Meath council ‘cyberattack’ was just old-fashioned fraud

Tagging €4.3m scam with the word ‘cyber’ and calling it ‘sophisticated’ is plain wrong

The FBI sent out an alert last spring warning about a massive increase in these so-called CEO scams.

The FBI sent out an alert last spring warning about a massive increase in these so-called CEO scams.

 

We need to talk about that €4.3 million Meath County Council “sophisticated” so-called “cyberattack” that emerged into the light of day last week like Donald Trump’s 400lb hacker from his bedroom lair.

In brief, Meath County Council was the victim of a particularly popular type of scam in which, typically, an employee who has control of accounts is sent a spoof message purporting to be from, say, the company chief executive. That person is asked to transfer a large sum of money into an account. The money is duly wired to the scammers. Oops.

If the whole thing comes to light fast enough, the money can perhaps be retrieved or frozen, as was the case with the Meath mega-sum, now resting in a Hong Kong account.

Where to begin?

I know exactly where, because one thing about this whole scam made my skin crawl: the use of the word “cyber”. Can we just lay off the “cyber”?

At every mention of the word cyber, my will to live declines further. What makes media and communications people rush to use it about anything related to computers and the internet? With the Meath story, cyber was splattered everywhere.

I get that this may not be understood clearly by most of the world, but the use of cyber is controlled by very strict rules.

Thanks to mathematician Norbert Wiener’s 1948 book Cybernetics or Control and Communication in the Animal and the Machine, it’s acceptable to utilise cyber in order to discuss cybernetics (should you be so inclined) or even cyborgs – short for cybernetic organisms.

And cyber also may be deployed at will when discussing William Gibson’s famed 1984 novel Neuromancer, which is credited with introducing the term cyberspace to the world. The popularity of the novel, however, seems to be responsible for the release into the wild of all the unwanted silly cyber variations that plague us today.

Just because the novel is cool cyberpunk (arguably, an allowed usage) does not mean your use of cyber is cool. It almost certainly is not.

Nothing flags a wannabe geek desperately vying for street cred, a generalist in search of a trendy speciality, or an insecure self-promotional IT security professional like sticking cyber in front of a job title or using the word liberally in reference to anything digital.

This is of course why governments, surveillance agencies and a host of makey-uppy experts wave the word around. But please, I beg of you, just back away slowly from the term unless you know how to handle it properly. Especially if what you are referring to is plain old boring, if still very effective, fraud. Not a “cyberattack”. Especially not a “sophisticated” cyberattack. Not even a “serious, attempted cyber-enabled offence” as the council statement had it.

Because let’s make one thing clear. If the term cyberattack is going to be forced on us, it has to at least be in the context in which it is just about acceptable for security experts to sometimes use it. That means a major and debilitating attack using computers and the internet, by the most sophisticated of criminal hackers or those acting on behalf of a nation state. 

Garden variety fraud

It should not be used just because an email was used to perpetrate a garden variety fraud, as in the case of the Meath embarrassment. It could just as easily have been a letter in the post, a text or a phone call. But in this case “the vector of attack” (see how I went all IT security professional there?) appears to have been an email. This uses basic social engineering – pretend to be someone you are not and sometimes a third party will be taken in and you’ll get useful information, access to networks, or money transfers.

Common they may be, but the fact that this scam came within a hair’s breadth of succeeding raises many questions. Such as, how could a sum that large – or even a fraction that large – be approved for transfer just by an email? Doesn’t a €4.3 million transfer trigger some basic internal security, such as a confirmation phone call to a known individual? Or two people to approve it? Didn’t a massive transfer request from Meath to a Hong Kong account seem a little . . strange?

By international measures, this was indeed a big scam. When the FBI sent out an alert last spring warning about a massive increase in these so-called CEO scams, it noted the average loss to duped companies was $25,000-$75,000. Chump change to Meath.

Mattel – the giant multinational toy company – lost $3 million in 2015 to a CEO scam. Meath County Council nearly outperformed Mattel.

Incidentally, one common way of perpetrating these scams, according to the FBI, is free email services. Hack into someone in authority’s account, send an email seeming to come from that person . . . Just saying, maybe some of our politicians and State employees need to think again about those Gmail accounts they also use for business matters.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.