The UK wholesale industry is one of the top targets for hackers, but businesses are failing to take cyber security seriously. Andrew Burnyeat finds out what’s being done to address the problem and how wholesalers can fight back.
Police and security experts are warning that wholesalers in the UK and abroad are now attractive targets for cybercriminals.
Indeed, the UK wholesale industry emerged as one of the top industry targets for attackers in 2014, according to a 2015 study by technology giant IBM.
Wholesalers are targeted for ransomware, online ID fraud, phishing attacks, email scams and hacking for two reasons. Firstly, their position in the supply chain means that targeting them can lead to a rich seam of other targets. Wholesalers carry databases with information about suppliers, retail customers and major clients.
Secondly, wholesalers come in various shapes and sizes, and so have varying budgets to defend against cybercrime. Depending on their attitude towards IT security, they can be soft victims.
Simon Placks, director of cybercrime investigations at accounting firm Deloitte, says: “The larger companies – the big-brand plcs, banks, multinational companies and so on – have the biggest budgets, the best attitudes towards cybercrime and the best systems for dealing with it.
“So the more adventurous criminals attack big companies by going first through their supply chain, targeting smaller companies, such as wholesalers, which don’t always have the big company security systems, but do carry a lot of information about the larger companies.”
And many attacks are straightforward, albeit careful, cases of deception. A Brighton-based wholesaler, who did not want to be named, told Better Wholesaling of falling victim to false emailed invoices – a common type of attack. At first sight, the invoices looked as if they had been sent by a regular supplier of fresh produce. The letterhead looked the same and the email was addressed to a specific person at the wholesaler.
The only difference was that the bank details on the invoice had been changed to those of the fraudster.
The clever forgery, said Sussex police, meant that the cybercriminal must have had access to company records via either hacking or a corrupt member of staff.
In a similar form of crime, ‘European diversion fraud’, fraudsters exploit the ease of doing business across the EU by sending emails to European food, drink, tobacco and other wholesale goods suppliers. The messages falsely claim to be from British and other EU member state wholesalers ordering goods. However, the delivery address given is false. The first the wholesaler knows about such a scam is an invoice for goods they have not received.
Nottingham wholesaler Hyperama was impersonated in this way by a fraudster last year. Although the wholesaler is not the victim of such frauds, there can be ‘reputational damage’, according to Federation of Wholesale Distributors (FWD) spokesman David Visick.
He said: “We have advised our members to take precautions, such as placing messages on their websites giving details of their bona fide delivery addresses.”
The FWD has had talks with the Home Office about cybercrime and supports Action Fraud, the UK’s official fraud reporting service, which sends crime alerts to appropriate investigating authorities.
“But this is often a grey area,” says Visick. “In the case of European diversion fraud, it is difficult to know which authority is responsible for dealing with it because the real victim is the supplier, not the wholesaler.”
As a result of the scam, Hyperama now posts the following message on the home page of its website: “Suppliers please be aware – we only take deliveries to our four depots. If you are asked to deliver to anywhere else, please contact us on this number 0115 985 1301.”
The 2014 UK Commercial Victimisation Survey (CVS) found that computer viruses were the most common crime affecting UK wholesalers and retailers. It estimates that there were more than 136,000 incidents of internet-based crime against wholesalers and retailers in 2013 and early 2014.
Around 10% of all UK wholesale premises experienced at least one type of online crime in the past year, with 9% being attacked by a virus and 2% by hackers.
And such attacks could become more costly. The newly agreed EU General Data Protection Regulation and Data Protection Directive will, from 2018, allow companies to be fined up to €20m or 4% of their annual turnover if they allow security breaches to compromise customer data. This is expected to encourage police to warn companies to take hacking more seriously.
Siân Thomas, communications manager at the Fresh Produce Consortium, says: “In the past, there were some instances where police authorities had advised affected companies that there was no criminal damage because the companies had not suffered any loss. Consequently, in 2010, we lobbied the National Fraud Authority and UK government to take this kind of crime more seriously and do more to support UK companies.
“We have reminded all our members of the risks and advised them to check the robustness of their systems. Our advice is that companies should always contact the local police if they suspect fraud is taking place.”
Thomas says the issue is a very serious problem for the industry. “According to a recent conference on food fraud, a typical organisation loses 5% of its revenue to fraud every year. The National Food Crime Unit has stated that it is interested in receiving information on food fraud, including identity fraud.”
But businesses are failing to take cyber security sufficiently seriously, according to the Institute of Directors (IoD), which says that currently, only 28% of cyber-attacks are being reported to police. It adds that seven out of 10 firms had been sent false invoices by email.
Fernando Ruiz, head of operations at the European Cybercrime Centre, says: “We encourage companies in the middle of the supply chain – and even smaller companies – to take this crime very seriously at all levels and to take responsibility for protecting their customers’ data.”
He warns of the danger posed by corrupt or blackmailed employees: “You are only as strong as your weakest employee.”
Ruiz says companies should report all incidents and that – in the case of Europol, at least – reporting is handled sensitively, with no public naming of firms involved.
“However, we encourage small and large companies to report incidents. I’m convinced the situation is improving thanks to increasing trust, partnership and working groups involving industry and law enforcement specialists.”