On a recent service-check road trip for one of our clients – something we do as part of our package – we had a bit of an epiphany. One of the key areas of engagement from all stakeholders on every visit was the subject of security and protecting information assets. We realised that cybersecurity is such a big deal to you – to us, to everyone. And we think it’s because this issue is relevant to our personal lives as much as it is to our professional lives.
We are all vulnerable to attacks from unscrupulous individuals looking to take or make money from us – and sadly, though it may be the most wonderful time of the year, Christmas can also be the most vulnerable time of the year. We’re distracted, we’re spending a lot and have lots of transactions etc – there are lots of opportunities for attackers to take advantage of us.
The discussions we had on our tour of our client’s sites have inspired us to share with you some of the issues we covered, and the key threats that we are all facing both in business and at home.
I hope this serves to enlighten you as to the reality of the security issues we are all at risk from and gives you some tools to keep you, your family and friends, and your businesses safe this Christmas and beyond.
The most common security threats we’ve seen in 2022
Man-In-The Middle attacks
The term “man-in-the-middle” is often used loosely here, so it is worth being precise. Strictly, a man-in-the-middle attack is one where a malicious third party sits between you and a service, reading or altering the traffic as it passes. What is usually described under that label in the conversations we have is an account takeover: the attacker gets into a major account – think your Apple, Microsoft or Google account – and either pretends to be you or harvests information from your account details. Either way, they will then usually make changes and send or sell your information on.
The trouble with this form of attack is that it isn’t always obvious you’ve *been* attacked – until it’s far too late. Sometimes these attackers don’t even act straight away; they sit and wait, scanning for those all-valuable bits of information – your bank details, credit card numbers, pictures of your PINs or personal information. Then when you least expect it, they will change some details in an email, or forward it somewhere and your money will be gone.
To keep yourself safe from this kind of attack, start with your passwords – the ones you use for your various devices, applications and online services right now – and turn on multi-factor authentication on those accounts.
Also, think about what information about you and your family is available publicly. Birthdays, anniversaries, names of your loved ones and pets, your favourite football team. How many words associated with that information you feel is private are included in your passwords? Your PINs? Your alarm code?
One of our staff members, when handling a cyber breach, managed to access 6% of accounts simply by making educated guesses at what some passwords might be. That’s just human brainpower. Imagine what a bot with AI – or something even cleverer, like Jacob – could achieve…
At Astro, we scan the dark web for “sold” passwords – we receive lists of them every week – and cross-reference them against our customers’ passwords to keep them safe. All passwords should be long, unique to each service and not built from information about you. Uncommon characters help, but that doesn’t mean sticking an exclamation mark on the end of your firstborn’s name. We know you’ve done it.
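The two checks described above – guessing passwords from public facts about a person, and cross-referencing against lists of breached passwords – can be shown in a few lines. The script below is an added example and is not Astro’s own tooling; the profile, the “mangling” rules, the 16-character threshold and the breached-hash sample are all constructed for illustration (the sample is built inline from a handful of well-known weak passwords so that it runs offline). The breach check mimics the range-query style used by Have I Been Pwned: only the first five hex characters of a SHA-1 hash would leave the machine in a real query, and matching happens locally.

```python
"""
Added example, not Astro's own tooling: builds a targeted guess list from
public facts about a person, then checks a candidate password against that
list and against a local sample of breached password hashes.
The profile, mangling rules and breached sample are all constructed here.
"""
import hashlib
import itertools

# Constructed profile: the sort of facts a public social-media page gives away.
PROFILE = {
    "names": ["Sarah", "Tom"],              # partner and firstborn
    "pet": "Biscuit",
    "team": "Arsenal",
    "dates": ["0304", "1995", "03041995"],  # birthday as ddmm, yyyy, ddmmyyyy
}

# Common 'mangling' people apply to a word they think of as private.
SUFFIXES = ["", "!", "1", "123", "1!", "2022", "2023"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def targeted_wordlist(profile: dict) -> set[str]:
    """Every seed word in a few spellings, with common suffixes and dates."""
    seeds = set(profile["names"]) | {profile["pet"], profile["team"]}
    words = set()
    for seed in seeds:
        spellings = {seed, seed.lower(), seed.upper(), seed.translate(LEET)}
        for base, suffix in itertools.product(spellings, SUFFIXES):
            words.add(base + suffix)
        for base, date in itertools.product(spellings, profile["dates"]):
            words.add(base + date)
    return words


# Constructed stand-in for a breach corpus: upper-case SHA-1 hex digests, the
# format used by Have I Been Pwned style range lookups. Built inline from a
# few known weak passwords so the example runs offline.
BREACHED_SAMPLE = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password", "Biscuit1!", "Sarah2022", "letmein", "qwerty123"]
}


def breached_by_prefix(password: str, corpus: set[str]) -> bool:
    """k-anonymity style check: in a real range query only the first five hex
    characters of the hash leave the machine; the suffix match happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in bucket


def assess(password: str, profile: dict, corpus: set[str]) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < 16:          # assumed threshold, matching the advice below
        problems.append("shorter than 16 characters")
    if password in targeted_wordlist(profile):
        problems.append("guessable from public personal information")
    if breached_by_prefix(password, corpus):
        problems.append("appears in a breach corpus")
    return problems


def guessed_share(passwords: list[str], profile: dict) -> float:
    """Fraction of a set of passwords the targeted list would crack outright."""
    wordlist = targeted_wordlist(profile)
    return sum(p in wordlist for p in passwords) / len(passwords)


if __name__ == "__main__":
    for candidate in ["Biscuit1!", "S@r@h03041995", "correct horse battery staple 42"]:
        print(candidate, "->", assess(candidate, PROFILE, BREACHED_SAMPLE) or "ok")
```

The targeted list here is deliberately tiny; a real attacker’s rule set is far larger, and the only defence that holds up is a password that has nothing to do with you at all, which in practice means letting a password manager generate it.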
Spoof attacks asking for money
You’ve probably heard of the text message and Whatsapp scams that are doing the rounds where scammers send messages pretending to be a feckless teen or grown up child appealing to a loving parent to bail them out of a financial predicament.
This kind of spoof attack is as common in emails as it is in text messages, WhatsApp or Messenger. And they’re as common in business – if not *more* common in business – than they are in personal communication.
The general premise is that they pretend to be someone you know, and there is generally an urgency to the message that makes you unlikely to hang about making the right kind of checks on whether the claims are true. Every week at Astro our CEO gets a message from another member of the senior leadership team asking him to send money somewhere.
“I know you are busy, but I need you to do something for me really quickly.”
“I can’t talk right now, but I need you to make a transfer ASAP.”
“I’m really embarrassed but I can’t pay my xxx, and I need to borrow xxx until next week.”
And some of them are even fake!
These scammers are never asking for a fortune, because they know that would make you stop and think. But they’re always asking for enough that it will hurt when you realise it’s gone.
In the business world, this kind of scam is known as Business Email Compromise. Once attackers have a foothold in a mailbox – or have simply studied your website and LinkedIn – they can monitor your business communication and learn your structure and who you work with. They may know who’s in and out of the office, be able to address everyone by name, emulate communication style and register convincing lookalike email addresses, so nobody suspects a thing until it’s too late.
We’ve even seen emails to Finance and HR departments asking for someone to change their bank details for their salary payment. Of course, the bank details are fake – and the salary payment goes to the scammer.
The same types of emails (and snail mail letters) are often used by scammers to pose as suppliers requesting a change of bank details.
Spoof attacks by phone
There are now so many malicious call scams, but HMRC impersonation is still the most common: a caller tells you that you need to make a payment for unpaid taxes. Another really common version is a call from a “delivery company” saying an item you ordered or have been sent is stuck in customs and you need to pay the duty or they can’t deliver it.
Our CEO’s brother was almost the victim of a similar attack, where he received a call apparently from the holiday company he was booking a holiday home through. They told him that their bank details had changed, and asked him to use the new ones for his scheduled payment. He didn’t, thankfully. But they knew what he had booked and when his payment date was – and it seemed legitimate.
Spoof attacks by link
At Astro, we’ve seen a huge increase in attempts of this type against us, both personally and professionally.
The CEO received a Whatsapp message seemingly from a close friend recommending a tempting BA deal with a link to click on – but it was a fake, and the link contained a one-way ticket to malware hell. The friend’s account had been compromised.
A client sent us a link to a prospectus via LinkedIn, which required us to log in to OneDrive. It looked out of character, so our suspicions were raised – and it turned out to be someone trying to steal our Microsoft account details through a fake portal.
We’ve also received messages from ‘Microsoft’ asking us to change passwords, or fill out a form with details before the account is ‘locked’. Also, ‘PayPal’ asking us to deal with an urgent security issue by clicking a link.
What a link does depends on the attacker’s motive – a fake login page that harvests your credentials, or a download that installs malware – but it is never good news. Do not ever click on a link in a message unless you are absolutely certain it has come from a reliable source.
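Much of the “is this link what it claims to be” judgement can be made before clicking. The script below is an added example, not Astro’s tooling, and it goes a little beyond the cases in the stories above: it pulls the links out of a message, reads the domain that actually owns each one, flags addresses that merely contain a trusted brand name (the `paypal.com.something.example` trick), flags anchor text that shows one address while the link points at another, and catches internationalised lookalike hostnames such as a Cyrillic “а” in “pаypal”. The trusted brand list, the small set of two-part public suffixes and the message are constructed assumptions.

```python
"""
Added example, not Astro's own tooling: pre-click checks on the links in a
message. Brand list, suffix table and the sample message are constructed.
"""
import re
from urllib.parse import urlparse

TRUSTED = {"paypal.com", "microsoft.com", "britishairways.com"}  # assumed brand domains
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}      # assumed small sample

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)

# Constructed message: a brand-in-subdomain link with misleading anchor text,
# a genuine Microsoft link, and a homoglyph domain (Cyrillic U+0430 for 'a').
CONSTRUCTED_MESSAGE = """\
Hi, your account will be locked. Verify here:
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/security</a>
Also see https://login.microsoft.com/ and https://p\u0430ypal.com/reset
"""


def registrable_domain(host: str) -> str:
    """The part of a hostname someone had to register: the owner's real identity."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_links(body: str) -> list[tuple[str, str]]:
    """(href, visible text) pairs; a bare URL's visible text is itself."""
    links = [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in LINK_RE.findall(body)]
    without_anchors = re.sub(r"<a\s.*?</a>", "", body, flags=re.I | re.S)
    links += [(url, url) for url in BARE_URL_RE.findall(without_anchors)]
    return links


def link_warnings(href: str, text: str) -> list[str]:
    """Reasons to distrust one link; empty means nothing obviously wrong."""
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)
    warnings = []

    # Non-ASCII or punycode labels: the classic homoglyph lookalike.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"{host}: internationalised hostname, possible lookalike")

    # A trusted brand name appearing anywhere in a host that the brand does not own.
    if domain not in TRUSTED:
        for brand in TRUSTED:
            word = brand.split(".")[0]
            if word in host:
                warnings.append(f"{host}: contains '{word}' but the real domain is {domain}")
                break

    # Anchor text that looks like a URL for one site while the href goes to another.
    text_host = (urlparse(text).hostname or "").lower() if text.lower().startswith("http") else ""
    if text_host and registrable_domain(text_host) != domain:
        warnings.append(f"link text shows {text_host} but points at {host}")

    return warnings


def scan_message(body: str) -> dict[str, list[str]]:
    """Map each suspicious link in a message to its warnings; clean links are omitted."""
    return {href: w for href, text in extract_links(body) if (w := link_warnings(href, text))}


if __name__ == "__main__":
    for href, reasons in scan_message(CONSTRUCTED_MESSAGE).items():
        print(href)
        for reason in reasons:
            print("   ", reason)
```

The registrable-domain step is the important one: `login.microsoft.com` is owned by Microsoft, `paypal.com.account-verify.example` is owned by whoever registered `account-verify.example`, and the eye reads them the other way round. A full public-suffix list should replace the four-entry table in anything beyond an illustration.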
What you can do to keep safe from security threats:
At Astro, we do a number of things to protect our colleagues and clients at work: multi-factor authentication, firewalls, 1Password, antivirus (Avast). But 90% of attacks at work come through users, not technology – and this is true for almost 100% of personal attacks.
Some of the attacks you might come across will be sophisticated – and the attackers are, at times, more determined to get your money than you are to keep it.
At this time of year especially, you are often busy and just want to get on with your day. This is a facet of the human condition that they prey on. But, as worrying as all this is, there are definitely things you can do to help protect yourself, both at work and at home. The following dos and don’ts will help you stay vigilant against security threats.
Dos and Don’ts of information security
Don’t use the same password for everything, and certainly don’t use the same passwords for work and personal things. Use a tool like Roboform, Dashlane or 1Password to create and manage complex passwords.
Do look after the passwords on your personal devices and accounts. Usually this is taken care of at work, but it’s something we neglect in our personal lives. Guidance varies, but currently the recommendation is a 16-character passphrase including upper and lower case letters, numbers and uncommon characters; rather than changing it on a schedule, keep it secure, never reuse it across platforms, and change it immediately if it turns up in a breach or you suspect it has been seen.
Don’t change any bank details or provide bank details without validating over the phone that the contact is definitely who they say they are – and call a number you already hold, not one given in the message. Your bank will never text or email you asking you to enter your details into a platform; they will only ever ask you to use your existing applications.
Do use MFA wherever possible, on as many applications and services as you can. An authenticator app or hardware key is stronger than SMS codes, but SMS is still far better than nothing.
Don’t click on links in messages unless you are 100% sure of the source; a quick phone call can verify this.
Do follow the time-tested adage to develop a scam radar: If it seems too good to be true, it probably is – so whatever it is, delete it.
Don’t pay money into anyone’s account directly unless you have verified the details yourself. Even if you think you know them, you can’t verify it through the same channel the request arrived on. Talk first, and if you can, ask for the payment details via a different method from the one you’ve been communicating on. Neobanks like Monzo, Starling and Revolut offer strong security for money transfers.
Do remember – no matter how busy we are, nobody’s in so much of a hurry that an email or text message would be faster than an urgent phone call. We can all speak faster than we can convey a message with our thumbs. So if someone’s asking you for something urgently and it isn’t a phone call, be suspicious.
Don’t give away any personal information until you’ve confirmed someone’s identity on the phone.
Do ask for confirmation of the request in writing if someone like HMRC or the council is pressuring you for payment. They’ll always oblige if it’s genuine – and they have your address already, so there’s no need to give it out.
Don’t panic! Tell someone what has happened and get them to sanity-check it.
This blog could turn into a novel
We could give you 50+ examples of common ways criminals will try to use your information to extort money out of you. But, more than anything, we just want to encourage conscious focus on issues surrounding business and personal protection.
It really is a battlefield out there at the moment due to the flexibility, mobility and speed of these attacks that can force you to make split-second decisions. There’s no shame in being the victim of an attack like this, but it’s so common for people to feel silly (and skint) in the aftermath, realising with the benefit of hindsight that they should have seen it coming.
We want you to keep your money, protect your businesses and families and not have to deal with any fallout from cyber attacks in the coming weeks or in the future. We’re always here to help with your security strategy and offer friendly advice – feel free to email us, or pick up the phone if it feels safer after our cautionary tales!
Wishing you all a very Merry Christmas and a happy and safe New Year from all at Astro.