Article “Three shameless cyber scams that require attention” by attorney Gregori Palm


21.09.2020

It is well known that people may fall victim to fraud on the Internet. In the worst case, the first sign of a weak password or other negligence is an emptied bank account or a hijacked social media account. Falling victim to this type of fraud is not pleasant, but at least the victim finds out quickly and can take action to prevent it from happening again.

Below are three common but still little-known cyber scams that are somewhat more vicious than simply cracking a password.

In recent years, so-called BEC (business e-mail compromise) has become common. The criminal usually impersonates a business partner of a large company and, in the partner's name, orders goods from the victim or has the victim pay for a service provided by the partner into a bank account under the criminal's control.

What makes this fraud remarkable is that it is often preceded by long-term monitoring of the victim. In many cases, the criminal has had access to the victim's e-mail or server for some time before the fraud is committed. The criminal knows exactly when, from whom and in what amounts the victim receives invoices, or to whom the victim agrees to ship goods without advance payment. Creating fictitious orders or invoices that fit this pattern is then easy.

At least in theory, such fraud is easy to avoid if all employees of the company critically evaluate every incoming e-mail, order and invoice. The cornerstone of the BEC scam is that people fail to analyse transactions that are routine for them. Outside Estonia, cases have reached court in which a criminal posing as the company's lawyer calls at the end of the working week to demand an immediate bank transfer. Paradoxically, such unexpected and urgent requests deserve particularly careful scrutiny.

The so-called salami slicing attack has also begun to gain popularity. The name comes from the logic that if you cut a very thin slice of salami, no one notices that there is less salami left. At some point, however, the salami runs out without anyone having noticed its decline.

In the simplest version of this attack, a criminal who has gained access to the victim's bank account makes transfers in small amounts, usually measured in cents, from the victim's account to their own. The victim may not notice such sums at all, and even if they are noticed, often no one raises the alarm. Thus the criminal can retain access to the victim's bank account for a long period. The salami slicing attack only pays off if the criminal has access to a large number of compromised bank accounts.

In practice, however, attacks on large companies are more popular. Often the criminal tampers with the code of the company's billing software so that every time a transaction is rounded, a small surplus is diverted to the criminal. Companies that settle in more than one currency are the most vulnerable. It is possible, for instance, that the billing software converts EUR 66.648 to EUR 66.64: a difference of EUR 0.008 that seems negligible at first glance but is still noticeable in the long run. In the United States, for example, an employee was convicted of stealing about $200,000 from a company with this method over eight years.

Considerable preventive work can be done by organising the company's cyber security so that changes to the company's software cannot take place unnoticed. It is also important to review the company's cash flows periodically and to inform the bank if even a few cents have left the account under suspicious circumstances. In the worst case, such a transaction may mean that there is a parasite in the company's systems.
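One way to make the rounding surplus described above visible during a periodic review, as an added example that is not from the article: the invoice amounts are constructed (including the EUR 66.648 case), and the check recomputes the expected rounding of each booked amount and tracks whether the leftover fractions only ever flow in one direction.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed sample of exact (pre-rounding) invoice amounts in EUR, including
# the EUR 66.648 case from the article. These are not real company data.
EXACT_AMOUNTS = [
    ("INV-1", "66.648"),
    ("INV-2", "12.345"),
    ("INV-3", "99.991"),
    ("INV-4", "5.009"),
    ("INV-5", "20.000"),
]


def book(exact_amounts, rounding):
    """Produce a ledger of (invoice_id, exact, booked) by rounding each amount
    to whole cents with the given decimal rounding mode."""
    return [
        (iid, Decimal(s), Decimal(s).quantize(CENT, rounding=rounding))
        for iid, s in exact_amounts
    ]


# A correct billing system rounds half-up; the tampered one silently truncates,
# so every fraction of a cent it drops is left over for whoever collects it.
HONEST_LEDGER = book(EXACT_AMOUNTS, ROUND_HALF_UP)
TAMPERED_LEDGER = book(EXACT_AMOUNTS, ROUND_DOWN)


def audit_rounding(ledger):
    """Recompute the expected rounding for each booked amount and measure the
    total residue (exact - booked). Residue that is always >= 0 and never
    cancels out is the signature of a skimming rounding routine."""
    residues = [exact - booked for _, exact, booked in ledger]
    mismatches = [
        iid for iid, exact, booked in ledger
        if exact.quantize(CENT, rounding=ROUND_HALF_UP) != booked
    ]
    total_drift = sum(residues, Decimal("0"))
    one_sided = all(r >= 0 for r in residues) and any(r > 0 for r in residues)
    return {
        "mismatches": mismatches,
        "total_drift": total_drift,
        "one_sided": one_sided,
        "suspicious": bool(mismatches) or one_sided,
    }


if __name__ == "__main__":
    for name, ledger in (("honest", HONEST_LEDGER), ("tampered", TAMPERED_LEDGER)):
        print(name, audit_rounding(ledger))
```

Over a real ledger the residues of an honest system scatter around zero, while a truncating one accumulates a strictly positive drift; both signals are cheap to compute in the periodic cash-flow review recommended above.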

Another questionable fraud worth highlighting is data diddling. In essence, this is the simplest form of data corruption: the data is altered before or after it is entered into a computer system. This type of fraud goes back decades. Back then, a popular scam was for a company's employees to inflate the number of working hours recorded in the system so that the system generated a higher salary. Nowadays it is more common for an unauthorised person to gain access to a company's server and begin distorting the data. For example, a Russian hacker broke into the server of a local electricity company and altered the system so that he no longer received electricity bills.

All of the described frauds become possible when a person or business has been sloppy with their cyber hygiene. Cyber hygiene deserves a separate article, but I can briefly offer a few recommendations that do not guarantee complete protection but greatly increase the security of a computer system.

Firstly, review your passwords (hopefully none of them are qwerty, 123456, etc.). A good password is long and contains uppercase and lowercase letters as well as numbers. For a start, using good passwords at least in key places such as e-mail, social media and bank accounts (ideally with two-step authentication) already helps.

For companies, the situation is somewhat more complicated. It is advisable to consult an IT security specialist, whose proposal is almost always to spend the company's resources on countering a theoretical future threat. Such a proposal is easy to ignore, as the resource (whether money or working time) must be spent immediately, while the threat may never materialise. However, I have never met an entrepreneur who, after becoming a victim of cybercrime, was still satisfied with the choice not to invest in cyber security.

In conclusion, it is true that the weakest link in any security system is the person using it. Even the most expensive safe in the world cannot protect anything if its user constantly forgets to close its door.

Gregori Palm
Attorney at Law Firm LINDEBERG