PETALING JAYA – On a regular business day in June, boxes of what appeared to be antivirus software were delivered to two branches of a remittance agency in Kuala Lumpur and Muar.
On the box was a note, purportedly from the chief executive officer, telling the supervisors the company was undergoing a security upgrade and asking them to install the disks in every computer in their office.
The branches should have checked if the note and boxes really came from headquarters. They did not. They came from hackers.
And in one weekend, the hackers moved as much as RM6mil from their branches to remitters in Paraguay, China and some parts of Europe.
The branches had installed backdoor access for hackers to gain entry into every aspect of their network. For a month, these hackers studied the offices’ process of clearing and moving money.
On a weekend when no one was in the office, they struck.
By the time the employees came back to work on Monday, they had discovered that their computers had moved out the money.
The money had been cleared out on the international side before they even knew they had been hacked, said LE Global Services executive director Fong Choong Fook, whose private cybersecurity firm employs hackers to test the network security of major banks.
More and more Malaysian companies are falling prey to cyberhackers who have turned thieves. It is believed that they took at least RM1bil out of the national economy in 2014, without even having to leave their desktops.
“The victims are not just small companies but large organisations and banks.
“However, you don’t hear about this because they don’t want to report that their servers or computers have been hacked as their image is at stake,” said Fong.
Things are even more dire for small and medium enterprises (SMEs), who are prime targets for hackers because they lack the resources to have cybersecurity measures or rely on third parties to protect their digital spaces.
CyberSecurity Malaysia chief executive officer Dr Amiruddin Wahab said Malaysian SMEs were 33% likely to be victims of cyber attacks, nearly 5% higher than businesses of any other Asean country.
“Unfortunately, most still lack awareness on information security and this often leads to haphazard management of their information and digital assets,” he said.
PwC Consulting Services Associates (M) Sdn Bhd’s senior executive director and forensic lead Alex Tan said he had dealt with three cases here involving losses of between RM700,000 and RM36mil.
“The figures should be higher as there are cases that go unreported due to unwanted embarrassment or because the company was simply unaware it had been hacked,” he said.
Tan said professional service providers such as lawyers, accountants and architects were among targets of such cyber criminals.
He cited an example where a lawyer’s client may get an email from a hacker using the firm’s e-mail requesting payment for service or for purchase of a property.
“The hacker would usually give the excuse that there is a problem with the firm’s bank account and request the unsuspecting client to transfer money to a different account instead,” he said.
Tan advised companies to verify before making online payments to unfamiliar bank accounts.
“One step companies can take is that their board of directors ask for monthly reports on cybersecurity. They should know where their company’s data is located and stored, who has access to it and how it is protected,” Tan added.