Being ‘scam savvy’ in the cyber world

Staff are usually the first line of defence against cybercrime. With the right training and guidance, employees can help prevent cyber attacks against your organisation. 

It is important that your staff know what to do if they receive a suspicious email:

• Exercise caution when dealing with any unsolicited emails. Look carefully at spelling and grammar – poor spelling and bad grammar is an indication that the email is unlikely to be from a genuine company.
• Check the sender’s email domain by hovering your mouse over the sender’s name.
• Do not click on any links in a suspicious email.
• Do not reply to the email or contact the senders in any way.
• Do not open any attachments or download content or images if you are prompted to do so.
• Permanently delete the email.
• Apply the usual processes when making changes or payments. Contact the organisation or person requesting the change using established contact details and verify the authenticity of the change. Do not make contact by replying to the email and do not respond using any of the contact details, such as phone numbers, shown in the email.
• Immediately contact your IT team, and your bank if payment has been made.
• Apply the Cyber Security Incident Response Plan.

Staff will also need to have in place strong passwords that are different for each account, and use the following as a guide:

• Avoid using predictable passwords: Try to make sure that even somebody who knows you well couldn't guess your password in 20 attempts. A good way to create a strong and memorable password is to use three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27! or use a long and unique passphrase like We-Love-the-Summer-2022!
• Only store passwords in a secure location, such as on a secure password manager program – not near the device on a piece of paper.
• Use two-factor authentication (also known as 2FA) for any of your accounts where that option is available. It adds a lot of security for little extra effort. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method.
• Change all passwords on a regular basis.
• Do not share any of your passwords with anyone else – if anyone else knows your password, it is no longer secure.
• Switch on password protection: Set a screen lock password, PIN, or other authentication method (such as fingerprint or face unlock).
• Only use answers to security questions that are not available online/on social media accounts.
• Only log into accounts from computers or devices that you trust.
• Consider extra security for highly privileged accounts used by the organisation, IT and third parties.

Scams and phishing attempts are not always in the form of an email, but can be a text message, phone call or social media contact. 

You can report all suspicious forms of contact to Action Fraud.

If you have inadvertently clicked on a link or provided your details, advise the IT Security team at the earliest opportunity, and consider changing passwords immediately. If you have made payment and are concerned, you must contact the bank without delay as they can sometimes put a stop to the payment.

Payment diversion fraud is exactly what it sounds like. Typically, a link is emailed to an employee. The link often appears to be to their employer’s self-service login page but is in fact to a spoof website set up by the fraudster. The spoof records the employee’s username and password, and the fraudster uses this information to divert the employee’s salary payments into their own bank account. 

These emails often use overly formal language and incentivise the employee to click the link, often with the ‘notification’ of a generous pay increase or an issue with their pay.

For example:

In accordance with the Fiscal Year 2022 Salary Allocation Guidelines (SAG) kindly be informed that your monthly salary starting April 2022 will reflect a 12.36 percent salary increase. Your new salary is analysed herewith. All documents are enclosed hereunder: view documents here

Your monthly salary starting from April 2022 will be raised by 13.84%. Enclosed is your salary increase letter. Download and keep a copy for your records. **when prompted, your date of birth on records must be authenticated**. View letter here.

Finance have noticed some irregularities on your payslip and P60 form which may impact your January salary. Report is as attached. Kindly download and update accordingly as highlighted. **this is a secure document, hence authentication will be required**.

Actions to take

• Educate your teams about the way you communicate salary increases and payroll issues, so that they are on the alert for such scam emails. It is very unlikely – or should be – that the first someone hears that they’ll be receiving a large pay rise is from an unsigned, impersonal email. Use Multi-Factor Authentication (MFA) on self-service sites to strengthen access security by requiring more than one method to verify identity beyond the username and password.
• Enable notification of change of bank account details to ensure affected staff are aware of any changes and can report concerns at the earliest opportunity. Additionally, when it comes to approvals, ensure appropriate access rights and division of duties.
• Run payroll reports to identify requests for bank detail changes. Double-check with the member of staff requesting the change. Check contact details and, if those have also been changed, use alternative sources of recorded contact details (email is not recommended).
• Run IT security reports, if this facility is available, to review how email security features are being applied to protect your organisation and identify email spam and compromised users. There should also be anti-spoofing controls in place and filters/blocks on suspicious emails.
• Review email accounts to check that all ‘rules’ applied are legitimate. Some fraudsters have used employee email addresses to contact payroll directly and ask for changes to bank details. Through compromised email accounts, fraudsters have also set up ‘rules’ to divert certain emails – eg those containing the phrase ‘bank account’ – to accounts they control. The fraudster can then impersonate the employee to respond to verification emails from payroll and confirm changes to payment details.

Email interception

Organised crime groups use viruses and other malware to hack into suppliers’ email accounts, then intercept communications between suppliers and the organisations they work with. Common methods of email interception include phishing emails that target specific staff members, spoofing a genuine supplier’s email account, and installing malware on a supplier’s devices. 
Fraudsters intercept the emails and can then make changes to their contents, eg adding a line to request that future payments for products or services be paid into an account controlled by the fraudster.

Actions to take

• Raise awareness of interception bank mandate fraud.
• Communicate to your suppliers the importance of keeping their operating systems up to date and secure to prevent phishing and hacking of email accounts.
• Consider adding mitigation clauses to supplier contracts to mitigate your losses from these types of incidents if the supplier is found to be in any way negligent.
• Undertake proactive audits of suppliers with whom you share data or services.
• Ensure you have robust change of bank account request forms (for example, that request details of the last transaction made by the supplier) and processes and, where bank accounts of concern are identified, immediately configure your finance systems to reject them.
• Use bank account verification software to reduce payment processing errors.
• Use external data sources to identify accounts known to be linked to fraudulent activity.
• Staff should apply the usual verification process by using only the details held on file.
• Check bank statements for any suspicious activity
• Contact your bank immediately if any illegitimate payments have been made.

Mandate fraud

In a mandate fraud, fraudsters contact organisations posing as one of their existing suppliers. They request a change to the genuine supplier’s phone number, then at a later date ask for a change to the supplier’s bank mandate. In this way, call-back checks from the bank are made to the fraudster and the supplier remains unaware of the fraud.

Actions to take 

• Raise awareness of bank mandate fraud, and especially ask that employers flag when suppliers request changes to their phone numbers.
• Before responding, check the details of the person making the request and the supplier’s details.
• Requests to change a bank mandate should follow your own organisation’s procedures.

Phishing and fraudulent links

When you receive an email, hover your cursor over the sender’s address and any links in the email. This ‘hover test’ displays the true email address the message has come from and the actual destination of the hyperlinks. It also pays to check that the email address shown is an organisation’s correct email address eg is spelt correctly.

Spotting a targeted phishing email

Identifying fraudulent links

Fake emails often display some of the following characteristics:

• Spelling and grammatical errors.
• Sender’s email address doesn’t correspond with the organisation’s website address.
• The email doesn’t use your proper name, but uses a generic greeting like ‘Dear Customer’ or ‘Hi friend’.
• Creates a sense of urgency: 'act immediately or your account will be locked'.
• Prominent weblink, easily forged and looks similar, but check for character differences.
• A request for personal information such as username, password or bank details.
• You weren’t expecting to get an email from the company that appears to have sent it.
• The entire text of the email is an image rather than the usual text format.
• The image contains an embedded hyperlink that, if clicked, would divert to a bogus website.
• Double check the attachment file. Does it have an unfamiliar extension associated with malware such as: .exe, .scr; .bat.