The Mishcon Academy Digital Sessions
Conversations on the legal topics affecting businesses and individuals today
Joe Hancock
In this episode, what is cyber-fraud? Do we need to be worried about these issues with the pandemic still looming? And how should businesses engage with this complex area? Hello and welcome to Mishcon Academy Digital Sessions podcast. I’m Joe Hancock, a Partner and Head of MDR Cyber, the cyber-security investigations practice at Mishcon de Reya. I’m joined by my colleague Katy Ling, a Cyber-intelligence Analyst. As is common now in 2020, we’re rising to the challenge of social distancing rules. We’re recording this podcast over the internet, each of us speaking from our homes. So, Katy, tell me a bit more about yourself.
Katy Ling
Thanks Joe. I’m a Cyber-intelligence Analyst within MDR Cyber. I primarily work on digital investigations. So, I do a lot of work with social media and trying to find persons of interest. I have a background in threat intelligence, so I have worked alongside law enforcement to trace individuals that make threats online and also physical threats and I have an interest in cyber-fraud because I think it’s so prevalent right now and I’m very interested in how much more sophisticated it’s becoming.
Joe Hancock
Fantastic, definitely the person to speak to. So, should businesses and individuals worry about cyber-fraud? Is this over-blown? Are we panicking too much about it or are people not taking it seriously? Should we worry?
Katy Ling
I think we should definitely be worrying about this but it’s more on the individual level that I think people aren’t necessarily taking it seriously. Unfortunately, we’re all at risk from cyber-fraud and we’ve all got a lot of data on the internet. Unless we’ve been living completely off the grid for the last 30 years we will have some sort of personal information online and even if you are personally very careful, it’s other organisations that you have trusted with your data such as your email, your phone or your credit card and if they’re compromised then unfortunately so are you.
Joe Hancock
Thanks Katy. What are the main risks for businesses or other organisations as well as individuals?
Katy Ling
Well, I think the main risks are probably financial. Some of these attacks can lead to great financial losses, whether that be in the hundreds of pounds or even in the millions of pounds and also there are reputational risks if your client’s data is breached, as we saw with EasyJet and some other large companies, this can have a really negative impact on your reputation.
Joe Hancock
We talked about this affecting individuals. I always use my parents as a bit of a benchmark here and wonder whether I should worry about them being taken in by a scam or something targeting them, as they are from a different generation. Is there a difference across generations? Do people who are perhaps older deal with this differently than people who are younger or do we all deal with it the same?
Katy Ling
Everyone is definitely vulnerable to being a victim of cyber-fraud but there is also a generational gap and studies have shown that digital savviness does decrease with age and I think this is just you know, a consequence of the younger generation have grown up with these devices and with the internet and it’s sort of second nature to them and yet I’ve certainly seen family members share some questionable things on Facebook and I question how they could even think it’s true but I think that I take for granted that I have grown up with the internet and I think I’m certainly more aware of further red flags to look out for.
Joe Hancock
Katy, you mentioned Facebook posts, how does cyber-fraud occur? What do people need to look out for?
Katy Ling
Cyber-fraud can pretty much occur anywhere online whether this be in phishing emails or social media or even through you know, WhatsApp messages. So, any way that cyber criminals can get your personal data or your financial information, they’ll pretty much try any avenue.
Joe Hancock
That’s really interesting and I’d like to come back to WhatsApp messages later on as that’s not something we normally hear about. But you mentioned phishing emails. Are these emails easy to spot?
Katy Ling
Well, so phishing emails are very common and I think if anyone goes to check their spam emails they’ll be sure to have a couple in there but the problem I’ve seen especially over the last year is that they have become much more sophisticated. I think we’ve all seen the classic phishing email which is so easy to spot. There’s a spelling mistake in it or the format just doesn’t look right and you can straight away tell that it’s spam and it’s not real but I’ve definitely seen, even working in the industry, I’ve had to question over the last few months whether this is really an email from HMRC or really an Amazon confirmation and I think that that is the danger with cyber-fraud and where it’s heading is that it’s becoming a lot more sophisticated and for the general person it’s much harder to spot.
Joe Hancock
I grew up with these things being called Social Engineering. Back when cyber-security was information security and was nowhere near as interesting as it is now. Is phishing a type of social engineering? Has social engineering gone?
