tHiS iSnt pHiSHinG, itS wHALinG! WInTer 2016 SCAMS Follow these simple steps to help protect you and your business from attacks by the growing army of online scammers The fraudsters take their time to research the business and their victims, to make the bogus emails they send sound as plausible as possible Many of us are now familiar with phishing attacks emails that appear to come from genuine businesses but which are, in fact, bogus and may contain links to scam websites, or carry virus-laden attachments. Phishing emails are very generic, often sent out in their millions, and should be spotted quite easily and dealt with by a spam filter. But what if that bogus email appears to come from someone inside your company from someone who often sends you emails? How can you protect yourself from a threat such as this? Spear phishing and whaling are terms being used to describe a business scam that has increased dramatically. Criminal gangs are now choosing to target individual businesses and the people who work for them this is spear phishing. When they target the head of the business, the chief executive, this is known as whaling. Heres how it works. The gangs either spoof the email address of the chief executive by creating an email address that is very similar to the genuine one or they hack his/her email account. They then send a message to an employee of the business, asking them to arrange for an urgent transfer of funds to a bank account controlled by the fraudsters. How many employees would query a direct request from their boss? The fraudsters take their time to research the business and their victims, to make the bogus emails they send sound as plausible as possible. Think it can never happen to you? Last year, toy maker Mattel sent more than uS$3m (2.3m) to a fraudulent account in China after a finance executive was fooled by a message he thought had been sent by the companys chief executive, Christopher Sinclair. Another business scam with similar characteristics is invoice fraud, which involves criminal gangs masquerading as a businesss genuine suppliers. They send an email or letter to the firm to change the real suppliers bank account details to their own. Bogus invoices are then sent and, if paid, the money is sent to the fraudsters bank account. Credit: Simon Cripwell Images: Raurielaki / Shutterstock Preventing whaling and invoice fraud may mean introducing new double-checking procedures or enhanced anti-fraud technology. But all businesses big or small can make a start by raising awareness of these sorts of scams among their employees. cyBer eSSenTIAlS cyber security can seem so complex that many password, and manage and monitor it. This is probably organisations freeze, like rabbits in the headlights, and the most technical of the five controls do nothing. l Patch management: keep your software up to date. The operating system ones such as Microsoft and Apple etc The uk government is helping by specifying five things are the most visible, but you also need to find and install (controls) that every organisation should have in place to patches for all your software. A significant percentage of protect themselves from 80 per cent of the most common patches are security-related. look up the term zero day types of attacks in recent years. attacks l Access control: giving users access only to what is needed These controls collectively termed cyber essentials are is a good damage-limitation strategy. Too many people still voluntary for most organisations, but are becoming access systems with a username that has admin rights; mandatory in more and more trading situations. What this is an all-access backstage pass to do whatever they each control covers will be determined by the nature of want. If the user is compromised, there goes the firm! theorganisation, but here is a simple interpretation of limit access and you can limit damage whatthey are: you can certify yourself against a government standard to l Secure configuration of devices (not just computers): ensure you are compliant, but even if you decide not to change the admin default password; use the device with do this you should still adopt the controls. research them, a username that does not have admin rights; and remove look at your organisation, and put in the solutions that are software that is not needed appropriate and meet the standards l Malware protection: install this on all devices, keep it updated, and govern how employees use the internet further reading: and how different file types are employed. Macros in Short articles about cyber security, published by the ncSc some files can be used to deliver a nasty message have resources to help with your cyber security procedures to deal with files from unknown authors l Boundary firewalls and gateways: these govern what gets in and out, and you need one; change the admin Credit: dr Stephen Wright, general manager of the national Cyber Skills Centre For further information please contact your local Trading Standards Service