I got a strange WhatsApp message last week that came out of the blue. Though I didn’t recognise the sender, he certainly knew who I was, because he addressed me by name.
The next question was a head-scratching one. I was asked if I was a “comms machine”. What wasn’t so puzzling was the fact that my e-mail had been hacked and locked from me.
The WhatsApp message came about the same time this happened. And the hacker had dived into my account details to get a response from me on the phone, to possibly ask for payment in return for access to my digital life.
Last week was also when a friend’s laptop froze. She told me a message popped up at the same time, providing a telephone number to call to solve the issue.
Naive about security, she called and was given instructions to unlock the laptop. Fortunately, she stopped at giving credit card information and passwords.
In the end, I had to give up the e-mail address that was compromised and change the passwords for other accounts. Fortunately, I had my data backed up. When you become a victim yourself, the much-reported menace of ransomware really hits home.
Over the weekend, Fortune magazine reported that Google and Facebook in the United States lost about US$100 million to online fraud. Last week, an Interpol survey revealed about 9,000 pieces of malware are residing in the servers of various organisations including public sector agencies in Southeast Asia.
But the unlikely headline grabbers are the attacks on individuals, namely the consultants, entrepreneurs, startup founders, third-party vendors, the small guys who are part of the sharing economy and even retirees. High net worth individuals also fall into this category. Their losses generally go unreported.
According to Hackmageddon, a security website that tracks online threats, attacks on individuals are going up. In February this year, 9.2 per cent of attacks were aimed at individuals. This is a worrying trend because attacks on individuals were almost negligible in past months.
A common method for cyber attackers to besiege individuals is ransomware. This malware locks up a computer, preventing access to e-mail and data stored in the machine. Paying a ransom could unlock the access but there is no guarantee that the bad guys will do so.
Last week, security firm Symantec reported a 36 per cent worldwide hike in ransomware attacks in 2016. Over 100 new malware ransomware families had been released into the wild, more than triple the amount seen previously, it added in its latest threat intelligence report.
Symantec said ransomware victims in the US were more willing to pay a higher ransom to “unlock” their computers. In 2016, the average ransom paid was US$1,077, up from US$294. It also added that not all the locked computers were unlocked even if the ransom was paid.
Closer to home, in the Asia-Pacific region, Australian telecom operator Telstra identified in its security report last month that ransomware was the number one type of malware unknowingly downloaded.
The spotlight on individuals is worrying because people are often the weakest link in any cyber defence. E-mail is the most common weapon of choice for the cyber criminals and they are all aimed at individuals.
Indeed, Symantec found one in 131 emails contained a malicious link or attachment, the highest rate in five years. Spear-phishing e-mails aimed at businesses are targeting over 400 businesses every day. Such e-mails have helped scam more than US$3 billion from businesses over the last three years,
The danger is amplified when individuals are third-party vendors to larger corporations. Cyber attackers go through them because their security is often weaker.
Big organisations have the resources that allow them to keep up with security developments. They will have the security basics in place that will enable them to defend and detect malware, then remove them and manage the loss of data or money.
Individuals however, do not have the resources to do this. Often they are also less tech literate. Perhaps it’s time sole proprietors and small businesses with less than five employees attended a basic security course to get up to speed.
Government, security firms and telcos can come together to offer such courses. There is a need to educate individuals, especially the sole proprietors providing services to larger organisations, before the problem gets larger.
Grace Chng is a veteran tech writer.