12 Mar The LogoSystems Guide to Avoiding Cyber Crime
If a stranger stopped you on the street and asked you for the keys to your house would you hand them over?
We would like to think you wouldn’t.
So why would you hand over the keys to your computer?
The username and password for every account you have created are a key to your "online" house. These range from Amazon to Zoopla, and from your iCloud account to your email account.
What to watch out for
There are all kinds of ways a cyber criminal will attempt to get these details.
The most common method we come across is a criminal impersonating a known company in an attempt to steal your login credentials or personal information. These are generally threatening emails warning of a strange transaction or discrepancy on your account, designed to scare you into logging in via a website the criminal has created that looks exactly like the legitimate company's site.
If you then type your username and password into this fake site, the scammers will capture your details, giving them the opportunity to log in to your real account.
Steps to protect yourself
Just because the email has all your details doesn't mean it is real. Your information can be harvested from many places, including Companies House and sites such as LinkedIn.
You have probably heard this before, but your bank will never ask you to click on a link in an email to verify your details, even if the email looks genuine. If you are unsure, always call your bank first using the number on the back of your card.
Certain companies do sometimes send emails with links asking you to log in. Our advice is that unless you are 100% certain you are heading to the correct place, you should type the known web address into your browser yourself, such as www.amazon.co.uk, and log in from there. An address starting with https (e.g. https://appleid.apple.com) is a good pointer but not definitive: it only tells you the connection is encrypted, not that the site belongs to the company it claims to be, and scammers' sites use https too. We have seen links to very similar addresses such as https://appleonline.com
If you receive an email asking you to click a link or go to a website, hover your mouse over the link (this works in most mail programs and browsers, including on a Mac) and it will show you the address you will actually be taken to. If that address bears no resemblance to the supposed sender, such as Microsoft (see below), definitely do not follow it.
[Image: fraudulent email web address]
Accounts such as iCloud, AOL, Microsoft Outlook and many others now offer 2-step verification. This means that when you sign in via a web browser, you receive a code on your mobile which you must enter to confirm it really is you trying to get into your account. We recommend you turn this on. It is a safety net rather than a substitute for checking the address, because a fake login page can ask you for the code as well and use it straight away.
It is also a good idea to look out for spelling mistakes and grammatical errors in the email.
Accounts Department Phishing
We have recently witnessed two new kinds of attack aimed at businesses.
The first involves the scammer getting a company director's details from Companies House and then tracking down the accounts contacts via LinkedIn.
They then register a domain that is very similar to that of the company they plan to scam. For the purposes of this example, the company being scammed is Fred Bloggs Design Associates, the CEO is Fred Bloggs and the company domain is fredbloggsdesign.com
The scammer registers a very similar domain such as fredblogssdesigns.com (note the swapped letters in "blogss" and the extra "s" on "designs"; at a glance it reads the same).
The scammer then sends an email to the "accounts payable" contact at Fred Bloggs Design requesting that an urgent payment of, say, £5000 be made to a particular supplier, complete with an account number and sort code.
The email looks as though it comes from firstname.lastname@example.org, but the reply-to address is actually email@example.com on the look-alike domain, so any reply goes to the scammer rather than to Fred.
That way, when the accounts department reply with an "Are you sure about this, Fred?" email, the scammer receives it and can simply reply "Yes".
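The tells described above (a link whose visible text is not where it really goes, a look-alike domain, a reply-to address that does not match the sender) can be checked mechanically. The following Python script is an added example written for this guide, not LogoSystems' own tooling: it parses a raw email and reports each tell it finds. The trusted-domain list, the `analyse` function name and the sample message are constructed for the example, and the domain splitting is deliberately simplified (real mail filtering should use the Public Suffix List).

```python
# Added example (not LogoSystems' code): check a raw email for the phishing tells
# described in this guide.  TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed.
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this business legitimately deals with.
TRUSTED_DOMAINS = {"fredbloggsdesign.com", "apple.com", "amazon.co.uk"}
# Visible link text that itself names a site, e.g. "https://appleid.apple.com".
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

def registrable_domain(host: str) -> str:
    """appleid.apple.com -> apple.com; www.amazon.co.uk -> amazon.co.uk.
    Simplified suffix handling: production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (brand label embedded, as in appleonline,
    or >= 85% similar spelling, as in fredblogssdesigns); None if trusted or unrelated."""
    if domain in trusted:
        return None
    label = domain.split(".")[0]
    for t in trusted:
        if t.split(".")[0] in label or difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85:
            return t
    return None

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw_email: str) -> list:
    """Return (finding, offending domain) pairs; an empty list means no tells found."""
    msg = message_from_string(raw_email)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:  # replies go somewhere other than the sender
        findings.append(("reply-to-mismatch", reply_dom))
    for dom in filter(None, {from_dom, reply_dom}):
        if lookalike_of(dom):
            findings.append(("lookalike", dom))
    if msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
        parser = _Links()
        parser.feed(body)
        for href, text in parser.links:
            url = urlparse(href)
            host = (url.hostname or "").lower()
            dest = registrable_domain(host)
            if url.scheme == "http":
                findings.append(("plain-http", dest))
            if URL_LIKE.match(text):  # what the reader sees vs where the link really goes
                shown = urlparse(text if "://" in text else "//" + text).hostname or ""
                if registrable_domain(shown) != dest:
                    findings.append(("text-vs-href", dest))
            if lookalike_of(dest):
                findings.append(("lookalike", dest))
            for t in TRUSTED_DOMAINS:  # fredbloggsdesign.com.evil.net belongs to evil.net
                if host.startswith(t + ".") and dest != t:
                    findings.append(("subdomain-trick", dest))
    return findings

# Constructed sample: the "Fred" payment request with a mismatched Reply-To and
# two deceptive links.  Not a real message.
SAMPLE_EMAIL = """\
From: "Fred Bloggs" <fred.bloggs@fredbloggsdesign.com>
Reply-To: fred.bloggs@fredblogssdesigns.com
To: accounts@fredbloggsdesign.com
Subject: Urgent supplier payment
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please pay GBP 5,000 to the supplier today and confirm your Apple ID at
<a href="https://appleonline.com/login">https://appleid.apple.com</a>.</p>
<p>Remittance portal: <a href="http://fredbloggsdesign.com.invoices-portal.net/pay">Pay now</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(*analyse(SAMPLE_EMAIL), sep="\n")
```

Run against the sample, `analyse` reports the reply-to mismatch, flags both fredblogssdesigns.com and appleonline.com as look-alikes, notes that the Apple link's text and destination differ, and catches the plain-http "portal" link that merely uses the company name as a subdomain of someone else's domain. The heuristics are intentionally loose (a domain containing "apple" will be flagged even when innocent), which is the right trade-off for a tool that prompts a human to look twice rather than one that blocks mail.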
WARN YOUR ACCOUNTS DEPARTMENT. We recommend you put a policy in place to ensure that every new payee is validated with the director requesting the payment by text message or voice call, using a number you already hold for them rather than any contact details given in the email.
Taking things up a level
The second is the after-effect of a scammer getting hold of the email username and password of somebody who sends invoices to companies.
The scammer scans the user's sent mail for recently issued invoices.
They then email the company the invoice was sent to, from the compromised account, asking that the invoice be paid to a new bank account because the sender has supposedly changed banks.
Their aim is to get the invoice paid into their own account rather than that of the email's real owner. It is brazen but potentially successful, because the request genuinely comes from the supplier's mailbox.
As with the last method, WARN YOUR ACCOUNTS DEPARTMENT. We recommend a policy ensuring that any payee requesting a change of bank account is contacted verbally, using contact details already on file, by someone within your business who has a relationship with that payee.
If you can think of anybody who would benefit from this information please send them to this page.