Infosec Cloud
Solutions. Services. Training.

Stay Cyber-Safe this Christmas

Here are a few tips to help you stay ‘cyber-safe’ at home over the holidays.


Watch out for fake websites

It’s very easy for cyber-criminals to create a spoofed website that looks like an official retailer and then offer ‘unbelievable’ deals. Once a payment is made you may receive inferior products, and that’s if they arrive at all. Always check the website’s address before you pay. The retailer’s name appearing somewhere in the address is not enough: what matters is the registered domain, the name immediately before the ending (.com, .co.uk and so on), and whether it is the one the retailer actually uses. A brand name followed by extra words, or on an ending you don’t recognise, is a warning sign, and so is an address you reached from a link in an email or advert rather than by typing it yourself.

Pay by credit card

Credit cards provide protection if things go wrong with a purchase. If the goods don’t show up or are faulty and the item cost more than £100 (and no more than £30,000), Section 75 of the Consumer Credit Act 1974 makes the card provider jointly liable with the retailer, so you can claim the money back from the card company. For goods under £100, or payments made by debit card, you can ask your bank to recover the money through ‘chargeback’; this is a card-scheme process rather than a legal right and has time limits, so ask promptly. Always be suspicious if a website asks you to make a bank transfer instead of paying by card: a transfer carries none of this protection.

Make sure the site is secure

Check for ‘https’ at the start of the website address. The ‘s’ means the connection to the site is encrypted, so nobody else on the network can read your card details in transit. The browser shows this as a padlock in the address bar, next to the address. A padlock drawn on the page itself means nothing and is a sign of a spoofed website. Note that https on its own does not prove the site is genuine: criminals can obtain certificates for their own look-alike domains too, so it is a necessary check, not a sufficient one.
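The two checks above (is the address really the retailer’s domain, and is the connection https) can be written down as a small checker. This is an added example written for this page, not code from Infosec Cloud; the list of trusted shop domains and the short public-suffix subset are constructed for it, and the look-alike addresses it tests are made up.

```python
"""Check a shop URL the way the tips above describe: is it https, and is the
registered domain really the retailer's, or a look-alike that merely contains
the brand name? Added example; TRUSTED_DOMAINS and MULTI_LABEL_SUFFIXES are
constructed for it."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Registered domains of shops you genuinely use (constructed example list).
TRUSTED_DOMAINS = {"argos.co.uk", "tesco.com", "apple.com"}

# Minimal public-suffix subset so "argos.co.uk" counts as one registered domain.
# A real checker would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


def registered_domain(host: str) -> str:
    """Registrable part of a hostname, e.g. shop.argos.co.uk -> argos.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_shop_url(url: str) -> Tuple[bool, str]:
    """Return (safe, reason). Only https URLs whose registered domain is a
    trusted retailer pass; anything else is rejected with the specific red flag."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https: the connection is not encrypted"
    host = parts.hostname or ""
    # "https://www.tesco.com@evil.example/" connects to evil.example; the brand
    # name before the '@' is just a username the server never sees.
    if parts.username is not None:
        return False, f"'@' in the address: the real host is {host}, not what precedes it"
    # Internationalised labels (xn--) can render as characters that mimic a brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host: look-alike characters in the domain name"
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return True, f"registered domain {domain} is a known retailer"
    # Brand name present somewhere in the host, but the registered domain is
    # someone else's: the classic "argos.co.uk.deals-xmas.net" lure.
    brand: Optional[str] = next(
        (t.split(".")[0] for t in TRUSTED_DOMAINS if t.split(".")[0] in host), None)
    if brand:
        return False, f"contains '{brand}' but the registered domain is {domain}"
    return False, f"unknown registered domain {domain}"


if __name__ == "__main__":
    for candidate in (
        "https://www.argos.co.uk/product/123",
        "http://www.argos.co.uk/",
        "https://argos.co.uk.deals-xmas.net/login",
        "https://www.tesco.com@evil.example/",
        "https://xn--tsco-3qa.com/",
    ):
        ok, why = check_shop_url(candidate)
        print(("OK  " if ok else "STOP"), candidate, "-", why)
```

The point the checker makes is that the brand name is not the test; the registered domain is. Browsers highlight that part of the address for the same reason.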

Beware of phishing emails

Phishing messages are designed to appear to come from trusted organisations such as your bank or HMRC, or familiar retailers like Apple, Tesco and Argos. They aim to trick you into revealing personal details. The emails usually contain links which, when clicked, download malicious software or take you to a spoofed website where your personal details are requested.

Over the Christmas holidays, be very wary of emails from retailers offering deals or cash prizes. Check the sender’s full email address, not just the display name, and don’t click on any links embedded in the message. Even an “unsubscribe” link could be malicious.

Don’t trust WhatsApp messages offering gift cards

WhatsApp users have reported receiving messages offering Topshop and Sainsbury’s gift cards that appear to be sent from a phone contact. The link takes you through to an official-looking site which requests personal details.

Clicking the link can also take you to a page that collects information about your device and tracks you. Delete messages like these even if they look like they’ve come from someone you trust, and install security software on your device.

‘Freebies’ on Facebook

Free iPads, flights, shopping vouchers, Alton Towers tickets and cheap Ray-Ban sunglasses all fall into the category of “if it looks too good to be true, it probably is”.

Cyber-criminals create attractive looking deals which they post on Facebook asking users to “like” and “share” the advert to boost it to the top of news feeds and target a wider audience. If you click through you will be asked for personal details which can be used for fraudulent purposes. The posts may appear to be from legitimate companies – check if the Facebook account is verified with a blue tick.

Avoid shopping on public Wi-Fi

Internet hotspots offered by coffee shops, libraries and bars may be incredibly convenient, but they offer no protection from other people using the same network. A cyber-criminal can sit on the same hotspot and intercept anything you send that isn’t encrypted, or set up their own fake hotspot with a plausible name so that everything you do passes through their equipment. If you’re shopping or banking online, use your own mobile data connection (3G/4G) or wait until you get home.

Don’t fall for the “Click and Receive” scam

Be suspicious of emails that ask you to click on a link and enter your details to rearrange a delivery. It won’t tell you what the item is but over the holiday period thousands of people are likely to have ordered something online and may be tricked into handing over personal information.

In some cases credit card details may be asked for to “verify” the delivery. Be suspicious if the email doesn’t tell you what the ordered goods are and if in doubt, retrace your order trail and make a call to the company you’re expecting a delivery from.

When shopping on eBay stick to the rules

There are various ways that eBay protects users; those who don’t stay within the guidelines will struggle to get their money back if they fall victim to a scam. Always pay by PayPal, as most items will then be protected by eBay’s Money Back Guarantee. Scammers will try to get you to pay by bank transfer or a service such as MoneyGram. Do this and you forfeit your protection.

Also be wary of sellers contacting you directly to offer you a better deal than the listed price. Be careful of those with little or no selling history.

Watch out for fake customer reviews

More than half of UK adults use online review websites such as Amazon, Tripadvisor, Expedia and Checkatrade to find the best bargains.

But among the genuine reviews are millions of fakes. Be suspicious if too many of the reviews seem similar – it suggests they are being copied and pasted or written by the same person. It should raise a red flag if the reviews are all very new. If you are at all suspicious of the website avoid it.

If you think you’ve been a victim of a scam – act fast

If you’ve been conned, call your bank immediately and ask them to try to stop the payment. The sooner you do this the more chance you have of getting your money back. Banks will only refund customers who have been defrauded on their credit or debit card, or where a transaction has been made without their authorisation. Call your bank on the number printed on your card or on its website, never a number given in a letter or email that may itself be part of the scam.

Banks are not responsible for reimbursing customers who have been deceived into making payments.

If action is taken swiftly and there are funds remaining in the cyber-criminal’s account, your bank may be able to claw the money back by requesting an indemnity from the receiving bank. If you feel your bank has not done enough to help you, make a complaint and, if you are not satisfied with the response, take it to the Financial Ombudsman Service to investigate. You should also report it to Action Fraud.

Websites for more information:

Get Safe Online: https://www.getsafeonline.org/

The UK’s leading awareness resource helping protect people, finances, devices and businesses from fraud, abuse and other issues encountered online.

Action Fraud: https://www.actionfraud.police.uk/

The UK’s national fraud and cyber-crime reporting centre. The easiest way to report fraud and cyber-crime is by using the online reporting tool.

Stay Vigilant and Stay Safe this Christmas Holiday Time!


Keep your employees cyber-security aware in 2018: See our Security Awareness Training and Testing program


    Deloitte hacked via a stolen admin password

    It was revealed last week that Deloitte was hit by a major cyber attack that compromised its email system and certain client records.

    The attack was achieved by knowing the password of a single system administrator.

    With that simple piece of information, the hackers were able to gain access to Deloitte’s email services and, according to some reports, extract several gigabytes of data containing the content and details of clients’ email messages and attachments.

    The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”

    Well-respected security journalist Brian Krebs cites sources close to Deloitte who suggest the hack was likely more severe than that. The sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts.

    This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for ‘a long time’ and that the company still does not know exactly how much data was taken in total.

    Meanwhile, Krebs’ sources say Deloitte has yet to identify the full pervasiveness of the attack.

    For a key system to rely on a username and password alone for access is a fundamental failure of security, and one that could easily have been fixed by the addition of multi-factor authentication (MFA): a stolen password then gets an attacker nothing without the second factor.

    MFA can be introduced rapidly and, done well, adds little friction for users, so a stolen or guessed password no longer offers hackers an easy way into your organisation. Read our guide to choosing the right MFA solution to meet your specific needs.
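To make the point concrete, here is a minimal login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, the scheme used by authenticator apps). This is an added example written for this page, not Deloitte’s system or SecurEnvoy’s product. The account, password and salt are constructed; the TOTP secret is the RFC 6238 reference key, so the codes in the comments are the published test vectors. With this in place, knowing the administrator’s password on its own returns False.

```python
"""Password + TOTP (RFC 6238) login check: why a stolen admin password alone
should not open the door. Added example; the account store, password, salt and
timestamps are constructed, and the TOTP key is the RFC 6238 reference key."""
import hashlib
import hmac
import struct
from typing import Dict

STEP = 30  # seconds per TOTP code, as in the RFC 6238 reference vectors


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(key, at // STEP, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift),
    comparing in constant time so timing does not leak the right digits."""
    counter = at // STEP
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256); never store plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed account store: one admin with a password hash and a TOTP secret.
SALT = b"constructed-salt"
ACCOUNTS: Dict[str, dict] = {
    "sysadmin": {
        "pw_hash": hash_password("Winter2017!", SALT),
        "totp_key": b"12345678901234567890",  # RFC 6238 reference key
    }
}


def login(user: str, password: str, code: str, at: int) -> bool:
    """Both factors must check out. A correct password with no code, a wrong
    code, or a stale code fails, which is the whole point of the second factor."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    if not hmac.compare_digest(hash_password(password, SALT), acct["pw_hash"]):
        return False
    return verify_totp(acct["totp_key"], code, at)


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 vector: SHA-1 TOTP here is 07081804, 6 digits -> 081804
    print(login("sysadmin", "Winter2017!", "", now))        # password alone: False
    print(login("sysadmin", "Winter2017!", "081804", now))  # password + code: True
```

The secret here is an app-based TOTP seed; SMS or push-based second factors plug into the same `login` shape, differing only in how the code reaches the user. The acceptance window of one step either side is the usual trade-off between tolerating phone clock drift and limiting how long a captured code stays usable.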


    How to Pick a Proper Password

    Did you know that for less than $20,000 you could build your very own password cracker that, under ideal conditions, could try out more than 100,000,000,000 passwords EVERY SECOND?

    That means you could churn through every possible 8-character password made only of lowercase letters (26^8, roughly 209 billion) in about 2 seconds, and every 9-letter one (26^9, roughly 5.4 trillion) in under a minute!
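The arithmetic behind those two figures generalises to any alphabet and length, and it is worth seeing how quickly the numbers move when either grows. This is an added example written for this page, not Sophos’s or Paul Ducklin’s; the 100,000,000,000 guesses per second is the page’s own figure, and the character-set sizes are assumptions about what a password is built from.

```python
"""Keyspace and brute-force time calculator for the figures above.
Added example; the guess rate is the page's figure and CHARSETS are assumed
alphabets a password might be drawn from."""
import math

# Assumed alphabet sizes.
CHARSETS = {
    "lowercase letters": 26,
    "letters, both cases": 52,
    "letters and digits": 62,
    "all printable ASCII": 95,
}

GUESSES_PER_SECOND = 100_000_000_000  # the page's sub-$20k cracker, ideal conditions


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length from this alphabet."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate tried. Expected time to hit one password
    is half this, and shorter lengths are exhausted first, so the estimate
    is generous to the defender."""
    return keyspace(charset_size, length) / rate


def bits_of_entropy(charset_size: int, length: int) -> float:
    """log2 of the keyspace for a uniformly random password; each extra bit
    doubles the cracking time."""
    return length * math.log2(charset_size)


def human(seconds: float) -> str:
    """Round a duration to the largest useful unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 9, 12, 16):
            print(f"{name:<22} length {length:>2}: "
                  f"{bits_of_entropy(size, length):5.1f} bits, "
                  f"exhausted in {human(seconds_to_exhaust(size, length))}")
```

The table this prints shows that four extra characters do far more than swapping letters for symbols: lowercase-only at length 12 already outlasts printable-ASCII at length 8 by a wide margin. The rate is a parameter because it depends entirely on how the password is stored; the page’s figure is for a fast hash, and a deliberately slow password hash such as the PBKDF2 used in the login example above cuts the guesses per second by orders of magnitude.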

    So here is a short and straight-talking video from Paul Ducklin at Sophos, that not only shows you how to pick a proper password, but also explains why you should bother.

    About Paul Ducklin
    Paul Ducklin is a passionate security proselytiser. (That’s like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Follow him on Twitter: @duckblog

    Need help managing employee password changes? Check out Secure Password Manager from SecurEnvoy