Something ‘phishy’: Why Irish organisations are a plum target for hackers

24 Jul 2017

Image: Groundback Atelier/Shutterstock

Human link is still the weakest online defence as more organisations fall victim to socially engineered cyber fraud and phishing attacks.

It has emerged that University College Cork (UCC) had €110,000 stolen from it by hackers in 2015.

The revelation follows on the heels of a major cyberattack on Trinity College Dublin (TCD) in April, in which up to €1m was reportedly scammed by thieves.

The Sunday Independent reported that UCC is currently under sustained attack by fraudsters, with at least three attempted incidents per week.

It said that in 2015, online criminals successfully penetrated its security network, laundering €110,000 to an offshore account after gaining access to the accounts payable department.

The revelations show just how vulnerable Irish institutions are to scams by sophisticated fraudsters.

After WannaCry devastated systems around the world, it is understood that a number of Irish businesses fell victim to the Petya attack last month.

Ransomware attacks are on the rise and usually block organisations from their systems in return for a sum of money. In the case of WannaCry and Petya, the hackers appeared to be more interested in simply destroying systems.

But other, more elaborate schemes simply find ways to manipulate users into making mistakes.

The weakest link? You

What is worrying is how managers in organisations are susceptible to socially engineered attacks.

In the case of TCD and the theft from the Trinity Foundation, the money was allegedly siphoned off by thieves who sent emails asking college officials to change bank account details for payees. The foundation was alerted by its bank to suspicious activity in its accounts and some of the funds were recovered.

But it isn’t just academic institutions that are prey to these sophisticated attacks.

In recent weeks, Meath County Council confirmed that around €4.3m in funds – which were the subject of cyber theft in October last year – were safely returned to the council’s bank account. The money was frozen in a bank account in Hong Kong after Gardaí interrupted attempts to steal the money.

The council was the victim of what is known as ‘CEO fraud’, in which large sums of money are transferred by criminals on foot of an instruction in the name of a company chief executive.

In the case of UCC, it is understood that about €73,000 of the money was recovered through its insurance policy. The attack prompted the university to invest more than €100,000 in stronger firewall technology and software to identify fraudulent emails and malware.

The truth is that any organisation, big or small, can fall victim to sophisticated social engineering attacks that often begin with a phishing attack, whereby a user clicks on a link within an email or volunteers information.

No matter how much an organisation invests in its security, the weakest link will always be human.

The key is to educate and train staff in how to recognise suspicious emails and other communications, and not to be hoodwinked.

The reason Irish organisations are a plum target for socially engineered cyber attacks is because they aren’t putting enough effort into training staff to be wary.

More needs to be done.

The price isn’t just financial, it is reputational.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years