Five things to do if your business is the victim of cybercrime

Businesses face more threats in their cyber environment than ever. This guide outlines types of cybercrime and practical steps to take if your business is the victim of a cyber attack.

29 June 2018

Types of cybercrime

There is a multitude of types of cybercrime, also known as cyberfraud. Here are some of the main types:

  • Phishing: Fraudsters send bogus communications, typically by email or text message, that purport to be from a well-known and trusted source and give an illusion of authenticity. The message will often make a request that the recipient provides sensitive and confidential information, for example bank account details, passwords etc.
  • Spear phishing: Whereas phishing often takes place against a large and indiscriminate range of targets, spear-phishing focuses on specific individual targets. Again, the attack usually takes the form of a communication seeking access to sensitive and confidential information, often with a sense of urgency. Spear-phishing attackers will typically have a deeper knowledge of the recipient’s digital footprint – for example, the websites they use or the organisation’s key clients. Fraudsters will use this information to carefully select and target recipients and to add credibility to these attacks.
  • Whaling: This consists of a spear-phishing attack sent by a fraudster impersonating an organisation’s “big fish” – typically the CEO or CFO. For instance, the fraudster might send a message to a member of staff, posing as the organisation’s CEO, requesting the urgent execution of a financial transaction. Fraudsters will also scour social media to understand when the “whale” is out of the office for an extended period, presenting the fraudster with an opportunity to launch an attack.
  • Crimeware/Malware: Another example of the increasing sophistication of phishing attacks is the use of “Crimeware” (sometimes called “Malware” – malicious software). A typical example is where a recipient receives an email from an apparently trusted source, and clicks on an embedded link. This then automatically infects a victim’s computer/smartphone with a piece of software that monitors activity and captures information, either by “key-logging” (where criminals record what you type) or “screenshot-ing” (where an image of your computer screen is captured).
  • Pharming: Crimeware is also associated with “pharming”, a form of online fraud in which the victim, upon entering a legitimate website, is diverted automatically to a bogus site of, for example, a bank, and asked to enter account information.
  • Hacking: This is the primary method of infiltrating networks. Through the injection of specialist software, hackers seek to gain unauthorised access to and take administrative control of computer networks and systems.

Five practical steps to take following a cyber-attack

Here are five key considerations if you discover that your business has fallen victim to cybercrime.

1. Investigation

As a preliminary step, the business will need to calmly assess precisely what has happened:

  • Investigation team and plan: Assemble a suitably qualified and experienced investigation team. Typically, this will include members of senior management, legal, IT and public relations teams. The team should devise an investigation plan setting out issues, work-streams, responsibilities and deadlines.
  • Understanding the facts: The team should establish, as clearly as possible, what has happened. What is the nature of the attack? Who was involved? How much money has been lost? Is it clear that the incident is not simply due to a technological failure?
  • Imaging: It will often be prudent to make a forensic image of the affected computers and servers. Two copies should be made: a "control" image that can be preserved, for legal purposes if required, and a "working" image that can be interrogated.

2. Damage limitation

It is critical to ensure that, whatever cybercrime has been perpetrated against your business, and whatever loss has been suffered, the problem is immediately and successfully contained:

  • Immediate steps: Consider what, if anything, needs to be done in order to stop the attack from spreading or being repeated. Of crucial importance is denying the transmission of further data from the perpetrator. Measures can include network isolation and traffic blocking, filtering and rerouting.
  • Records: Ensure that a full record is kept of all damage suffered, financial loss incurred and all responsive measures taken.

3. Get help

Cybercrime matters are often highly complex as well as resource and time intensive. Consider obtaining IT and legal expertise to support your business's efforts in dealing with the problem:

  • IT forensics: IT forensics experts can review your IT systems to identify compromised information and can preserve and handle digital evidence to assist with legal remedies and recover losses.
  • Legal assistance: All forms of cybercrime can result in substantial losses, reputational damage, business disruption, aggressive creditors and criminal actions. We can help to plan and manage the investigation, protect your company's rights, especially if the cyber-attack may leave your business vulnerable to legal or regulatory penalties and seek to trace and recover funds where possible.

4. Report the attack

Consider who you may need to report the attack to, and at what stage:

  • Action Fraud: All cases of cybercrime should be reported to Action Fraud, who will in turn inform the National Fraud Intelligence Bureau and provide a police crime reference number.
  • Bank: In the case of financial loss from bank accounts, consult your account provider to immediately protect your cash accounts and start a fraud investigation.
  • Insurers: Check whether you have any insurance cover in respect of losses resulting from cybercrime and, if so, notify the insurer accordingly.
  • CIFAS: If you are worried that your personal details have been stolen, it is possible to apply to CIFAS for protective registration, notifying others that you have been at risk ensuring more checks are undertaken should any applications be received in your name.
  • Regulator: Consider whether you are under a legal or regulatory obligation to inform your industry regulator.

5. Conduct a post-incident review

Once the matter has been dealt with, do not simply move on. Carefully consider the following:

  • IT protections: Consider if the business’s IT network and cyber-protection measures were sufficient and up to date. Have specific weaknesses been identified? How were they exploited by the fraudsters? How can this be prevented from occurring again? Have wider weaknesses been identified? If IT is outsourced, ensure that there is an open dialogue with the provider to understand how the system works, and demand change if necessary.
  • Incident response: How well did the business deal with the incident? Did the business have an incident response plan for such a scenario? How could the conduct of the investigation be improved in the future?
  • Training: Look at your internal training programme to ensure all staff remain vigilant to the different types of cybercrime threats faced by the business and that they are clear on their obligations to report suspicious activity internally.
  • Intelligence: Consider how best to arm your business with appropriate counter-cybercrime intelligence. For example, consider signing up to the Cyber Information Sharing Partnership (CiSP) to stay up to date with threat information.
  • Record: It is vital to ensure that you keep a record of all the actions you have taken and of the bodies and organisations you have contacted and when you have done so.

How can Burges Salmon help?

If you would like help or advice, please contact our fraud and white collar crime team.

Key contact

David Hall

David Hall Partner

  • Head of Dispute Resolution
  • Banking Disputes
  • Business Crime and Regulatory Investigations

Subscribe to news and insight

Fraud and White Collar Crime

Our fraud and white collar crime team combines criminal, regulatory and civil fraud expertise to provide corporates and directors with a complete service in this challenging area.
View expertise