• Phishers may be taking advantage of the current lockdown fears in the UK
  • If they do, watch out for SMiShing mobile messages that spoof UK government COVID-19 guidance messages in the coming days and weeks
  • Never click on a link in a mass-generated text or email; always navigate directly to a legitimate government website

This is a “The Defence Works special edition”, a ‘public information announcement’ about potential new threats that may arise.

The COVID-19 pandemic is challenging all of us in many ways. One government announcement this week was that people in certain groups would be required to remain indoors for up to 12 weeks. These individuals are those in our society that are most at risk, people with certain cancers, or severe heart conditions, and so on. A list of people who fall into a category that requires ‘shielding, can be found on the Gov.uk website. And, Monday evening, one of the most chilling announcements was made, all persons in the UK must abide by stringent rules of social distancing to protect our NHS from over-burden.

The details of how to protect our most vulnerable, ourselves, and our NHS means the UK government needs to communicate to the population of the UK in any way they can.

Stay at home. Protect the NHS, Save Lives

As part of ensuring that everyone in the country was aware of the immediacy of the lockdown in the UK, the government has been sending out texts to citizens. To achieve this, the UK government asked carriers, including EE, Vodafone, and O2 to help, by sending a text to their subscribers. A copy of the text is shown below. It alerts the recipient to these new rules to help protect the wider population, ourselves, and the NHS against COVID-19.

The text also contains a link to a government website to give you further details on what you can and cannot do under the new restrictions.

Whilst it is vital under the current coronavirus pandemic for the government to easily communicate with citizens, there are also issues this might raise regarding phishing.

Here, “The Defence Works” takes a look at what you should be aware of to prevent a cybersecurity breach if cybercriminals take advantage of the situation.

SMiShing, Phishing Kits, and COVID-19?

SMiShing is a type of phishing that uses mobile SMS messages or other messaging apps to deliver a phishing message. We regularly write about SMiShing in our Breaking Scams section, as SMiShing is a tactic, often used, by fraudsters; the most recent post discusses a British Telecom (BT) SMiShing scam “PUPpy Love: BT Billing SMiShing Scam’. We describe how the fraudster disguised a phishing text message to make it look like it was from BT. The message contained a link, which if clicked, went to a malicious website.

If you’ve read so far, I’m sure you already know what we are going to say: The BT scam, typical of a SMiShing scam looked a lot like the legitimate UK Gov message received by so many UK citizens.

Fraudsters love an opportunity to increase the click rate of a phishing message. They use any tricks they can to encourage a knee-jerk reaction to click on a link. The fear inherent in the current pandemic situation is perfect fodder for cybercriminals. All you need are the right tools to take advantage of that fear and use it for criminal means.

Phishing kits are big business in the world of cybercrime. Phishing is now an ‘as-a-service’ business opportunity that literally anyone with a criminal mindset can take advantage of. Researchers at Cyren Labs found 5,334 phishing kits for hire in the first half of 2019; to use the ‘Phishing-as-a-Service’ option in the dark web checkout, a fraudster pays the cybercriminal operation behind the kit, from $50 per month rental fee. For that, they can get all the tools they need to send out readymade phishing emails or SMiShing messages and an associated spoof website/malware to use to reel in the cash. The fraudsters can even buy lists of mobile phone numbers to use as targets.

The thing is, this latest government text message, giving advice to citizens on what to do during the coronavirus pandemic is great, but it will also ring the till for cybercriminals.

Copycat, Dirty Rat

As we have seen in our many Breaking Scam posts about phishing and other scams doing the rounds, cybercriminals like to jump on an event. Yearly events like tax return time or Amazon Prime Day, are all candidates for a fraudster phishing campaign; last year security vendor McAfee discovered just such an Amazon Prime phishing kit available for sale on the dark web.

It is not much of a stretch to think that in the coming days or weeks, phishing kits that mimic government texts will be sent out, en masse, to British mobile numbers. Phone numbers that have been stolen in the many data breaches we have seen in recent times.

What to Do if you Receive a UK Gov COVID Text Message?

