or business accounts, and then lurking there to gather more information.

“Hackers may breach one of your suppliers and start sending invoices, or emails demanding payment for invoices,” said Kennedy. “Or they’ll hack you, get to know your billing process, and then start sending you appropriate-looking invoices on the right letterhead.”

David Kennedy speaking at Accountex 2018

Overall, the world of digital fraud is becoming more like, well, a business. “Hackers can be very professional,” Kennedy explained. “‘Sorry we’re hacking you, we know it’s illegal — is there anything we can do to facilitate the payment of the ransom? Let me connect you with our support team.’”

With the threat growing, he offered these five top ways that people can protect themselves and their businesses:

1. Use two-factor authentication – everywhere. This form of security is available on most applications, from Facebook and Twitter to your bank accounts, smartphones, accounting software and more.

2. Don’t use the same password everywhere. “This is one of the easiest ways hackers break in,” Kennedy noted. He recommended using passphrases or password vaults.

3. Stay up to date with Windows patches. Those updates are usually fixing a known hack, Kennedy pointed out, so it’s important to implement them immediately.

4. Be very careful about sharing information on social media. Mentioning that you go to the same Starbucks at the same time every day, for instance, or that you’re going on vacation or have just made a large purchase, can be a mistake.

5. Don’t give out personal information. “Whenever you get a call that’s too good to be true — from a fraud department at your credit card company, say — call them back,” Kennedy advised. “Go to the website and get the number there to call back.”

For reprint and licensing requests for this article, click here.