Cybercrime is the 3rd Largest Global Economy


We recently attended Barracuda’s Discovery24 Americas conference in Austin, Texas and heard this statistic: 

Cybercrime is the third largest global economy behind the United States (#1) and China (#2). And it is a $7.9 trillion industry.

It shouldn’t surprise us. As a business-to-business company serving small business, it’s one of the biggest battles we fight. And we’ve seen a significant increase in these types of crimes just within our small segment of the industry. 

More Statistics

Digging deeper, we found these additional statistics from 2024 cybercrime statistics reports:

  • Cybercrime costs US companies over half a billion dollars annually. (FinancesOnline)
  • The leading carrier of malware is email at 92.4%. The web is second at 6.3%. (Verizon)
  • 1 in 2 American Internet users had their accounts breached in 2021. (AAG)
  • The most common cyber threat facing businesses and individuals is phishing. (AAG) (Phishing is where the criminal encourages someone to follow a link to a spoof website and enter credentials or download malware.)
  • Malware attacks increased 358% from 2019 to 2020 as criminals took advantage of security gaps during the business transition to remote work. (AAG)
  • In North America, the main attack type was ransomware (33%), ahead of business email compromise (12%) and server access attacks (9%). (AAG)

Let’s take a minute to look deeper into the story here. The landscape of business shifted with the COVID-19 pandemic. For a while, most of us were working from home. And today, four years later? A large population of employees are still working remotely.

In 2020, many companies had to scramble to enable their employees to function from home. And scrambling made everyone vulnerable. Getting laptops to people was easy. And companies like Zoom made it easy to connect. But what about security? Much of the work from network engineers to secure the workplace infrastructure became irrelevant when companies had to depend on the home networks of their employees. Or, for that matter, the habits of their employees while at home. (Personally, I’m less likely to watch cat videos at the office than I am at home.)

Data Breaches

What about data breaches? It’s becoming more common to turn on your morning news and hear about a new data breach. Often we hear about large corporations or even companies we don’t recognize. But what about small businesses? (Keep in mind, these statistics are from 2020. They’ve grown dramatically in the last four years.)

  • 28% of victims of data breaches are small enterprises. (Verizon, 2020)
  • Often, external actors (70%) and organized criminal groups (55%) are behind a data breach. (Verizon, 2020)
  • 98% of Internet-of-Things (IoT) devices are unencrypted, which exposes confidential data to attacks. (SecurityBrief, 2020) (IoT devices include “smart” devices that connect to the Internet. All those appliances you can control from your phone fall into this category.)
  • 82% of breaches against businesses involved a human element through issues like error and social engineering. (AAG)

Solutions?

So what can we do about it? The two standout statistics are that most breaches involved a human element and were initiated through email. These are things we can mitigate. Behind the scenes, we can use network security tools to filter emails and websites from known bad actors. And that helps minimize the risk, but it doesn’t eliminate it.

The best action we can take is to educate ourselves and our employees. The two main areas to focus on are teaching employees how to spot obvious phishing attempts and upgrading our processes for handling money to catch the more sophisticated efforts.

Phishing Attempts

Identifying Phishing Attempts

These are the most common things to watch for when trying to avoid phishing attempts:

  • Unexpected email. If you receive an email you didn’t expect, or one referencing an action you don’t remember taking, chances are high it’s spam. A common tactic is to scare the recipient into action by telling them to “log in here” to confirm changes they supposedly made to their account.
  • Requests for personal information or an urgent problem. Legitimate companies will never ask for your personal information via email. And these requests often come with a sense of urgency in the message. Example: Your account has been breached. Please confirm your information here to make sure this is you.
  • Verify the email address. For any email asking you for anything (click this link, change the way you pay me, etc.), always check the actual email address domain to verify it is valid. Sometimes spammers don’t even bother and just use a Gmail or other free account. But the more insidious spammers will use a domain that looks like the one you think you’re responding to.
    • Example: someone@micresoft.com rather than someone@microsoft.com 
    • Another example: irs.com instead of irs.gov
  • On behalf of. Emails that come “on behalf of” someone else can be legitimate. Typically, when you see this, it’s because the sender is using a service to distribute their newsletter or other information. But spammers are using this method as well, so carefully check the email address and domains for both the sender and the person/organization they are sending on behalf of before taking any action.
  • Misspellings and bad grammar. Bad actors often come from outside your country, so the language they use may be incorrect. If the language in the email makes little sense, check the email address.
  • Single or blank image. If the email is a screenshot of an email or a blank box with no actual text, the image could contain malware code. Do not click on it.
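A small checker for the lookalike-domain patterns described above, added here as an example rather than code from the original post. The trusted-domain list, the free-mail list and the sample addresses are constructed assumptions; the checker catches one-letter typos (micresoft.com), swapped top-level domains (irs.com for irs.gov) and a trusted name buried inside a longer domain.

```python
"""Flag sender domains that impersonate ones you trust (added example)."""
from email.utils import parseaddr

# Constructed lists for illustration: replace with the domains your business actually deals with.
TRUSTED_DOMAINS = {"microsoft.com", "irs.gov", "acme-supply.example"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'free-mail' or 'unknown' for a From: value.

    The display name is ignored on purpose: "Microsoft Support <x@evil.example>"
    is judged only by the real address in angle brackets.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "unknown"
    domain = addr.rpartition("@")[2].lower().strip()
    if domain in trusted:
        return "trusted"
    if domain in FREE_MAIL:
        return "free-mail"
    name, _, tld = domain.rpartition(".")
    for good in trusted:
        good_name, _, good_tld = good.rpartition(".")
        if domain.endswith("." + good):              # mail.microsoft.com: real subdomain
            return "trusted"
        if edit_distance(domain, good) <= 2:         # micresoft.com vs microsoft.com
            return "lookalike"
        if name == good_name and tld != good_tld:    # irs.com vs irs.gov
            return "lookalike"
        if good_name in domain.split("."):           # microsoft.com.evil.example
            return "lookalike"
    return "unknown"
```

Feed it the raw From: header of a suspicious message; anything other than "trusted" is a cue to verify through a known contact before acting.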

How to Handle Email

  • Don’t click any links, buttons, or images. If the email is from a familiar entity (your bank, credit card, etc.), use the login you normally use rather than any link sent to you in an email. Logos are shockingly easy to lift from a public website, and a correct logo within the email doesn’t mean the email is from the company it’s purporting to be. (This is a good security habit to develop for all emails, spam or not.)
  • Don’t open attachments. Never open attachments from someone you don’t know. Never open attachments you weren’t expecting, even if they came from someone you do know. It’s worth reaching out via another method (phone call, instant message, etc.) to ask if they sent you something. (They themselves could be compromised and not even know it.)
  • Never reply/call a number from an unexpected email. Always reach out to your known contact when presented with an information request or a proposed change to how you normally do business. Example: If you get a fraud alert on a credit card, call the number on the back of that card, not the one in the email. Let the company confirm if it’s real or not. (We’ve seen customers defrauded when they updated wiring instructions received via email from what looked like a known vendor without confirming with their regular contact.)
  • Never give out confidential information. Legitimate companies do not contact you out of the blue for password changes, verification of private information, etc. Do not reset passwords through an email link. Always go to the website. Do not give out your user name, birth date, phone number, address, or any banking information solicited via email. Always contact the person/company directly to ask if the request is legitimate (and if so, why they need it!). 
  • Trust your gut. If you have the slightest suspicion, it’s better to ignore the email. If it’s legitimate, they’ll follow up with you. Or if you think it’s important, follow up separately with a phone call or login to the company’s website.

Establishing Controls Around Money Handling

You might have heard the phrase “checks and balances.” Another term you might hear from the accounting team is “controls.” It’s important to have processes in place for handling money so that something doesn’t slip through.

We’ve witnessed a few heartbreaking incidents over the years that could’ve been prevented if someone had just double-checked before taking action. First, check all the things above to make sure the email is valid. Then, if the email is requesting payment, go a little further.

Here are some basic controls that should be in place to help prevent losses:

  • Verify all payment method change requests. If you receive an email asking you to change how you pay a vendor, pick up the phone and call the vendor to confirm. Even if the email is valid, it’s possible that the vendor has been compromised on their end and a bad actor is redirecting your payments. It hurts less to make a phone call than to lose several hundred thousand dollars to fraud.
  • Do penny testing. Have you ever set up an account and the bank deposited a few cents, then removed them just to make sure your account was valid? It’s called a penny test. It’s another tool to validate the money is going to the proper place. You send the minor amount over, then have the vendor confirm the deposit. If they don’t see it, you have further proof that the request wasn’t legitimate.
  • Designate two approvals for large amounts. Set a policy that any cash outlay over a certain amount (relative to your business) requires multiple approvals. This gets more eyes on a transaction and reduces the risk that a costly illegitimate payment will make it through.
  • Segregation of duties. It’s common in small businesses to have one person in charge of the money. If you can separate the tasks around handling money, the idea of having more eyes on it can help catch mistakes or—in a worst-case scenario—collusion. A common control is to have the person who approves a bill differ from the person who pays it. Another control is to reconcile the bank account monthly, and ideally, this should be done by someone other than the person who writes the checks.

Further Education

Keeping criminals from gaining access to your company’s assets is an ongoing battle. The best defense we have is to educate ourselves and our employees on how to identify suspicious emails, links, and activity. You can find many training courses to educate your staff.

And since cyber criminals evolve with the latest technology advances, education needs to be an ongoing endeavor. Rather than running a one-time course, set up a training system that updates employees on the latest cybercrime trends and the new things to watch out for.

One of our favorites is KnowBe4 Security Awareness Training. This training system engages your employees with interesting and informative training courses and uses test phishing emails to gauge their comprehension of the material. You can monitor responses to the phishing tests to identify which employees are doing a great job and those who need further training to recognize suspicious emails.

Conclusion

Cybercrime is now a condition of doing business in the modern world. It’s not a matter of if you will be attacked. You are already a target every day. It’s a matter of when they will be successful in breaching your security.

Bottom line: Educate your employees to reduce the risk of falling victim to their schemes.