COVID-19 is a very serious and worrying pandemic. We all must make efforts to heed the advice of government scientists at this time. However, if you get a Gov UK COVID-19 text, instead of clicking the link, navigate directly to the government website that has details on the virus. This simple act may not only save lives, but may also save you from identity theft, stolen data, and financial loss which, let’s face it, none of us can afford at this worrying time.

To all reading this, stay physically safe and stay cyber-safe.

If you’d like to know how security awareness training packages work, sign up for a free demo here.

Share this:

Do you hear the words ‘security awareness training’ and think…b..o..r..i..n..g…?

Well, I can’t blame you. So many times, security training programs are frankly, dull. Cybersecurity has traditionally been quite a dry subject, in general, so perhaps that is why awareness training has been also a little on the boring side. However, cybersecurity is far from mundane and lifeless. As cybersecurity threats such as phishing and Business Email Compromise (BEC) continue to attack all businesses across all sectors, the fight against them can be made more attractive through fun, interactive, training sessions.

Here we look at 5 ways that security awareness training can be made, not only attractive and fun, but effective too.

5 Fun Ways to Make Security Awareness Stick

As cybercriminals continually challenge our companies and our staff, we can build defences against them using knowledge. Teaching people how to stay safe in a digital world can be made interesting and useful. How to do that is where The Defence Works excels. We have always designed our training programs to be interactive, fun, and to deliver the most up to date content that reflects real cybercrime. Here are our top 5 ways that you can incorporate fun into your security awareness training.

Play games

Let’s face it, we are all big kids at heart. But on a serious level, having fun while learning has been shown to be more effective at building skills. Fun brings learning to life; it engages people and makes them want more. It can also help in explaining complicated ideas and help with understanding. By using fun and interactive games to train your employees about security awareness training you are building more effective training programs. Game-based Learning Theory calls this type of learning ‘experiential’ as it is based on building experiences through role-playing and other games.

Security awareness offers the perfect scenarios to learn using games. For example, you can create role-playing games where some team members act as cybercriminals attempting to scam other staff members – switch each team to learn about the different aspects of the game. In this way, both sides of the game will learn how each operates and how to prevent a cyber-attack such as a phishing scam.

The Defence Works uses gamification across our security awareness training options to make sure that your staff learns through fun.

It is also worth noting that you can do security awareness training games remotely.

Make it interactive

Boring and dry classroom security awareness training is enough to make anyone fall asleep. But if you train people by encouraging interaction with a training session, they are more likely to remember what they are being taught. Scenario-based or ‘in the moment’ security awareness training makes memories that can become good habits.

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Make it relatable

People learn more effectively if they can relate to the subject matter. It is one of the reasons why when you teach a subject you try and personalise it. Andragogy, Adult Learning Theory states that:

Since adults are looking for practical learning, content should focus on issues related to their work or personal life.”

Making learning relevant and relatable will make the topic hit home. This is very important when it comes to cybercrime against employees as it often is personal. Cybercriminals use phishing that is tailored to home in on personal aspects of an individual. A phishing email, for example, often uses tricks such as key events that affect people on a personal level. Spear phishing targets specific people and uses their job type to personalise a scam email. The recent surge of phishing that uses the fear of COVID-19 to encourage email recipients to click a malicious link, exemplifies this.

Laughter is the best security medicine

Here at The Defence Works, we take laughter very seriously. The old adage, laughter is the best medicine is also true for learning. Laughter has been shown to improve trust and relax people, both of which contribute to better learning experiences. When you research and develop ideas for building a security awareness training programme for staff, choose one they will respond well to. The Defence Works has created a series of comedy sketches, written by BBC comedy writers to make sure your staff are aware of key cybercrime tactics.

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

Socially engineer employees

To “socially engineer each other” is definitely a candidate for an updated version of the Oxford English Dictionary.  Cybercriminals use social engineering to the point of being an art form. Scams and other cybercrime attacks are almost always (99% of the time) designed to need human intervention to work. To obtain this human input, the fraudsters turn to human behavioural psychology. That is, they use human traits, like trust and fear, to execute their cybercrime plans.

One thing about human behaviour is that it can be used for good, not just evil. By modifying natural responses and putting in place caution under certain circumstances, you can help avoid cyber-attacks.

