Category Archives: Cybercrime

Scam Alert!

A friend I have known since my university days recently came dangerously close to falling for a phone scam. Nothing unusual there, you might think. However, this victim was a hard-headed businessman, the last person you would expect to be caught out by scammers. I began to think about the number of people I knew who had been targeted in this way.

Generally, the victims of these scams are NOT poor decision-makers. They may, like my friend, have successful business or professional careers, but something makes them unduly open to persuasion. Modern life is increasingly complicated and the information overload seems to get greater every day. We navigate through it using all sorts of shortcuts and rules-of-thumb. Scammers take advantage of these processes to catch their targets off-guard. Which means that no one is immune to being scammed. We need to be on our guard: if something sounds like a scam it probably is one.

The subconscious mind can be exploited in different ways. Scammers know about many of the techniques that can help people to take irrational decisions. These include allowing them to visualise future outcomes, motivating them to make over-hasty decisions, among many other methods. Many scams target people who do not have enough technical knowledge to understand how some things work. When a person has less knowledge about something it becomes much easier for a plausible scammer to drag them into a trap.

Wikipedia defines Emotional intelligence (EI) as: “the capability of individuals to recognize their own, and other people’s emotions, to discern between different feelings and label them appropriately, to use emotional information to guide thinking and behaviour, and to manage and/or adjust emotions to adapt environments or achieve one’s goal(s).” Which is a long-winded way of saying that, when dealing with strangers (particularly on the telephone) you need a very strong empathetic sense of what is going on in the current transaction. Scammers also use emotional intelligence to make us comply and to “feel safe”. Perhaps this explains why so many technically-oriented professionals fall into the trap.

Saddest thing of all, it is good people who make the easiest targets. Some people assume that all people are “good”; usually the ones who really are “good” think that way. By believing that everyone out there is like them, they respond to scammers without suspicion. I would put my friend in this category, although he had enough life-experience to smell a rat when his caller told him that he was due a credit from BT Openreach for which they would need bank details.

Forgive me if I am preaching to the converted, but I treat all cold calls, whether by telephone or email or any other method, with deep-rooted suspicion, but that might be because I am a tight-fisted Yorkshireman, a cynical bastard, or probably both. Whichever way it might be, I have learned to respond to cold calls by telephone either by telling the caller that, when I want the goods or services they are purporting to sell, I will go looking for them myself or, if I am interested, I tell them that I am too busy to talk at the moment and ask them for their telephone number so that I can ring them back when I am free. It is amazing how many callers hang up at this point.

If you are targeted by phone, including texts, or by email or are the victim of any kind of cybercrime, please report it immediately to Action Fraud any time of the day or night using their online fraud reporting tool: www.actionfraud.police.uk/report_fraud, or by calling 0300 123 2040. Your local police might also have their own cybercrime unit. The more information the police receive the more likely they are to put a stop to the scammer.

As an object lesson:

  • This was a BT Openreach scam, masquerading as a cold call about broadband speed.
  • The caller installed TeamViewer on my friend’s PC ostensibly to check broadband speed.
  • He did ask for ID and the credentials offered were very plausible. For example: everything that was shown was branded as “BT Openreach”.
  • The scammer asked my friend to type values into a terminal.
  • The calling telephone number was within the UK.

Carefully prepared and expertly executed. Unlike a scam that was visited on a friend in the USA who got an email from “Smith & Weson”! We cannot rely on scammers to make obvious mistakes these days; they have learned.

One lesson we can learn is not to let anybody take control of your computer unless you have contacted them and asked them to – for example – run diagnostics. Otherwise nobody has any legitimate reason to take over control of your computer and you do not have to type in any values if you are uncomfortable doing so.

A suggested immediate action drill on finding yourself in this situation:

  1. Break the Internet connection at once, and I mean physically. Pull out the cable or switch off the router.
  2. Put your virus protection and related security software on a deep scan.
  3. Phone your bank to have them monitor your account(s).
  4. Phone your payment card providers (there is usually an emergency number printed on the back of each card) so that they can block any suspect transactions.
  5. Contact your dealer, tech support number or any other support you have available to you, tell them what has happened and follow their instructions. Most suppliers and manufacturers have a help line. This may involve taking your machine in or calling out an engineer to thoroughly diagnose the extent of the damage done.
  6. Lodge an incident with the police (see above).
  7. When you are back on line send an email to everyone in your contact book to tell them to report any unusual messages they receive from you. Do not be embarrassed to admit that there has been an attempt to scam your account; you are acting decisively to clear up after it.

