Farmers have been warned by the Scottish Business Resilience Centre – the country’s largest organisation charged with nurturing Scotland’s business ecosystem through advice and security – that they may be the next victims of cyber-theft. Leaders from the SBRC, including Chief Ethical Hacking Consultant Gerry Grant, issued the warning following the Scottish Government’s confirmation that CAP payments will arrive in farmers’ bank accounts shortly.
CAP (Common Agricultural Policy) payments are issued to subsidise farmers’ incomes. However, problems with the Scottish Government’s IT system caused delays in the issuance of the money, plunging some into a ‘cash flow crisis’. In a bid to rectify the situation, Rural Economy Secretary Fergus Ewing unveiled the CAP Basic Payment Support loan scheme in mid-September, which in late October paid roughly £254 million to Scotland’s farmers and crofters.
But by conducting simple research, according to the SBRC, it is possible for anyone to find out how much an individual farm has received in past CAP payments, and how much they are likely to get this year.
Methods of attack
Gerry Grant warned that these payments could make farmers ‘prime targets’ for cyber-criminals. When approached by DIGIT, Gerry said: “The issue is that the hackers will follow the money. So if they know of a particular industry or particular set of targets that will have cash in the bank, then they become targets. So I wouldn’t be surprised by it – if they do their research they’ll know who and when to target.
“There’s two different ways of being attacked. You can either have internal fraud, where the attackers will make it look like somebody internally is asking you to transfer money around the business – so, ‘It’s your finance director here! Can you transfer £50 million into this offshore account, and don’t tell anybody because it’s a secret deal.’
“Mandate fraud is slightly different – this is where they [hackers] try to intercept an invoice that they know you may well be expecting. If I know that you’ve got a new kitchen installed, I will send an email that looks like it comes from your joiner saying, ‘Can you send us £1,000 to cover for some expenses?’”
The evolving cyber-threat
Gerry warned farmers to be aware of unsolicited calls and emails over the coming weeks. He also advised the recipients of communications to verify their source before making any moves. Referring to the cyber-frauds that ransacked football clubs Hearts and Hamilton Academical of funds in recent months, Gerry warned DIGIT that the same may be repeated.
“I do not know for certain what it was that caught them, but I suspect that they were caught in either one of those two scams, or in a phishing scam.
“They can be quite convincing. They’ll know exactly who your bank account is with, they will probably have taken the name of somebody who works in the bank and claim that they are that particular person, and they may have some details that they have gleaned about you through more social engineering somewhere else or information that you’ve accidentally leaked online, to try and make it more believable.”
When asked by DIGIT if the wide publishing of the CAP loan scheme might have added Scotland’s farmers to hackers’ radars, Gerry said that this was unlikely – cyber-criminals are simply getting more savvy. “The criminals, if they’re smart enough, which most of them are, will be aware of these deadlines and payments anyway. If it’s something that’s debated in the Parliament, it’s going to be common knowledge and in the minutes of meetings, so there’s nothing we can do to hide it.
“I think it’s just the fact that criminals now are so much smarter, they’re looking for targets and looking for places where the money is coming into bank accounts – resourceful.”