Add some fun into security awareness training by socially engineering each other. I know it sounds a bit mad, but it makes sense. The more a person gets used to the tricks that cybercriminals play, the more security aware they become. In turn, a person will become more likely to stop and think before clicking a malicious link.

Use the game-based strategy described above to design social engineering-based games where staff members try out different methods to trick colleagues into clicking a link in an email.

Although we advocate making security awareness training fun and interactive, we also recognise how serious cybercrime is. The Defence Works design programs that deliver effective security training that make your workplace a safer place.

If you’d like to see just how much fun our security awareness training packages are, sign up for a free demo here.

Share this:

The chains of habit are too weak to be felt until they are too strong to be broken.” – Samuel Johnson

As we all know, in life, there are good habits and bad habits. I am not here to discuss the bad ones; we all know what they are…but forming good habits can be a really important thing to do when fighting modern cybersecurity threats.

A habit is a type of behaviour. As such, by creating a habit you are developing a behaviour that will, over time, become second nature. And positive habits can be a weapon against cybercrime. Cybercriminals also use human traits and habits to facilitate cybercrime; the types of habits they use include things such as creating a poor password. In a National Cyber Security Centre (NCSC) survey into the most common passwords, the top was“123456”.

To create “strong chains of habit”, we offer up 5 top security habits to form.

Top Cybersecurity Habits to Form

Here are our top 5 security habits that will help you to protect yourself and your business from cybersecurity attacks.

Habit One: Practise good passwords

You may not have as bad a habit as using 123456 for your password, however, here are some good tips to use to give you good password habits:

  • Do not share passwords with others (no matter how much you like them)
  • Do not write passwords down on paper – if you do, place the paper in a safe, lockable place.
  • Do not use the same password for multiple accounts
  • Create passwords using 3 or more random words
  • As an option, look at using a password manager to manage your passwords

Habit two: Patch in time

Software flaws (vulnerabilities) are exploited by cybercriminals to infect computers and other devices with malware. Sometimes this infection happens without you even being aware. In this case, you will likely have been the victim of a ‘drive-by-download’ which is where a website that contains an ‘exploit kit’ is used to look for software vulnerabilities on your machine. If the exploit kit finds one, it takes advantage of the flaw and automatically installs or prepares to install, malware. Recently, this tactic was used when a vulnerability was discovered in Internet Explorer. The malware installed was a form of ransomware.

To minimise the risk of infection by this method, always keep your computers and other devices, including IoT devices, up to date with the latest updates and patches.

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Habit three: Know your security

Cybercriminals are always looking for new ways to commit cybercrime. Phishing tactics, for example, are continuously being updated to reflect any new changes in technology. It is as if the cybercriminals are always one step ahead. Phishing is such a big business that there are now ‘phishing kits’ that automate the process of phishing so that anyone can now send out phishing campaigns and rake in the money.

Get into the habit of keeping up to date with the latest in cybersecurity fraudster tricks. You can do this by personally taking an interest in the area and reading scam warnings from The Defence Works regular “Breaking Scams” posts. You can also build a good habit by using fun, interactive, online training in security awareness from The Defence Works to keep you ahead of the fraudsters.

Habit four: Be Mobile “Appy”

Many of us have a habit of downloading mobile phone apps. It is so easy to go to the app store, find something interesting, then click to download and install. In fact, it is almost too easy…Fraudsters know this, and there are many cybercrimes that begin with a malicious app download. A report from WhiteOps found that over 100 Android apps with 4.5 million downloads were infected with malware that delivered non-stop fraudulent ads to a phone. Malicious apps can be used to steal personal data and login credentials too. It is important to stop the bad habit of downloading free apps and form good app habits:

  • Only download mobile apps from known app stores
  • Check app settings and disable any that seem unneeded
  • Be careful about using free apps and read the comments and reviews on the app
  • Double check any permission requests during install or use of an app
  • Turn off any automatic connection for wireless services

Habit five: Back it up

A good habit to form is to keep secure backups of your files. Ransomware continues unabated increasing by 365% between Q2 2018 and Q2 2019. One way to minimise the impact of a ransomware attack is to have robust, secure, and ransomware-resistant backups. The key to this is to maintain offline backups, as the NCSC states “only connecting the backup to live systems when absolutely necessary”

