Builders’ merchants could be a goldmine for cybercriminals

Andy Barratt,  UK managing director at Coalfire, the global cyber security consultancy on the need to be cyber-vigilant

In November 2017 , one of the largest builders’ merchants in the UK, Jewsons, revealed that it had been the victim of a large-scale cyber security breach – potentially putting countless customers’ data at risk.

It was a stark reminder that the building trade is as much a target for hackers as the sectors we more readily associate with high profile cyber-attacks – the likes of financial services, retail and the public sector.

In fact, the construction sector is a key target for hackers. Fraudsters generally perceive that a lot of the businesses within the construction industry are ‘easy’ targets as they typically have a low level of cyber security in place.

In a very hands-on industry, where far few work hours are spent on a computer than in a lot of other professions, it’s understandable that small building firms are less likely to have cyber expertise in-house. Tight cash flow cycles also mean investment in technology or third-party consultancy is often difficult to prioritise.

As a result, tradesmen and small construction contractors are a very attractive target. For a builders ‘ merchant, this makes the customer it holds incredibly valuable to a cybercriminal.

Why are builders’ merchants a target? To a hacker, a builders’ merchant’s customer records are essentially a ready-made database of potential targets for fraud.

This is particularly true as merchants move increasing amounts of their business online; through ecommerce but also through cloud services for back-end operations such as payment automation and data storage.

In effect, this means the merchant is taking an element of its customer supply chain online. A builder who probably spends a very small percentage of working hours on an internet-connected device is unlikely to be actively pursuing cyber security best practice, particularly if they are unaware of how much information concerning their relationship with a merchant is stored digitally.

This puts a certain element of responsibility onto merchants for the cyber security of its customers.

How do the hackers do it? One of the most common methods for a hacker to extract money from a business or its customers is through a type of fraud called authorised push payment (APP). This is where the criminal uses fake emails or text messages to trick someone into authorising a fraudulent payment.

Commonly, the hacker will gain access to a company’s (i.e. the builders’ merchant) email system and set up a rule that redirects messages to their personal account. This enables them to monitor for when sensitive information, like an invoice, is sent out.

The hacker will then re-send the invoice, claiming that the payment details have changed. The customer, keen to pay off the debt, authorises the payment without realising the money has gone to a fraudulent bank account and not the merchant it has a relationship with.

How can builders’ merchants protect themselves and their customers? All businesses should have a cyber security framework to whatever extent is feasible. But for builders’ merchants who deal in high value transactions and store large amounts of customer data, it is essential.

For those that aren’t doing so already, a thorough audit of IT infrastructure is advisable to identify key systems that are a potential target for hackers and any vulnerabilities within them.

But even with a comprehensive security framework in place, safety is not guaranteed and there are some easy-to-implement procedures that can help to limit the potential damage of a breach.

A useful starting point is to introduce an automated electronic payment process that doesn’t necessitate sending out a traditional invoice or the customer manually transferring money from one bank account to another.

Instead a link to a secure customer portal is sent where payments are made via a card. The payment information can be end-to-end encrypted and there is no email or paper invoice containing account details for the hacker to intercept.

Another important step is to make employees and customers aware of the kinds of threats that the business is susceptible to. For builders’ merchants, this is likely to be some form of payment fraud, such as APP.

Once the relevant threats are identified, an awareness policy can be put in place.  Providing information about this potential threat can go a long way to preventing financial loss – both for the builders’ merchant and its customers.

For example, it is a good idea to warn customers to be on the lookout for emails that contain a change of payment information and to notify the merchant if they receive one.

Educating customers will turn them into part of a merchant’s cyber defence network, alerting the business to suspicious activity that could uncover a potential threat or a breach to the system before it causes significant damage.

Other simple steps include easy-to-action housekeeping policies like renewing passwords on a bi-annual or quarterly basis and instructing employees to check work email accounts for unfamiliar auto-forward rules.

It’s a sad fact that cybercrime is now a part of doing business. The key to being protected is acknowledging that merchants and their customer base are as attractive a target to hackers as the types of business we more readily associate with cybercrime.

Minimising the risks involves having the right security in place, understanding the threats and ensuring that customers are as well-informed and alert as possible.