A local cybersecurity firm is seeing more and more firms cheated out of thousands of dollars by digital scams

“We have seen an evolution in the way attacks have been performed over time,” said Fernando De Deus, Ingine chief executive. “From a year ago to now, there has been an increase in cases.”

Ingine is particularly seeing an uptick in invoice scams, which Mr De Deus estimated were costing victims in Bermuda “upwards of five figures”.

In this case hackers take over a user or company computer system and send out fake invoices to the victim’s clients or contacts. They use the same invoice and letter head as the hacked company to request payment. The only thing different is the bank details for the supplier.

Ingine chief information security officer Henryk Marszalek said there were two things that should happen when a company was told that their usual vendor’s bank details had changed.

“First, the company should talk to someone rather than just accepting a digital request for payment,” Mr Marszalek said.

Secondly, he said that if the payment went through, the company’s bank should be alerted because it was a first payment.

“If the bank sees payments going out to a different type of bank, or a bank in a different jurisdiction or geographical location, that should be enough for the bank to realise this is something unusual and chase it up,” Mr Marszalek said. “If those things were followed, the majority of these scams would not succeed.”

For their first salvo, hackers often ask for a small amount of money to bypass bank fraud alert systems. Once the unsuspecting company has made a transaction with the hacker, precedent has been set, and larger amounts are less likely to trigger any warning systems.

Mr De Deus would like to see banks set additional checks and balances in place to counteract cybercrime.

Mr Marszalek said artificial intelligence was adding fuel to the fire.

“AI is becoming much more sophisticated,” he said. “Malicious actors are using AI to make themselves come across as far more legitimate than they are.”

In some cases AI mimics users’ voices, which Mr Marszalek said was difficult to capture and prevent.

“There have been situations where someone has hooked someone or compromised their system,” he said. “They stay in the users system for more than a year. Faking a number to look like calls are coming from Bermuda is very easy.”

Mr Marszalek said banks did not put out reports on cyber attacks on their clients and many victims of cybercrime were too embarrassed or ashamed to report it.

Mr De Deus said there was no need to feel this way because hackers today could be very convincing.

“We had an incident where a hacker set up a website to look exactly like HSBC’s website,” he said. “The only detail different was a link to click. That link allowed the hacker to access the client’s computer. When the client realised what was happening they cut off the session and turned everything off.”

He urged victims of digital crime to contact authorities by reporting it to the bank, or the police.

Mr De Deus said firms needed to have systems in place that allowed customers to report possible cyber attacks, quickly. Time is of the essence when it comes to shutting down digital fraud or recovering money after one.