One last word: I keep the emergency numbers (tech support, BT, police, bank etc.) on a card that goes everywhere with my laptop. I have never had to use it but I am easier in my mind knowing that I have everything in one place if I do fall victim.

Cyber-security must be top-down and all-pervading

There is a dawning suspicion among both the private sector and the public that even with the most advanced encryption the internet will never be sufficiently secure for the most sensitive data. The debacle over the San Bernardino shooter’s iPhone has shaken many I have spoken to who thought that technology could make them safe. Leaving aside the legal and ethical considerations (which the legal systems of the world will have to sort out by test cases in coming years) the question comes down to this: will there ever be a technology that cannot be unravelled by an intruder if the incentive is there? At present the answer seems to be: “No”.

Does this mean that sensitive data will have to be transmitted in other ways? Are we going to see the re-emergence of bank messengers and military despatch riders? Should we be buying shares in paper mills? Where does that leave the UK government’s “Digital by Default”? We have a client who reverted to paper-based operation until he could design and install a closed dedicated messaging system. Will this be the way forward? As banking becomes increasingly a digital business this might be the only way to reassure customers that their details, and their money, are being protected.

It is not too far-fetched to imagine a secure intranet being set up and managed, possibly by the Cyber-Innovation Centre at GCHQ, to allow UK businesses, banks and government to trade with each other in a closed environment outside the internet. However, where does that leave the man-on-the-street? There is an individual judgement to be made here: am I prepared to accept the level of risk involved for the convenience of transacting on-line? Having adequate insurance against losses moves the balance of the argument toward “yes”. We have to get used to the idea that there are no guarantees.

Since I began working on eBusiness in 1995 organisations have generally considered Cyber-security to be an ICT issue – “our IT department does all that” – and it is only within the past five years that it has begun to be recognised as a matter of corporate governance and the responsibility of everyone in the organisation from the C-suite down. Directors and senior managers take the lead, embedding best practice in the corporate standards and strategies and cascading those down to every employee. Cyber-security is now as important as the monthly sales figures for most businesses, even if many do not realise it. Showing customers that the business or other organisation is taking every reasonable measure to minimise the risk to them will help build confidence in the organisation and encourage customers to transact on-line.

I will close with an anecdote: a major City business carried out a redundancy exercise during the recession, eliminating a complete layer of management. One manager in the IT department was allowed to work his notice (generally considered to be a bad idea!) and one evening visited the eighth floor to check an equipment closet. As he passed the CEO’s office he noticed that the CEO’s password was stuck to the screen on a sticky-note (incidentally the staff handbook listed this as a disciplinary offence). He sat down, logged on and emailed redundancy notices to the entire board, logged off and went home. The point of this story is that even if there were such a thing as wholly secure technology, that fallible component called a human being will find ways to compromise it, and that is why Cyber-security must be top-down and all-pervading.

Where’s my data?

Moving corporate data off-site to a cloud provider can make good sense; it will have levels of security, resilience and availability that it would not get in a local server room and at a lower cost. However, talking to a colleague yesterday reminded me that I have often spoken to businesses that do not know where their data is held. At least their IT department might know but the C-suite decision makers answer the question with: “It is in the cloud”. Asked to define the cloud many are surprised when they realise that cloud storage just means putting your data on somebody else’s server or servers.

Where those servers are physically sited can be an issue. I remember one CEO who threw a wobbler when he learned that his precious data was sitting in a datacentre in China. That was an extreme reaction but if you are possibly going to have your data stored on multiple sites in different countries and backed up elsewhere then you need to know where those locations are and to satisfy yourself that you are happy with the risk strategies, insurance and legal safeguards in place at these locations.

When working as a systems or solution architect among the questions I ask clients are: “Is your cloud provider reliable and trustworthy?” “Have you looked into their track record, size, stability?” “What insurance have they got in place?” “Has the provider been hacked or otherwise compromised?” (They will provide levels of security and resilience beyond the resources of most local datacentres but they are not invulnerable). “Can they provide 24/7 cover and support?” (If your business operates over the weekend you do not want your operating data stored with an organisation that goes home at five on Fridays).

There is a danger, too, in excessive reliance on a single supplier. Once your data is embedded with the supplier the cost and inconvenience of moving it to another supplier can make it impractical or you might end up running in parallel with two suppliers for a time. Some organisations get round this by having a primary cloud provider and a deep storage supplier.

If we accept that an organisation’s data is its most valuable resource then handing it over to another organisation should only be done after a good deal of due diligence, investigation, visits to the datacentre, talking to other customers of the provider, the entire process. It might also be worth calling in a consultancy to review or design your cloud storage. A little extra up-front cost but a lot of extra peace of mind.