The Ministry of Post and Telecommunications on May 23 issued a statement expressing concerns about cyberattacks in the Kingdom, calling for greater vigilance to thwart the rise of hacking attacks aimed at the private sector.
The statement said there had been a number of business email compromise (BEC) scams aimed at stealing cash by sending e-mails for payment invoices for transactions to overseas companies.
“The scam is particularly prevalent in the private sector, with cybercriminals hacking a company to study their business practices and records and then attacking the targeted entities by sending e-mails that appear to be invoices from known and legitimate sources,” it said.
This crime is often named in US laws as “theft by swindle”, meaning it is a theft that takes place by “swindling” – that is, tricking – the victims somehow rather than using violence or breaking an entry.
The Kingdom’s Criminal Code refers to all such thefts that rely on subterfuge or gaining the victim’s confidence first as forms “fraud” with different severities as defined in Chapter Two, Article 377.
The ministry said that hackers or sometimes organised groups of hackers will hack a company and gain access to their computer network and then research it and its employees carefully.
They then wait for the right moment to execute their plans, which usually involves submitting fake invoices with large payments due, or they may impersonate the company’s CEO or another executive or contact those corporate officers pretending to be a trusted vendor or business partner and then request a transfer of cash to an overseas account or request that payments for goods and services in the future be routed to a new bank account.
The groups often complete the deception by first hacking the network of the businesses on both ends of the transaction so that they are able to send a 100 per cent legitimate-looking request from one company to the other using the correct paperwork, employee names and even their real email addresses. This makes it a very difficult scam to defend against for companies that regularly make significant expenditures with dozens or sometimes even hundreds of vendors or service providers.
The ministry advised users to be extremely careful with measures such as carefully checking and verifying the names and email addresses, or to inquire by phone in case of suspicion even if the email from known people.
The ministry advised that all companies be very wary of all e-mails requesting a change be made to account information for cash transfers and to be sure to institute procedures and protocols that require employees to confirm or verify requests to change account information directly with individuals or business partners through means other than e-mail, such as phone calls, for example.
And after that they should consider going a step further and – without making mention of their intentions to do so while speaking to their business contact – try phoning their company’s security or IT department following that conversation and request that they independently verify the legitimacy of the transaction before allowing it.
And, the ministry noted, any company tricked in one of these scams should contact the bank immediately if they find out that they have been cheated and try to have the transaction reversed or frozen while also filing complaints with the police and other authorities if they ever want to find the hackers responsible and have them punished.
Independent digital security consultant Nget Mose said the reason for the increase in cyberattacks in Cambodia was because the sector’s development was still limited in terms of digital laws, tools and literacy, which made Cambodia an easy country to target for attacks via emails.
“The global trend of cyberattacks to steal or launder money is increasing everywhere, not just in Cambodia, but they are succeeding here at a higher rate than we’d like to see because our digital security infrastructure is still limited,” he said.
He added that in order to protect their businesses from these attacks, the private sector should have security management plans in place and build staff capacity in digital resources while implementing tighter protocols with multi-factor or multi-step verification or approval for certain highly sensitive data such as bank account information and other payment processes.
The ministry urged the public to get more information about such cases on the website of the Cambodia Computer Emergency Response Team Office (CamCERT) under the ministry’s Department of Security, Information and Communication Technology at www.camcert.gov.kh
They can also get more technical assistance and report illegal activity by emailing incident@camcert.gov.kh or calling 023 722 391 / 016 851 678.