THE TRAVELEX BUG

When Travelex decided to take its currency exchange services offline after discovering its systems had been compromised by an ‘REvil’ ransomware attack on 31 December, cybercrime again became headline news.

More disturbing perhaps than the $6m (£4.6m) ransom, is the cybercriminals’ claim to have downloaded sensitive customer data, after accessing the Travelex network six months ago, apparently without anyone noticing.

It’s highly likely the hackers will have gained access to Travelex by targeting some of the more than 7000 people who work across the organisation globally, with a range of attack methods, including phishing.

This is why we make no apology for focusing again on cybersecurity. You will have mapped your digital transformation strategy, but unless everyone in your firm lives and breathes cybersecurity, you could face a crippling attack you never recover from, financially or on reputation.

What are some security tips for 2020? Let’s start with passwords. Never reuse passwords. Create unique ones every time for every application. Criminals now use automated bots to brute force attack systems using passwords revealed from past data breaches.

If you reuse passwords, there’s a risk that the compromised password will be used to test other systems – a great reason to use password managers to ensure unique passwords for every system. And never reuse the password you use to log onto your firm’s network.

Any good password manager will work, but only if you and everyone in the firm uses one. Remember, you and your colleagues have to protect your futures, every minute of every day – the criminals only need to be lucky once and it could be game over.

Phishing is still the major problem. The Verizon data breach investigations report cites hacking as the most common threat, with 81% of the hackers using stolen credentials, typically surrendered unwittingly during a successful phishing attack.

Spotting a phishing attack for what it is remains the best defence. And educating everyone within your firm about them – how to identify one and what to do – is the least you should do.
Typical signs of an email phishing attack to watch out for are:
• The sender is unknown to the recipient
• The sender is known, but on closer examination the address is a letter or two wrong – a very common approach
• Nothing in the email seems personal to the recipient
• The email was not expected – parcel status notices, tax refunds and so on
• The email refers to a bank/product/service the recipient does not use
• Words are misspelled, the grammar is poor, or the layout looks wrong for a large corporate
• The email body copy doesn’t address the recipient by name
• The message asks for personal information – it may request a single piece that appears innocuous, but when combined with info from previous requests causes a problem.

Importantly, your people must be extremely careful with emails that show any of the above characteristics when combined with a suspicious attachment or a link to a website. Above all, everyone must treat every email with caution and not become click-happy.

And remember, the closer you get to your clients, the greater the risk of cross-infection, which could end a beautiful relationship before it has started!

This article can be found in LPM February: Connecting clients