Katy Ling
Phishing is a type of social engineering and that is essentially just the art of manipulating people and influencing them to do things such as give out their data or their credit card information. I actually wrote a thesis on why people believe disinformation and I think there are a lot of parallels here with cyber-fraud in that cyber-fraud will normally contain an element of truth and whether the phishing email, it won’t be outlandish, it will be very believable and those are the ones that are the most successful. They will also normally play on humans’ emotions and they will exploit people’s fears. You know, we’ve definitely seen that during the pandemic that there’s been a lot of Covid-19 related phishing emails and you know, that’s exploiting people during this uncertain time.
Joe Hancock
Interesting, that’s definitely something we should come back to as Covid’s still very much in everyone’s minds. You mentioned WhatsApp. I’m surprised by that, to me phishing emails are just emails. This is something everyone does that way. Are we seeing fraud via WhatsApp? Is it happening via text message? Do people call people? What kind of stuff’s happening in that area?
Katy Ling
If someone’s WhatsApp account has been compromised then essentially that malicious actor has access to all of your contacts and coming from your personal phone number you’re much more likely to trust it. So, if someone is messaging you as someone that you think is your friend, then the kind of personal data you could be giving away is great because they could be having very normal conversations with you and you would have no idea and there has definitely been a few WhatsApp scams going around that I have seen and even a few of my friends have been compromised so it can just be anywhere really and it’s all about vigilance and knowing what to look out for.
Joe Hancock
Thank you, a really useful message. So, what do these cyber-fraudsters actually want? Why are they doing this?
Katy Ling
Most cyber-fraudsters are motivated by financial gain and it can be a pretty easy way to make a quick buck by, if you send out thousands of emails and one or two people reply then, or click on the malicious link then you’ve got, however, a couple hundred quid and it can be pretty easy.
Joe Hancock
That’s very interesting. I think often we all focus on the cyber aspects of this. These are the things that are interesting. We all think it’s about spies and criminals doing things in cyber space but actually there’s a very real financial cost to this, both for individuals and for businesses, sometimes in the hundreds of pounds, sometimes in the millions. So, given what happens and why people do this, how do we go about protecting our organisations? How do we go about protecting ourselves as individuals?
Katy Ling
I think that the main thing is to be proactive and not reactive. We’ve seen a lot of people will respond once they’ve been hit by a cyber-attack but in many ways you know, you’ve lost your data or you’ve lost a lot of money by doing that. Whereas if you have these systems in place beforehand then that’s going to be much better practice.
Joe Hancock
So, as you said there Katy, being proactive not reactive. Preparing and doing these things first. What can you do to prevent this stuff? Is there anything that… can technology help us here? Is it worth building the walls around our organisations higher? Any particular tools or techniques you’d recommend for people?
Katy Ling
Yep, definitely and I think that this comes back to the basics you know, I’ve urged so many people I know to just not use the same password everywhere and on every online service. Use a secure password and it sounds simple but so many people don’t do it because if one password is breached then a criminal has access to anywhere that you’ve been online. But I think that also introducing two-factor authentication is really important and just these general security check-ups that people sort of normally ignore, they can be really helpful in protecting yourself.
Joe Hancock
You mentioned two-factor authentication there which I see often as multi-factor authentication you see kind of recommended now by a lot of security professionals. Could you just tell us a bit more about that?
Katy Ling
Sure, so this is just aside from having your password, it’s having your phone number linked as well so that you can get a text message sent to you when you’re trying to log in so that the service that you’re trying to log in to can know that it is you and it’s just another layer in security that is really important and can help protect you from unknown sign-ins.
Joe Hancock
Perfect thank you Katy. And then what happens if this all goes wrong? We’ve all seen the kind of, the Muller quote which says that cyber-attacks are not a matter of if they’re a matter of when and we often when working with clients say, this is something that people need to plan for and is going to happen to them. What do you do if things do go wrong? How do you respond?
Katy Ling
So, I think what you just said about having a plan in place is the most important thing. It’s having a procedure and knowing who to call so that you don’t wait because a lot of stuff in cyber-attacks is not waiting and having an immediate response and that is the way that you’ll have the least damage done to your organisation. So, I think just having a plan is the most important.
