In the last three months the RCMP has warned Canadians about telephone scams in which callers claiming to be from Revenue Canada or the immigration department demand money from residents.
There are also ongoing ransomware campaigns (which cost victims $3.1 million last year) and attempts to trick business executives into wiring money to fraudsters (which cost victims just over $3 million last year).
In fact in 2015 authorities across the country received over 18,000 extortion-related complaints which cost 1,113 people over $3 million.
According to the Canadian Anti-Fraud Centre the biggest dollar loss was suffered by 990 people who fell victim to what are called romance scams –usually Internet dating — and lost over $16 million. That was followed by 268 victims of investment fraud ($8 million lost), extortion scams ($3.1 million), prizes ($7.1 million) and spear phishing ($6 million lost). Just over 5,700 residents fell for what the centre calls service scams, which include phoney online warnings and phone calls that a computer has been infected ($2.8 million lost).
Which is why this is a good time to remind CISOs that March is Fraud Prevention Month in Canada. And while it’s largely an annual consumer awareness project, enterprises of all size shouldn’t forget they also have a role in being vigilant.
As part of the campaign KPMG Canada has released a guide to threat-related trends. “These key trends are what we’re seeing in the Canadian market that organizations need to be aware of to protect themselves against cyber threats, including fraud-related threats,” Kevvie Fowler, the consulting company’s national cyber response leader, said in an interview. They include:
— Extortion-driven attacks and ransomware attempts will increase.
WHAT TO DO: First, know where valuable data is stored, Fowler said, then ensure IT has a safe data backup and recovery strategy that is tested. Second, limit access to sensitive data to privileged accounts.
Ransomware often spreads by email with malicious attachments, after which the attacker encrypts systems and then demands money to unlock the data, so keep up regular employee security awareness campaigns.
Fowler also notes there’s a new extortion strategy: a phone call or email before any attack, threatening to break into a corporate system unless money is paid in advance.
–Organizations will face increasing pressure from governments, privacy commissioners, courts and consumers to be more transparent about their cyber security readiness and breach notification.
CISOs and privacy officers are still waiting for the federal government to put forward suggested regulations for the new Digital Privacy Act, passed last year, which will detail their obligations to notify customers and partners about breaches that pose a risk of significant harm.
WHAT TO DO: KPMG says organizations have to stay on top of this ever-changing environment. Rules may vary not only from province to province, but also — for those operating internationally — by country.
— The continually increasing number of mobile and IoT devices means increasing risk. The number of mobile-related vulnerabilities continues to increase, and the lack of generally-accepted security standards for IoT devices doesn’t help.
WHAT TO DO: Organizations that write their own software have to ensure developers follow good application security procedures to protect data and define who can use it, said Fowler.
At the other end, enterprises have to restrict user access to, or warn employees about, free mobile software — from flashlights to games — that often leaks data or contains malware. Employees also have to be reminded to check the reputation of the software publisher before downloading any mobile apps.
–Organizations will make greater use of real-time threat intelligence tools.
Improving threat detection is replacing prevention as a basic strategy. Adding behavioral analytics is increasingly important. But threat intelligence — either created internally or subscribed to — is also becoming part of a CISO’s strategies to keep ahead of attacks.
WHAT TO DO: It’s important for CISOs to identify what they want to get out of public or commercial threat intelligence before subscribing to a feed, Fowler said.
“Understand what sensitive information you have, understand the security program you currently have in place, identify the areas where additional intelligence would be able to allow you to do a better job identifying, mitigating and responding to threats.”
–In addition to securing their enterprise CISOs will increasingly look at the risks posed by partners and suppliers — including cloud services.
Most readers already know that the late-2013 breach of Target stores in the U.S. began with network credentials stolen from a heating and ventilation contractor. Outside suppliers that link to enterprises are a known vulnerability that attackers will try to exploit.
WHAT TO DO: A full security audit which may include penetration testing or remote process monitoring can expose these gaps, says KPMG.
As part of Fraud Prevention Month there are a number of events. The Canadian Federation of Independent Businesses is running an online webinar today and Thursday on preventing fraud in small businesses, starting at 1 p.m. Eastern. A French version is available on Wednesday.
Also today the Competition Bureau is hosting a Twitter chat as part of the annual ‘Too Good to Be True’ Day to help Canadians understand how to avoid becoming a victim of fraud. The chat runs from noon to 1 p.m. Eastern with the hashtag #2G2BT.
The Financial Services Commission of Ontario is running a Twitter chat Wednesday from 1 to 2 p.m. Eastern to help residents recognize fraud. The hashtag is #Fraudchat. It will be repeated March 31.
The Better Business Bureau has declared March 15 password reset day to remind people to regularly change all their passwords for basic security. (And if you have trouble remembering all your passwords, use a password manager.)
The Competition Bureau is also offering a free Canadian version of The Little Black Book of Scams.