A ransomware attack typically happens when a hacker bypasses your security and gets into your computer, then either encrypts your data and demands a ransom in return for the decryption key, or steals confidential data and threatens to publish it unless a ransom is paid.
The ransom payments are typically paid in Bitcoin because it is hard to trace the recipient.
The ransomware software typically gets in through phishing emails, where you or your staff click on an infected link and download the malware without even knowing it.
Ransomware attacks have grown hugely in recent years and the pandemic has increased the vulnerabilities of many organisations, with staff working at home and often using personal devices.
There has been a spate of high-profile incidents in the last 6 months. Colonial Pipeline made headlines when they were the victim of an attack in May, which led to fuel shortages on the US East Coast for a few days. JBS Foods, the world’s largest meat producer, was another victim, as was the Irish health service.
In case you thought you were too small for this type of attack, small businesses are also frequently targeted, as they often have poor security so can be easily infiltrated.
So what do you do if you become the victim of such an attack?
The official advice from the police and government is not to pay. They argue that there is no guarantee you will get your data back or that hackers won’t publish data anyway. You will likely be funding other illegal activity.
However, paying ransoms is not illegal and may well be cheaper than the cost of systems being down for a long period or having to rebuild systems. As a result, many companies do pay up. Colonial Pipeline paid $4.4m in bitcoin to their attackers, some of which was subsequently recovered by the FBI.
Many of the current attacks come from countries such as Russia, and pressure can be applied at international level. It was reported, for example, that US President Biden broached the subject with Vladimir Putin at their recent summit.
The best course of action for businesses is to avoid falling victim to an attack in the first place. Most attacks come via relatively unsophisticated methods, such as phishing emails, compromised credentials and unpatched systems. So putting good cyber hygiene in place and training staff properly are essential starting points for reducing the risks.
Having a good back-up strategy which is regularly tested is another key step, so that you always have a recent copy of systems and data that can be quickly reinstalled. Attackers can sometimes target your backup, so make sure backups are completely separate.
Tax scams on the rise
It is being said that scammers and fraudsters are taking advantage of the fact that taxpayers are basically ‘scared of the taxman’ and designing their attacks to take advantage.
As a result, the number of clients reporting scam calls, texts, and emails pretending to be from HMRC and the Department for Work and Pensions (DWP) has recently risen significantly.
In a recent version, recipients are told that they have been fined for tax evasion and will be summoned to court if they do not pay up, that arrest warrants have been issued in their names, or even that their pension payments will be stopped.
The scammers spoof their way in, making it look like they are calling from an HMRC number. So even if the recipient is on the ball enough to look up the phone number, they may be tricked into thinking it is actually HMRC that has called.
HMRC may communicate with taxpayers by text, phone or email, which is much quicker and more secure than by post. However, the HMRC website confirms that they will not ask for any personal or financial details. The website also advises that if the communication is unexpected, offers any form of a refund, asks for personal information, requests a transfer of money or is threatening, then it could be a scam.
HMRC have revealed that in the 12 months to 30 April, HMRC responded to more than 1.1m referrals of suspicious contact from the public, and of these more than 576,960 offered bogus tax rebates.
UK – £5.7m of cybercrime losses
A recent report says that there have been £5.7m of losses from 14,883 cybercrime incidents and of this total around a third is from businesses.
Hacking, fraudulent use of social media, and email scams accounted for 43% of all reported incidents since 1 January.
Surprisingly the age group that is most affected is the under 40s, but this may be because they are the predominant users of technology juggling multiple social media accounts, email addresses, and banking apps.
The study also found that 81% of offences were committed by an individual, as opposed to a group, who was not known to the victim.
Malware appears to be at its least prevalent for more than a decade, while phishing websites, which seek to gain passwords, credit card numbers, and other private information, have increased many times over.
The rise has in part been fuelled by the Covid-19 pandemic, with a significant jump in the number of phishing attacks using NHS branding, obtaining people’s personal information with the vaccine rollout as bait.
It is essential to take care online and use robust security measures. Always be aware of what you are clicking on, and be especially wary of phishing sites and of emails sent from companies or individuals not known to you or which you are not expecting.
HMRC will be watching you trade online
HMRC has confirmed that the UK will be adopting the expanded version of the OECD reporting rules for digital platforms. The rules will mean that websites and applications based in the UK will have to report the income arising in the previous calendar year of “sellers” using their platform to HMRC.
HMRC estimates that 2m-5m businesses could be affected, although it expects that the impact for individual sellers will be small.
The rules are unlikely to be implemented until January 2023 at the earliest and HMRC is seeking opinions on the practical implementation of the rules, as well as on areas where the government has flexibility in adopting the rules, such as exclusions, and its proposed approach to penalties for non-compliance.
Alongside recording and reporting the sellers’ incomes, the platforms must also collect and verify information that identifies the seller and their location, as well as the location of rental accommodation. This will enable HMRC to share the income data with the tax authorities where the seller is resident or where a property is located.
The platforms are also required to provide a copy of the information to the seller each year, to help the seller declare the correct amounts for tax purposes.
Save VAT – book in advance
Hospitality businesses taking advance payments before October can charge 5% VAT and then the rate will increase to 12.5% on 1 October 2021 and 20% on 1 April 2022.
If you receive an advance payment before 1 October for a supply being made on or after this date, you need only charge 5% VAT based on the payment date. There are no anti-avoidance rules to worry about.
Normal tax point rules are applied, so the relevant date is the earlier of the invoice date or date of payment.
So, if you are in hospitality and sell your goods and services on a VAT-inclusive basis, you will lose less of the price in VAT and so increase your profits.
The new 12.5% VAT rate is still six weeks away, so you have got time to encourage customers to pay in advance for post-October supplies, increasing your profit margin.
Can you get your Xmas customers to pay you before 1 October?
If you have any questions about any of these, you know where to find us. If you prefer, just give me a ring on 07770 738770 or email me at firstname.lastname@example.org.