Prevention is the Best Defence
Cyber Crime is a major problem for business and is one of the fastest growing areas of crime in the world. The ‘WannaCry’ attack in 2017 is estimated to have cost the NHS over £93 Million. We all have a duty to help protect the NHS and its systems from attack. The following are some hints and tips, many of which have been provided by the South of England Regional Organised Crime Unit.
Passwords
Short passwords of eight digits or less can be hacked in less than twenty minutes using software available on the dark web. A password should be at least thirteen digits long, ideally three random words, using a mixture of upper and lower case, using some symbols and numbers in the place of some letters. This would take over six-months to hack.
It is recommended that passwords should not be changed regularly as this encourages the use of short or easily remembered passwords. Passwords should only be changed if the user is alerted to a potential breach.
It is essential that a user uses a unique password for their email account, not shared with any other applications. This will ensure that if an application password is hacked, the user can reset the password easily. However, if an application password is hacked which is the same as the email password, the hacker can reset both passwords and lock the user out.
Social media awareness
Fraudsters will use social media to build a profile of an individual, especially those working in key positions in an organisation. They may ‘friend’ request the individual to try and gain greater access to personal information.
To reduce the risk, do not add ‘friends’ that you do not know. Avoid putting any information relating to your work on social media. Do not answer social media posts about your favourite band, first holiday etc. as these answers are often security password reset questions. Avoid clicking on Facebook quizzes, to find out ‘what kind of kitchen utensil you are’ or ‘what your Viking name might be’, as, in doing so, you give that app access to your personal data on Facebook and will probably provide a lot more when answering the quiz questions. Finally, regularly review and update your security settings and make sure you use the highest privacy options available.
CEO, Mandate, and Salary Diversion Fraud
CEO, Mandate, and Salary Diversion Fraud continue to pose a huge risk.
CEO Fraud occurs when the fraudster targets a Finance employee and impersonates the organisation’s Chief Executive Officer or another director. This is normally done using lookalike or hacked email accounts. The fraudster requests a financial transaction which, if completed, would move money into the fraudster’s bank account. the message often stresses the urgency in the hope that the employee will act without thinking.
Mandate Fraud is another type of impersonation fraud where a Finance employee receives a fraudulent email purporting to be from an existing supplier, requesting that the banking information for that supplier is changed. Again, lookalike or hacked email accounts are used. If the request is processed, the next legitimate payment due to that supplier will be diverted into the fraudster’s bank account. Sometimes the fraudster might first contact Finance and request that contact information is changed, so, when a Mandate Fraud is attempted later, checks to confirm whether the request is legitimate are diverted to the criminal.
In both cases, once a payment is made, the money is rapidly moved through a series of ‘mule’ accounts which are then shut down making quick tracing almost impossible.
An alternative is Salary Diversion Fraud, where the Payroll Department is contacted by a fraudster impersonating an employee (normally a highly paid employee), requesting that bank details for salary payments are amended. Again, if successful monies will be diverted into the criminal’s bank account. Alternatively, if an employee responds to a phishing email, they might give criminal access to their ESR account enabling the criminal to change the bank details for salary payments.
Finance, Payroll and Human Resources Teams should remain vigilant against such attempts as emails are very easily spoofed or hacked. Financial transactions or changes to banking or contact information should never be undertaken on the basis of an email. All such requests should be checked with the apparent sender on an independently verified number.
A short video demonstrating ‘Mandate Fraud’, shared with kind permission of the NHS Counter Fraud Authority.
Check your own email account
Email addresses are often used as ‘logins’ for financial sites such as PayPal, eBay, iTunes, Amazon, etc. By entering your email address at the website www.haveibeenpwned.com it will show whether that email address has ever been associated with any kind of compromise or data breach. If it has, it will list the company that has lost the data. This data could end up for sale on the dark web, giving a criminal access to your personal information on that application and potentially any others that use the same login / password combination. You should immediately change your password on that application and any other application that uses the same login / password combination.
EXAMPLE
It was reported that the application ‘MyFitnessPal’ application suffered a data loss in February 2018 and this data was subsequently listed for sale on the dark web. If you used the application at that time this means that your email address / password combination may be in the hands of a criminal.
ACTION
You should a) change your password for that application, and b) change the passwords for any other applications that use the same email/password combination as the login.
Short Metropolitan Police awareness videos
The Metropolitan Police have released a series of five very short awareness videos, providing best advice on a number of key topics. Most last about 45 seconds, and are a great summary of the steps you can take to stay safe.
Test and trace
Phishing
Working from home
Vishing
Ransomware
Always follow best practice
Your organisation’s information governance rules are there for a purpose, ensure you follow them. Here is a quick list of some general best practice rules to be followed:
- Always lock your computer when you are away from your keyboard, even for a short time.
- Use strong passwords (more than 13 digits long, & a mix of upper and lower case, numbers and special characters).
- Use different passwords for different applications.
- Use a password vault (free applications are available for smartphones and other devices) to store your passwords securely.
- Never share your passwords with anyone.
- Don’t follow links in emails, they often take you to dangerous cloned sites which harvest your personal information if you attempt to use them.
- Be cautious of attachments in emails, particularly from people that you don’t know or don’t routinely communicate with. They could be ‘Malware’; malicious software which will install on your computer if the attachment is clicked. Don’t open anything you are not expecting.
- Any email that is threatening, alarmist or designed to make you panic should be viewed with extreme caution.
- The ‘sent’ field in an email can be manipulated and should not be replied upon.
- Harmful emails can come from legitimate email addresses if the user has been hacked.
- There is dark web software that enables a message to attach itself to an existing contact in your phone. Be suspicious of strange requests, and any messages that are not written in the sender’s usual tone and language. Contact the sender on a verified telephone number to check the validity of the message.
- Don’t plug non-NHS hardware (phones, memory sticks etc.) into your computer.
- Don’t leave a laptop, NHS phone or other equipment in your car. If it is unavoidable then lock it in the boot.
- Don’t use public Wi-Fi; as soon as you connect, your logins and passwords could be collected by a criminal using dark web software.
- Keep your computer and phone software upgrades up to date.
- If you think your work computer is infected with any kind of harmful virus, immediately remove the network cable and contact I.T. urgently.