Joe Hancock
And that comes right back to your point about being proactive not reactive. You can tell from the incidents that we deal with that actually having a plan in advance really makes things go more smoothly, every pound you spend on preparation pays off exponentially when you’re trying to react to something especially as attacks always happen at four o’clock on a Friday or a Saturday afternoon in my experience which is definitely not the time to be scratching around working out who to call. So, the elephant in the room at the moment, locked in the room with us actually. Has the Covid pandemic changed the level of cyber-fraud? Are things different because of where we find ourselves?
Katy Ling
Yes, we’ve definitely seen a huge increase in cyber-fraud over the last few months and this has been for a number of reasons. Firstly everything has moved online you know, we are working from home, we are doing more online shopping, online banking and I think more generally, being stuck at home, we’re just spending more time on our devices. We’re socialising online, we are doing Zoom calls and I think just by being online more, the risk of cyber-fraud is greater.
Joe Hancock
Do you think this changes, as you’ve said, we’re online more but when we’re working from home or working remotely, does that have an impact for organisations and their risk?
Katy Ling
Definitely because… so, we are all now on our home Wi-Fi networks and corporate networks do have more security and I think that there’s less of a distinction between work and home now and so the other challenges of lockdown life you know, whether that be looking after your children and just the general stress of it can make us less vigilant when we’re online. I’ve seen a lot of phishing emails which are trying to prey on our worries and fears about the pandemic and try and get us to click to see about more information and people are definitely craving more information in this time of uncertainty.
Joe Hancock
I can definitely see how after you’ve been locked in with your kids for six months the temptation to stick something on the corporate iPad and pop them in front of it, maybe including stuff that you wouldn’t normally use on there, definitely kind of resonates in people’s minds so, I think you’re definitely right, people are changing things and we are having a blurring between home and work life which probably then means that the level of vigilance changes too. So, does this affect everyone equally? Is there a generational difference here as well in how the kind of Covid pandemic has affected cyber-fraud for individuals? We touched on this earlier, it would be great to revisit it again.
Katy Ling
Yeah so, this does speak to the generational differences that I spoke about earlier. Whereas the younger generations have been online you know, already, a lot of people have had to adjust to it I think in the older generations. This could be online banking or online shopping and I think they don’t necessarily know the red flags to look out for. I’ve seen a few online scams of shops that are pretending to sell hand sanitiser and face masks and things like that and you go and you put them in your shopping cart, enter in your credit card information and that’s actually leading to cyber-fraud.
Joe Hancock
Interesting. So, what’s the future of fraud then, against this background of the kind of lockdown world? Is cyber-fraud going to increase? Is it going to reduce? What do you think’s going to happen?
Katy Ling
So, what with all the things that I just mentioned with Coronavirus, I think we all now understand that we’re not going to go back to normal anytime soon and we are in this new normal. So, there’ll be a lot more remote working which again on these home Wi-Fi networks that aren’t as secure, is going to continue to be a problem and also I think that we’re going to see more sophisticated work from the cyber-criminals you know, whether that be phishing emails or some other way that they are going to try and target us and use our data against us.
Joe Hancock
Thank you Katy. Do you have any thoughts on whether this is going to be dealt with by law enforcement? Do you think law enforcement are on top of cyber-fraud at the moment?
Katy Ling
I think it’s definitely being pushed to the forefront of their mind. Definitely with the recent increase due to the Coronavirus.
Joe Hancock
Okay. It’s interesting because the police response to fraud sometimes has been difficult unless it’s a very large fraud and it affects a business, I think or you know, policing especially when they’re stretched trying to deal with the variety of protests that we’ve seen at the moment, trying to deal with lockdown and the reduced staffing numbers due to Coronavirus. It’s definitely an interesting area. Well, thank you very much Katy, it’s been an absolute pleasure chatting to you so let’s wrap it up there.
I’d like to say thanks to Katy for joining me for this Mishcon Academy Digital Sessions podcast. I’m Joe Hancock and in the next episode my colleagues Suresh Patel and Will Winch will be talking about flexible furlough and the return to work. Definitely an interesting topic as we now start to come out of lockdown and hopefully the world returns to normal. The Digital Sessions are a new series of online events, videos and podcasts, all available at mishcon.com. And if you have questions you’d like answered or suggestions of what you’d like us to cover, do let us know at coronavirus@mishcon.com. Until next time, take care.