
Don't Click that Link! Cyber-extortion in 2018

In addition to the direct threat posed by cyber-criminals and state-actors engaged in illicit online activities, firms should also be aware of how cyber-extortion can have reputational and regulatory implications as well.

Online innovation is something of a double-edged sword. While the internet affords businesses countless opportunities to make a tidy profit, it affords those same opportunities to enterprising cyber-criminals. Criminals are often described as some of the most innovative people in the world, as exemplified by their enthusiastic adoption of new technologies and the profound increase in the scope and variety of cyber-crimes. One such crime is cyber-extortion, broadly defined as “the actual or threat of an attack on computer systems, coupled with a demand for money, often payable in cryptocurrencies, to avert, stop, or mitigate the impact of the attack”. Cyber-extortion increased dramatically in 2017, although the exact scale is difficult to measure: the rise is a global phenomenon, making comprehensive data collection difficult, and victims are also reluctant to report incidents, further hindering data collection efforts. Cyber-extortionists, who can include both criminals and hackers employed by governments, have not demonstrated any target preference, having attacked businesses from multiple sectors, as well as governments and private individuals, throughout the year. 2018 will see a continued increase in such attacks, as many of the malicious tools required for cyber-extortion, such as malware, can be easily purchased on the dark web, a part of the internet not indexed by web search engines.

While cyber-extortion can come in many forms, one of the dominant trends in 2017 was a noticeable increase in the number of ransomware attacks. Ransomware is a type of malware designed to encrypt a computer system’s data, leaving users unable to access it; the attack is accompanied by a ransom demand in exchange for the decryption key. Most attacks involve fraudulent emails in which victims are tricked into clicking on suspicious links or downloading attachments with embedded malicious software, a technique known as “phishing”. Phishing emails are often disguised as messages from legitimate sources, such as LinkedIn, banks, the tax authorities, prominent businesspersons, or even friends and family members. They are often recognisable only by suspicious domain names (if you are unsure about a link in an email, hover your mouse over it: if the link text does not match the link address, do not click it), poor spelling and grammar, and a false sense of urgency, with statements like “Urgent action required!”, “Your account will be closed!” or “Your account has been compromised!” used to panic victims into clicking the link.
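The hover check and the urgency phrases described above, as an added Python example that is not part of the original article: it extracts the links from an HTML email body, flags any whose visible text looks like a domain but differs from the host the link really points to, and flags the pressure phrases the article cites. The sample message, the phrase list and the domains in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases the article cites; the list is an assumption, extend as needed.
URGENCY_PHRASES = ("urgent action required", "your account will be closed",
                   "your account has been compromised")

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> tag in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def host_of(url):
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def analyse_email_html(html):
    """Return warnings for disguised links (text host != href host) and urgency phrases."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        shown = text.strip()
        # The article's hover check: link text that looks like a domain but whose
        # host differs from the href's host is a disguised link.
        if re.search(r"[\w-]+\.[a-z]{2,}", shown, re.I) and host_of(shown) != host_of(href):
            warnings.append(f"link text '{shown}' actually points to '{host_of(href)}'")
    warnings += [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in html.lower()]
    return warnings

# Constructed sample email body, not a real message.
SAMPLE = ('<p>Urgent action required! Your account will be closed.</p>'
          '<a href="http://login.examplebank-secure.test/reset">www.examplebank.com</a>')
```

Running `analyse_email_html(SAMPLE)` reports the mismatched link and the two pressure phrases; a link whose text and target share a host, such as "example.com" pointing at https://example.com/login, produces no warning.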


Reputational and regulatory issues compound the threat of cyber-extortion. Many companies store extensive amounts of data on customers and employees. News of successful hacks therefore raises significant concerns, as customers are unlikely to trust a firm with a poor cyber-security record and a history of data breaches. This may pressure firms to quickly capitulate to a cyber-extortionist’s demands; however, this can backfire, because capitulation incentivises further incidents as companies gain a reputation for paying up. Attempts to hide previous breaches can also have a negative impact. Notably, in November 2017, media reports revealed that ride-sharing company Uber had paid cyber-extortionists USD 100,000 to keep quiet about a hack the previous year, in which the details of 57 million customers and employees were stolen. With cases like this in mind, the EU will introduce the General Data Protection Regulation (GDPR) in May 2018. The GDPR will extend the scope of EU data protection laws to all foreign companies processing the data of EU residents. Firms which fail to adequately protect the data of EU residents, or which fail to report breaches to regulators, could face fines of up to four percent of their annual turnover.

Given the upcoming introduction of the GDPR, firms will have to actively improve their cyber-security capabilities. To avoid being compromised, potential victims should install up-to-date antivirus software and firewalls, keep abreast of software updates, avoid clicking on links or opening email attachments from unknown people or companies, keep a pop-up blocker running in web browsers, regularly back up important files, and make use of SmartScreen when browsing, which helps identify suspicious websites and downloads. Furthermore, victims are advised not to pay ransom demands, as they incentivise further attacks by cyber-criminals in the short term and have longer-term reputational and regulatory implications.
