A cybersecurity specialist says a provincial advisory panel would help the public better identify and manage risk
Saskatchewan farmers Andrew and Laurie Johnson won’t forget the events of 2020.
Early in the year, the couple from Peebles, Sask., became victims of a cellphone fraud scam that resulted in more than $100,000 disappearing from their corporate bank account.
The Johnsons, owners of Johnson Livestock, noticed in the middle of their busy calving season that one of their cellphones was no longer working.
Initially, they didn’t think much about the problem. They assumed their cellphone was simply malfunctioning or that their service provider was having network problems.
But then they noticed their email accounts were down as well.
A few days later, a banking representative called to tell them their corporate account was overdrawn.
The Johnsons were victims of a “port-out fraud scheme,” where criminals collect personal information and use it to access other sensitive information, ultimately taking control of online or digital accounts.
Andrew Johnson, contacted recently by The Western Producer, declined to comment on the incident, citing a non-disclosure agreement that prevents him from sharing details. But he encouraged others to take every step possible to protect their personal and business information.
Any odd or suspicious activity involving cellphone services, emails, online commercial accounts and electronic devices such as tablets, phones and computers should also be treated seriously, he said.
Another Saskatchewan farmer offered similar advice.
Not long ago, the farmer, who requested that his real name be withheld for security reasons, received a ransom email informing him that his email accounts had been hacked.
The criminals claimed to have full access to all his email messages and contacts.
In addition, the hackers said they had installed malware on all his personal devices, including cellphones, tablets and desktop computers. In other words, they had gained access to all of the farmer’s files as well as personal information stored on the compromised devices.
The ransom email demand a cryptocurrency deposit worth the equivalent of US$2,500, to be deposited in an untraceable bitcoin wallet.
The farmer refused to pay and has since taken steps to change all his passwords, credit cards numbers and banking information.
But he’s still not certain the incident is behind him.
According to the Canadian Anti-Fraud Centre, there have been 150,000 reported cases of fraud since January 2021, many of them targeting online accounts.
The total cost to Canadians was an estimated $600 million.
And those numbers don’t include thousands of cases that go unreported each year in Canada.
According to cybersecurity experts, cyber threat activities are now one of the fastest growing categories of criminal activity in the country.
And unfortunately, most Canadians are unaware of their vulnerability.
“Canadians use the internet for financial transactions, to connect with friends and family, attend medical appointments and work,” said the Canadian Centre for Cyber-Security in its national Cyber Threat Assessment report for 2023-24.
“As Canadians spend more time and do more on the internet, the opportunities grow for cyber threat activity.”
Indeed, the rising amount of personal, financial and business data that’s available online has made it an attractive target for enterprising criminals.
Criminal activities conducted online can range from basic scams targeting individuals or small businesses that haven’t properly protected their personal or commercially sensitive information, to state-sponsored programs that target critical public or private infrastructure.
High-profile ransomware attacks in recent years include Colonial Pipeline Company in the United States and the North American and Australian operations of JBS Foods.
Those attacks alone resulted in multimillion-dollar payouts and disrupted fuel and food supply chains.
Canadian hospitals and large business enterprises have also been affected.
Individuals and small business owners in the agriculture sector are not immune, and most are playing catch-up when it comes to protecting commercially sensitive information from potential attackers, said one source.
“A lot of small businesses have no idea what kind of threat they’re facing,” said the source, an IT professional contracted to shore up the online defences of a Saskatchewan-based retailer with sales worth hundreds of millions of dollars annually.
“For a lot of companies, ransom attacks and loss of corporate data represent a huge business risk,” he said.
Brennan Schmidt, a Regina-based management consultant and cybersecurity advocate, agrees.
Schmidt advocates for the creation of a provincial cybersecurity advisory panel that would help public and private sector organizations to identify, manage and mitigate cybersecurity risks.
“There are so many ways (that people and organizations can get victimized) and I think that’s an important thing to underscore,” Schmidt said.
“Threat actors — the bad actors that are looking to do harm to others — they’re going to do their research and they’re going to target people and organizations in the ways that they’ve found to be most effective.”
According to Schmidt, criminal sophistication varies widely and any electronic device can be the subject of a potential attacker.
Email messages using bogus hyperlinks are a commonly used tool, he said. Threat actors will use e-mail blasts to distribute phishing emails. Those who respond are potential victims.
In some cases, perpetrators will use hacked or bogus email accounts to impersonate employers or company executives. Fraudulent emails will encourage employees to respond, click on hyperlinks or provide sensitive personal or corporate information that could lead to security breaches.
When criminals gain access to personal or business accounts or sensitive data, that data can be sold to other criminals or used to get additional information or financial assets.
“Really, when you think about it, with so many things going digital, it’s so, so important for us to all play a role in making sure that … we’re protecting ourselves and (using) whatever kinds of protections are made available,” Schmidt said.
For example, if using online resources, get in the habit of using trusted tools and technologies, such as multi-factor authentication and password managers.
Password managers are secure tools that make it easy for legitimate digital account holders to manage and access complex passwords that would otherwise be impossible to remember.
Using complex and unique passwords for all online accounts is the golden rule of online activity and commerce.
Create a list of every device that has a chip in it, Schmidt added.
This list would include phones, laptops, desktop computers and another data storage and collection systems. Then review it and assess which devices and systems represent the greatest risk.
“Ask yourself, what are my crown jewels? What are the most important things that would be of value to (potential criminals) who want to take something away from me?“ Once you’ve done that, you can then introduce controls to better protect those (assets).”
Even basic preventive measures can help minimizing risk.
“For example, if folks at home have a router that they just plugged into the wall for internet, it’s probably got a password and it’s probably a good idea to change that,” Schmidt said.
“And get yourself a password manager. Instead of using the same password for everything because it’s easier to remember, use a password manager and keep track of those passwords. Make sure they’re complex and make a different password for every service.”
Also, be careful how and where you use your devices.
Conduct online activity with known and trusted companies. Be careful which websites are visited. Clicking unfamiliar links on untrusted websites or in emails from unknown sources can have costly and unexpected results.
If computer devices are functioning strangely or operating by themselves, there is a good chance they’ve been infected by malware.
Just as it was in the days before the internet, an ounce of prevention is worth a pound of cure.