Creating good security habits is a great way to turn everyday computing-related behaviour into something that can prevent a cyber-attack. By knowing what kind of behaviour works to stop a cyber-threat, you can create a more secure working environment for yourself and your colleagues.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this:

Gadgets, we love them, don’t we? So much so, that the Smart Home market will be worth about £117 billion (USD 151.4 billion) by 2024. The problem is that the modern gadget is internet-enabled, or in other words, home devices are now part of the wider Internet of Things (IoT). So what, I hear you exclaim, as you turn to your digital assistant and say: “Hello Alexa, tell me a joke.” Well, the joke may be on you if you don’t take some precautionary measures to protect your Smart Home against cyber-threats.

In 2019, cyber-attacks on IoT devices increased by 300%, according to research by security vendor F-Secure. Cybercriminals love the fact they can disrupt your life by taking advantage of security flaws and vulnerabilities in things that sit inside our living room.

If there is no safer place than home, then we need to make sure that we close the door on cybercrime. Here are 5 tips to do so…

The Smart Home is a Safe Home

A YouGov report found that 23% of British homes contained one or more smart devices (excluding smart meters). Smart devices are based on data. They create it, collect it, share it, and often store it in apps on your mobile phone. These data are valuable because these data are us; our identity, our behaviour, our financial details. The job that a smart device does is also a risky area in terms of cyber-threats. Being able to control a person by controlling their environment can be an attractive proposition for a certain nefarious individual. Personal safety is also an element of cybercrime aimed at smart devices.

Here are 5 ways to make sure you can batten down those smart home hatches.

Tip one: A good pedigree

The UK Government is bringing stronger legislation around IoT devices into law. The legislation will mandate that IoT manufacturers must follow stringent security guidelines, including ensuring that passwords are unique and that reporting a security flaw is made easier. This legislation is being created to reflect the poor security practises of many IoT manufacturers, evidenced by the fact that less than 10% of consumer IoT companies follow vulnerability disclosure policies.

When buying a smart device, check out the pedigree of the manufacturer. Do they offer regular security patches, do they allow for easy password updates? Once the UK legislation comes into force this will be much easier to do, as it will force manufacturers to use an IoT security label that clearly shows their commitment to security.

Tip two: The old default password issue

Default passwords for common IoT devices are on the internet for any interested person to find. For example, a recent list was posted to the web that gives manufacturer passwords for half a million routers and smart home devices.

Whilst the legislation to mandate good security practices weaves its ways into the mainstream of manufacturing, you should look to ensure that any default passwords on your smart devices are immediately changed.

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Tip three: Isolation and guest networks

If you have visitors to your home, make sure that they use a guest network and not your main network. Isolate your main home network from a guest network using a password (and use a second factor for login if available too). Connect your own personal smart devices to your main network. Work on the use of IoT devices in domestic abuse cases has been carried out by a team at UCL in London. They found instances where ex-partners still had control of a device through the network which they would use to control temperature setting, etc.

On the matter of misuse of devices and associated data. This Tweet shows how difficult it can be to control your own information once someone else has control of it.

 

Source: Twitter

Tip four: Switch off extra settings

Switch off any settings on your smart device that are not needed. For example, you may want to switch off routine use of the microphone and camera on a digital assistant such as Amazon Alexa. Or think about disabling the use of voice purchases. In terms of privacy, some smart devices are better than others. Check the privacy settings to see if your data is being shared with third-parties and if you can switch this feature off. You can also check to see if voice data is saved and delete any that is not expressly needed to work the device.

Tip five: Smart unplugged

If you don’t use it, switch it off. A study by the Royal Society of Chemistry (RSC) found that there may be up to 40 million old or unused smart devices in homes across the UK. Many of these are smart phones, but other devices such as wearables are also commonly bought and discarded. Whilst this is bad for the environment, it is potentially great for cybercriminals. The devices may have been used at some point, accounts created, data added, stored in cloud servers and forgotten about. If you stop using a device, you should attempt to delete the data and the account. However, some manufacturers may not have made provision for this option, and you may have to contact them directly to have your account closed and data deleted.

The Defence Works hopes that you find these tips on how to keep your smart devices cyber-safe useful. Check out our blog features for more cybersecurity tips.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.

Share this: