Category Archives: Knowledge

Debunking Common Myths: What You Need to Know About Spam Emails

Debunking Common Myths: What You Need to Know About Spam Emails

Spam emails are a nuisance, but they can also be dangerous. They can contain malware, phishing links, and other harmful content. That’s why it’s important to be aware of the risks and take steps to protect yourself.

Here are some common myths about spam emails:

Myth #1: Spam emails are harmless.

This is not true. Spam emails can contain malware, which can infect your computer and steal your personal information. They can also contain phishing links, which can lead to fake websites that look like legitimate websites. If you enter your personal information on a fake website, it could be stolen by the scammers.

Myth #2: You can’t do anything about spam emails.

This is also not true. There are a number of things you can do to protect yourself from spam emails, such as:

Use a spam filter. A spam filter can help to block spam emails from reaching your inbox.
Be careful what information you share online. Don’t share your personal information, such as your email address, password, or credit card number, with anyone you don’t know and trust.
Be suspicious of emails that ask for personal information. If you receive an email that asks for personal information, such as your personal information, don’t reply to the email. Instead, contact the company or organization directly to verify the request.
Don’t click on links in spam emails. Even if the link looks like it goes to a legitimate website, it could be a fake link that will take you to a malicious website.

Myth #3: Spam emails are only sent to businesses.

This is not true. Spam emails are sent to everyone, including individuals. If you receive a spam email, don’t assume that it was sent to you by mistake. The scammers are hoping that you’ll open the email and click on a link or download an attachment, which could infect your computer with malware.

Myth #4: There’s no way to stop spam emails.

This is not true. While you can’t completely stop spam emails from reaching your inbox, you can take steps to reduce the number of spam emails you receive. By following the tips above, you can help to protect yourself from spam emails and the risks they pose.

If you receive a spam email, it’s important to report it to the sender. You can also report spam emails to your email service provider. By reporting spam emails, you can help to stop the scammers from sending them.

Here are some additional tips for protecting yourself from spam emails:

Here are some additional tips for protecting yourself from spam emails:

Here are some additional tips for protecting yourself from spam emails:

  • Don’t reply to spam emails. This will only confirm that your email address is active, which will make you a target for more spam emails.
  • Don’t open attachments in spam emails. Even if the attachment looks like it’s from a legitimate source, it could contain malware.
  • Don’t click on links in spam emails. Even if the link looks like it goes to a legitimate website, it could be a fake link that will take you to a malicious website.
  • Keep your software up to date. Software updates often include security patches that can help to protect your computer from malware.
  • Use a strong password and change it regularly. A strong password will make it more difficult for scammers to gain access to your account.
  • By following these tips, you can help to protect yourself from spam emails and the risks they pose.
Exposed: The Dark Web's Role in Fueling Spam Epidemics

Exposed: The Dark Web’s Role in Fueling Spam Epidemics

The dark web is a hidden part of the internet that is not indexed by search engines. It is often used for illegal activities, such as drug trafficking and weapons sales. However, the dark web is also used by spammers to buy and sell email addresses and other personal information.

Spammers use the dark web to find email addresses that are more likely to be opened. They can also buy lists of email addresses that have been compromised in data breaches. Once they have a list of email addresses, spammers can send out millions of spam emails per day.

Spam emails can contain a variety of malicious content, such as viruses, malware, and phishing links. When a user opens a spam email, they could be infected with a virus or malware, or they could be tricked into clicking on a phishing link that steals their personal information.

The dark web is a major problem for businesses and individuals. Spam can cost businesses millions of dollars in lost productivity and revenue. It can also damage a business’s reputation. For individuals, spam can be a major source of annoyance and stress.

There are a number of things that businesses and individuals can do to protect themselves from spam. Businesses should use spam filters to block spam emails. Individuals should be careful about what information they share online, and they should never click on links in spam emails.

The dark web is a major problem, but there are steps that can be taken to protect yourself from spam. By being aware of the risks and taking steps to protect yourself, you can help to reduce the impact of spam.

Here are some additional tips for protecting yourself from spam:

Here are some additional tips for protecting yourself from spam:

Here are some additional tips for protecting yourself from spam:

  • Use a strong password and two-factor authentication for all of your online accounts.
  • Be careful about what information you share online. Don’t give out your personal information unless you are sure that it is safe to do so.
  • Be suspicious of any emails that you receive from people you don’t know. Don’t click on any links in these emails, and don’t open any attachments.
  • Keep your software up to date. Software updates often include security patches that can help to protect you from spam and other online threats.

By following these tips, you can help to protect yourself from spam and other online threats.

Unveiling the Elusive Tactics Behind Sophisticated Email Spam

Unveiling the Elusive Tactics Behind Sophisticated Email Spam

In today’s interconnected world, email has become an essential mode of communication for individuals and businesses alike. However, the convenience and speed offered by email also come with a downside: the ever-increasing menace of email spam. While traditional spam filters have become more adept at catching obvious junk mail, sophisticated email spam continues to plague inboxes, duping unsuspecting users and posing significant security risks. This article aims to shed light on the elusive tactics employed by cybercriminals behind these sophisticated email spam campaigns, exposing the inner workings of this cyber threat and offering insights into effective countermeasures.

I. The Evolution of Email Spam

Email spam has come a long way since its humble beginnings as unsolicited advertisements. Today’s sophisticated email spam is designed to deceive users by mimicking legitimate messages, using advanced techniques such as social engineering and personalized content. Cybercriminals meticulously craft these emails to appear trustworthy and convincing, often imitating renowned companies or institutions to exploit the recipient’s trust.

II. Phishing Attacks: The Art of Deception

One of the most common tactics employed in sophisticated email spam campaigns is phishing. Phishing usually attacks involve tricking others into divulging sensitive information, such as login credentials or financial details, by posing as a reputable entity. These emails often contain urgent requests, prompting recipients to click on malicious links or download malicious attachments.

Cybercriminals employ several techniques to make their phishing emails more convincing. This includes forging email headers to make messages appear as though they come from a legitimate source. Additionally, they employ tactics such as domain spoofing, where the email address appears similar to that of a trusted organization, tricking users into believing the email is genuine.

III. Social Engineering: Manipulating Human Vulnerabilities

Sophisticated email spam campaigns leverage social engineering tactics to exploit human vulnerabilities. Cybercriminals exploit psychological triggers, such as fear, urgency, or curiosity, to manipulate recipients into taking a specific action. They often employ emotional appeals, create a sense of urgency, or play on people’s curiosity to entice them to click on malicious links or download infected attachments.

These emails may also target specific individuals or organizations, using personalized information gathered from various sources. By customizing the email content to include personal details, cybercriminals increase the likelihood of recipients falling victim to the scam.

IV. Evading Traditional Spam Filters

Evading Traditional Spam Filters

As email spam becomes more sophisticated, cybercriminals continuously adapt their techniques to bypass traditional spam filters. They employ tactics such as obfuscation, where they intentionally modify certain elements of the email to evade detection. This can include manipulating text, images, or URLs to avoid triggering common spam indicators.

Additionally, cybercriminals leverage botnets, networks of compromised computers, to distribute spam emails. By using these botnets, they can distribute emails from multiple sources, making it challenging for spam filters to identify and block their activities effectively.

V. Effective Countermeasures

To protect against sophisticated email spam, individuals and organizations need to adopt a multi-layered approach to cybersecurity. Some essential countermeasures include:

User Education: Educating users about the various types of email spam and how to identify suspicious emails can go a long way in preventing successful attacks. Organizations should conduct regular training sessions and provide guidelines on recognizing and reporting suspicious emails.

Robust Spam Filters: Employing advanced spam filters that utilize artificial intelligence and machine learning algorithms can help identify and block sophisticated email spam campaigns.

Two-Factor Authentication (2FA): Enforcing two-factor authentication (2FA) adds an extra layer of security by requiring users to provide a second form of verification, such as a unique code sent to their mobile device, when logging into their accounts. This helps prevent unauthorized access even if login credentials are compromised.

Email Authentication Protocols: Implementing authentication protocols like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can help verify the authenticity of emails and reduce the risk of email spoofing.

Regular Software Updates: Keeping software, operating systems, and antivirus programs up to date is crucial. Software updates often include security patches that address vulnerabilities and protect against evolving spam tactics.

Vigilance and Suspicion: Users should always be cautious when receiving unexpected emails, especially those requesting personal information or urging immediate action. Verifying the authenticity of the sender and scrutinizing email content before clicking on links or opening attachments is essential.

Conclusion

Sophisticated email spam continues to be a significant cybersecurity challenge, evolving alongside technological advancements. By understanding the elusive tactics employed by cybercriminals and implementing effective countermeasures, individuals and organizations can mitigate the risks associated with these attacks. Combining user education, robust spam filters, two-factor authentication, email authentication protocols, regular software updates, and maintaining a vigilant mindset, we can strengthen our defenses and protect against the ever-evolving threat of sophisticated email spam.

Remember, in the digital landscape, staying informed and proactive is crucial to safeguarding our online identities and preserving the integrity of our communications.

Avoid sending spam

Avoid sending spam

If you send or have someone else send your marketing emails or messages, you need to know about spam laws.

How to comply

If you plan to send marketing messages or emails, you must first have consent from the person who will receive them. Even if someone else is sending out your marketing messages for you, you must still have consent from each person who will receive your messages.

After you get consent, you must ensure your message:

  • Identifies you as the sender
  • Contains your contact details
  • Makes it easy to unsubscribe

Get consent

There are two types of consent:

  1. Express
  2. Inferred

Express consent

A person who gives express consent knows and accepts that they will receive marketing emails or messages from you. This is best practice when it comes to consent.

People can give express consent by one of the following:

  • Filling in a form
  • Ticking a box on a website
  • Over the phone
  • Face to face

You cannot send an electronic message to ask for consent, because this is a marketing message. Keep a record when a person gives express consent, including who gave the consent, when and how.

It’s up to you to prove that you have a person’s consent.

Inferred consent

In some circumstances, you may infer that you have consent to send marketing messages if the recipient has knowingly and directly given their address and it is reasonable to believe they would expect to receive marketing from your business.

This is usually when a person has a provable, ongoing relationship with your business, and the marketing is directly related to that relationship.

For example, if someone has subscribed to a service, has an account or is a member, and the marketing is directly relevant to the relationship – such as a person’s savings bank telling them about another savings account with higher interest. It would not cover the bank trying to sell them insurance products.

It does not cover sending messages after someone has just bought something from your business.

Inferred consent is not as reliable as getting someone’s express consent.

Know your responsibilities for email lists

Take care when you buy or use a marketing list. You are still responsible for making sure you have consent for any addresses you use.

Identify yourself as the sender

In your message, you must:

  • Accurately identify your name or business name
  • Include correct contact details for you or your business

If someone else sends messages on your behalf, the message must still identify you as the business that authorised the message. Use the correct legal name of your business, or your name.

This information must remain correct for at least 30 days after you send the message.

Make it easy to unsubscribe

You need to make it easy for people to unsubscribe from your electronic mailing lists. Every commercial message must contain an ‘unsubscribe’ option that:

  • Presents unsubscribe instructions clearly
  • Honours a request to unsubscribe within 5 working days
  • Does not require the payment of a fee
  • Does not cost more than the usual amount for using the address (such as a standard text charge)
  • Is functional for at least 30 days after you sent the message
  • Does not require the person to give extra personal information or log in to, or create, an account to unsubscribe from marketing messages.

Tip: Remember that if you are using an alphanumeric message header in SMS, these are generally not capable of receiving return messages.

Unsubscribe examples that are clearly worded

Email:

To stop receiving messages from us, simply reply to this email with ‘unsubscribe’ in the subject line.
If you no longer wish to receive these messages, please click the ‘unsubscribe’ button below.

SMS:

Reply STOP
Unsub: (1800-number)

Other actions that may break the spam rules

You cannot:

  • Use or supply a list that has been created with address-harvesting software
  • Use or supply address-harvesting software

It is also against the spam rules to:

  • Help, guide or work with another person to break the spam rules
  • Encourage another person to break the spam rules
  • Be directly or indirectly, knowingly concerned with breaking the spam rules

If a business breaks the rules, law enforcer can take enforcement action.

Ask for or provide information

If you or someone else breaks the spam rules, you can tell us. If you do break the spam rules, telling us may help to fix the issue quickly. We review all cases individually, but it may be resolved without further action.

We value all information because it helps identify trends and spot serious or ongoing issues.

spotting a scam

How to spot a scam

Recognise the signs someone is trying to scam you, and learn how to check if a message you have received is genuine.

Recognising online scams

Cyber criminals may contact you via email, text, phone call or via social media. They will often pretend to be someone (or an organisation) you trust.

It used to be easier to spot scams. They might contain bad spelling or grammar, come from an unusual email address, or feature imagery or design that feels ‘off’. But scams are getting smarter and some even fool the experts.

How to spot scam messages or calls

Scammers try to quickly gain your trust. They aim to pressure you into acting without thinking.

If a message or call makes you suspicious, stop, break the contact, and consider the language it uses. Scams often feature one or more of these tell-tale signs.

Authority

Is the message claiming to be from someone official? For example, your bank, doctor, a solicitor, or a government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.

Urgency

Are you told you have a limited time to respond (such as ‘within 24 hours’ or ‘immediately’)? Criminals often threaten you with fines or other negative consequences.

Emotion

Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.

Scarcity

Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.

Current events

Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.

How to check if a message is genuine

If you have any doubts about a message, contact the organisation directly. Don’t use the numbers or address in the message – use the details from their official website.

Remember, your bank (or any other official source) will never ask you to supply personal information via email, or call and ask you to confirm your bank account details. If you suspect someone is not who they claim to be, hang up and contact the organisation directly. If you have paper statements or a credit card from the organisation, official contact details are often written on them.

Make yourself a hard target

Criminals use information about you that’s available online (including on social media sites) to make their phishing messages more convincing.

You can reduce the likelihood of being phished by thinking about what personal information you (and others) post about you, and by reviewing your privacy settings within your social media accounts.

How to report suspicious communications

If you have received a suspicious message or call, or visited a suspicious website you should report it.

Report a scam email; text message; website; phone call; advert

Ransomware

Crucial Facilities Companies Targeted Through Ransomware Gangs

Year of 2019 was actually an especially poor year for ransomware assaults, as well as while certainly there certainly was actually a decrease in using ransomware in 2020, assaults enhanced dramatically in 2021, along with the education and learning industry as well as federal authorities companies one of the absolute most assaulted industries, although no market industry is actually unsusceptible to assaults.

There’s expanding issue around the enhance in assaults on crucial facilities companies, which are actually an appealing aim at for ransomware gangs. Inning accordance with the information coming from the Government Bureau of Examination (FBI), the Cybersecurity as well as Facilities Safety and safety Company (CISA), as well as the Nationwide Safety and safety Company (NSA), 14 of the 16 crucial facilities industries in the Unified Conditions stated ransomware assaults in 2021, consisting of the protection commercial foundation, emergency situation solutions, health care, meals as well as farming, infotech, as well as federal authorities centers. Cybersecurity companies in the Unified Empire as well as Australia have actually likewise stated crucial facilities has actually been actually targeted.

Crucial Facilities Companies Cautioned Around AvosLocker Ransomware Assaults

Today, a cautioning has actually been actually provided due to the Government Bureau of Examination (FBI), the U.S. Division of the Treasury, as well as the U.S. Treasury Monetary Criminal offenses Administration System (FinCEN) around ransomware assaults utilizing AvosLocker ransomware.

AvosLocker wased initially determined as a risk in behind time June 2021 as well as in spite of being actually a fairly brand-brand new risk, positions a considerable danger. Assaults utilizing the ransomware enhanced in the last fifty percent of 2021, along with spikes in assaults happening in Nov as well as December. Variations of AvosLocker ransomware have actually currently been actually industrialized towards assault Linux in addition to Home windows bodies.

As is actually currently typical, the assailants participate in dual extortion as well as need resettlement for the secrets towards decrypt data as well as to avoid the launch of taken information. The gang runs an information leakage webinternet web site where an example of taken information is actually submitted as well as created available towards the general public. The gang states it after that offers the taken information towards cybercriminals if resettlement isn’t created. AvosLocker is among a handful of ransomware procedures that likewise creates exposure to sufferers through telephone towards motivate all of them towards pay out the ransom money. The gang is actually understood towards problem risks of Dispersed Rejection of Solution (DDoS) towards additional stress sufferers right in to paying out the ransom money.

AvosLocker is actually a ransomware-as-a-service procedure where affiliates are actually hired towards carry out assaults for a portion of any type of ransom money resettlements they produce. As a result, the assault vectors utilized in assaults depend upon the skillsets of the affiliates. Typical susceptabilities are actually understood to become made use of towards increase preliminary accessibility towards systems, consisting of susceptabilities connected with Proxy Covering as well as unpatched susceptabilities in on-premises Microsoft Trade Web hosting servers. Nevertheless, over recent year, spam e-mail projects have actually been actually a main assault vector.

E-mail Filtering System Important for Protecting Versus Ransomware Assaults

Spam e-mail is actually a typical assault vector utilized through ransomware gangs. Spam e-mail projects work as well as offer inexpensive accessibility towards sufferer systems. Phishing as well as spam projects either utilize harmful accessories or even installed hyperlinks in e-mails, together with social design methods towards persuade point individuals towards available the accessories or even click on the web links.

The main protection versus these assaults is actually e-mail filterings system. E-mail filterings system check all of incoming e-mails as well as accessories as well as avoid harmful notifications coming from being actually provided towards inboxes. Because cyber stars are actually continuously altering their lures, social design techniques, as well as techniques towards bypass e-mail safety and safety services, it is actually important towards have actually an e-mail safety and safety service in position that can easily react to altering strategies.

E-mail safety and safety services that utilize expert system as well as artificial intelligence towards determine as well as obstruct risks outperform services that depend on anti-virus motors as well as blacklists of understood harmful IP addresses.

Do Not Overlook Safety and Safety Understanding Educating for The Labor Force

It is actually likewise essential towards offer safety and safety understanding educating towards all of participants of the labor force coming from the CEO down. The FBI as well as the U.S. Treasury Division suggested in the most recent notify towards “Concentrate on cyber safety and safety understanding as well as educating,” as well as “Routinely offer individuals along with educating on info safety and safety concepts as well as methods in addition to general arising cybersecurity dangers as well as susceptabilities (i.e., ransomware as well as phishing frauds).”

Here are the new Emotet spam campaigns hitting mailboxes worldwide

The Emotet malware kicked into action yesterday after a ten-month hiatus with multiple spam campaigns delivering malicious documents to mailboxes worldwide.

Emotet is a malware infection that is distributed through spam campaigns with malicious attachments. If a user opens the attachment, malicious macros or JavaScript will download the Emotet DLL and load it into memory using PowerShell.

Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as TrickBot or Qbot that commonly lead to ransomware infections.

Emotet spamming begins again

Last night, cybersecurity researcher Brad Duncan published a SANS Handler Diary on how the Emotet botnet had begun spamming multiple email campaigns to infect devices with the Emotet malware.

According to Duncan, the spam campaigns use replay-chain emails to lure the recipient into opening attached malicious Word, Excel, and password-protected ZIP files.

Reply-chain phishing emails are when previously stolen email threads are used with spoofed replies to distribute malware to other users.

In the samples shared by Duncan, we can see Emotet using reply-chains related to a “missing wallet,” a CyberMonday sale, canceled meetings, political donation drives, and the termination of dental insurance.

Attached to these emails are Excel or Word documents with malicious macros or a password-protected ZIP file attachment containing a malicious Word document, with examples shown below.

Excel Email

Emotet email with Excel attachment Source: Brad Duncan

Missing Wallet

There are currently two different malicious documents being distributed in the new Emotet spam campaigns.

The first is an Excel document template that states that the document will only work on desktops or laptops and that the user needs to click on ‘Enable Content’ to view the contents properly.

Excel Attachment

The malicious Word attachment is using the ‘Red Dawn’ template and says that as the document is in “Protected” mode, users must enable content and editing to view it properly.

How Emotet attachments infect devices

When you open Emotet attachments, the document template will state that previewing is not available and that you need to click on ‘Enable Editing’ and ‘Enable Content’ to view the content properly.

However, once you click on these buttons, malicious macros will be enabled that launch a PowerShell command to download the Emotet loader DLL from a compromised WordPress site and save it to the C:\ProgramData folder.

Powershell command

Once downloaded, the DLL will be launched using C:\Windows\SysWo64\rundll32.exe, which will copy the DLL to a random folder under %LocalAppData% and then reruns the DLL from that folder.

DLL folder

After some time, Emotet will configure a startup value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch the malware when Windows starts.

Registry Editor

The Emotet malware will now silently remain running in the background while waiting for commands to execute from its command and control server.

These commands could be to search for email to steal, spread to other computers, or install additional payloads, such as the TrickBot or Qbot trojans.

Emotet attack flow

At this time, BleepingComputer has not seen any additional payloads dropped by Emotet, which has also been confirmed by Duncan’s tests.

“I have only seen spambot activity from my recent Emotet-infected hosts,” Duncan told BleepingComputer. “I think Emotet is just getting re-established this week.”

“Maybe we’ll see some additional malware payloads in the coming weeks,” the researcher added.

Defending against Emotet

Malware and botnet monitoring org Abuse.ch has released a list of 245 command and control servers that perimeter firewalls can block to prevent communication with command and control servers.

Blocking communication to C2s will also prevent Emotet from dropping further payloads on compromised devices.

An international law enforcement operation took down the Emotet botnet in January 2021, and for ten months, the malware has not been active.

However, starting Sunday night, active TrickBot infections began dropping the Emotet loader on already infected devices, rebuilding the botnet for spamming activity.

The return of Emotet is a significant event that all network admins, security professionals, and Windows admins must monitor for new developments.

In the past, Emotet was considered the most widely distributed malware and has a good chance of regaining its previous ranking.

Why phone scams are so difficult to tackle

Many of us now refuse to answer telephone calls from an unknown number, for fear that it could be a scam.

And we dread receiving a text message, purportedly from our bank or a delivery firm, again due to concerns that it might be from fraudsters.

A recent report suggests that we are right to be cautious. In the 12 months to March 2021, phone call and text message fraud across England, Wales and Northern Ireland was up 83% from the previous year, according to consumer group Which?.

Which? analysed data from Action Fraud, the UK’s national reporting centre for fraud and cyber crime, and says this was the biggest rise across all types of fraudulent attacks.

It adds that the jump was fuelled by more people getting things delivered during the pandemic, which led to a corresponding huge rise in fake parcel delivery text notifications.

In these “smishing” attacks, fraudsters send a person a message, seemingly from a legitimate number, to claim that a small payment is needed before a package can be delivered. Then when you click on the link they try to steal your banking details.

Telecom firms and authorities faces difficulties

But how exactly are the fraudsters able to do this, and why is it so difficult for telecoms firms and authorities to tackle the problem?

Matthew Gribben, a cyber security expert, says that criminals are able to make it look like their phone call or text is coming from the real telephone number of a bank or delivery firm, due to continuing vulnerabilities in the UK (and other countries’) telephone network systems.

“There’s no way for the current UK phone network to guarantee 100% that the presentation number it is being told is the actual originating number – it has to take your word for it,” says Mr Gribben, who is a former consultant to GCHQ, the UK government intelligence agency.

Protocol’s problem

The core of the problem is a telephone identification protocol called SS7, which dates back to 1975. It is a little complicated, but bear with us.

SS7 tells the telephone network what number a user is calling or texting from, known as the “presentation number”. This is crucial so that calls can be connected from one to another. The problem is that fraudsters can steal a presentation number, and then link it to their own number.

The issue affects both landlines and mobile phones, with SS7 still central to the 2G and 3G parts of mobile phone networks that continue to carry our voice calls and text messages – even if you have a 5G-enabled handset.

One theory is that the vulnerabilities of SS7 cannot be fixed because the telecoms firms need to give national security agencies access to their networks, but Mr Gribben says GCHQ (Britain’s intelligence agency) can monitor communications without using SS7 loopholes.

The problem, he says, is that SS7 is still used in telecoms networks globally. And it needs to be replaced rather than patched up.

“SS7 was developed assuming there would always be legitimate activity [and] goodwill around the use of it,” explains Katia Gonzalez, head of fraud prevention and security at BICS, a Brussels-based telecoms firm that connects and protects mobile phone networks.

personal information stolen

“There’s too much legacy technology [reliant upon it] that we can’t move away from – we’re going to have these SS7 2G/3G networks for at least another 10 years.”

Jon France, head of industry security at the GSMA, the trade organisation that represents mobile network providers around the world, says that “a lot of these problems will disappear” after 5G networks have been fully rolled out. This will mean that SS7 – and 2G and 3G – can be totally replaced.

Ms Gonzalez agrees: “It took some time to understand these flaws, and how they were exploited. Now with 5G there will be security from [the centre] of it.”

However, Mr Gribben cautions that even when SS7 is replaced by something “entirely brand new and sparkling, there will still be other vulnerabilities [that fraudsters can exploit]”.

The GSMA says that telecoms firms are putting “a large amount of effort and investment” into tackling scams.

For its part, BICS is using artificial intelligence systems to try to detect and block incoming fraudulent calls and texts.

Ms Gonzalez adds the only way to prevent text message scams is to enable telecoms firms to use AI to scan texts for links to fake websites before they are sent. Yet privacy regulators are unlikely to ever agree to that.

So instead BICS is calling for “greater collaboration between telecoms firms and governments, better relations between countries, and more effort from the companies on sharing information on the latest vulnerabilities”.

When it comes to fraudulent telephone calls, there has been a big increase in so-called “robo-calling” – automated voice calls in recent years.

Call authentication systems do exist that can help stop them, and the UK’s telecommunications regulator Ofcom says it is consulting with the telecoms industry to see what can be implemented, and how soon.

“These criminal scams are becoming more sophisticated and tackling them requires efforts from a range of bodies,” says an Ofcom spokesman.

“We’re working closely with the police, industry and organisations such as NCSC [the National Cyber Security Centre] – which is responsible for cyber-security standards in the UK – to help tackle the problem.”

New protocols developed

An international standards body, the US-based Internet Engineering Task Force (IETF) has also developed new protocols to prevent robo-calling.

In a nod to James Bond, the system is called “Stir and Shaken”. US authorities have ordered mobile operators to implement the protocols by the end of 2021, but Ofcom says UK providers can’t do so until networks are sufficiently upgraded, by 2025.

As phone and text scams are not going away anytime soon, Amanda Finch, chief executive of professional body, Chartered Institute of Information Security, says: “There’s always more that telecoms firms could do”.

“But, security is a continually moving target… basically everyone has to be vigilant,” she adds.

Meanwhile, Robert Blumofe, chief technology officer of cloud security firm Akamai, says: “I don’t think there’s a world anytime soon where we can train people not to be fooled, so the solution has to include a way to block the response the text messages are trying to elicit.”

How to report online scams

How to report online attempts to steal your money

With scams spiking during lockdown, here are some of the ones to know about – and how to get support

Fresh warnings have been issued over a new scam that claims payment is required for a package to be delivered.

The latest con involves the victim receiving a text message from “Royal Mail”, claiming that a parcel is ready for delivery, but that an additional fee of £1.99 or £2.99 is required.

A link is shared for the recipient to click through and pay the alleged fee, only to be directed to a copycat website operated by fraudsters.

One victim revealed on social media in a tweet that went viral that such a con had left her “scammed out of every penny I had” after fraudsters telephoned her pretending to be her bank and asking her to move money around.

The Chartered Trading Standards Institute (CTSI) and Royal Mail have both warned that such messages are fraudulent, with the CTSI adding that such scams have surged over the past year.

“This delivery scam is yet another example of fraudsters attempting to make money out of the unsuspecting public,” said Katherine Hart from the CTSI.

“Due to the lockdowns, many millions of people rely on product deliveries, so scammers have focused their efforts on this theme.

“If you have any suspicions, contact Royal Mail to verify before you click any links or share details,” she added.

A spokesperson for Royal Mail said the service would only ever ask for payment by email or text message if a parcel had been sent to them from overseas and a customs payment was due.

“In such cases, we would also leave a grey card telling customers that there’s a Fee to Pay before we can release the item.”

But what other scams exist and what should you look out for? Here’s everything you need to know.

National Insurance

Action Fraud, the UK’s national reporting centre for fraud and cybercrime, is warning the public about a National Insurance scam after it received over 34,000 more calls last month compared with February 2020.

Victims have reported receiving an automated telephone call telling them their “National Insurance number has been compromised” and that they must “press one on their handset to be connected to the caller” in order to resolve the issue.

Once connected to the “caller”, victims are pressured into giving over their personal details in order to receive a new National Insurance number. In reality, they’ve been connected to a criminal who can now use their personal details to commit fraud.

Pauline Smith, head of Action Fraud, said: “We are asking the public to remain vigilant and be cautious of any automated calls they receive mentioning their National Insurance number becoming compromised.

“It’s important to remember if you’re contacted out the blue by someone asking for your personal or financial details, this could be a scam.

“Even confirming personal details, such as your email address, date of birth or mother’s maiden name, can be used by criminals to commit fraud. If you have any doubts about what is being asked of you, hang up the phone. No legitimate organisation will rush or pressure you.”

HMRC (tax scams)

With the end of the tax year approaching, scams relating to tax payments, bills and rebates are on the rise. Her Majesty’s Revenue & Customs (HMRC) received over 900,000 reports of HMRC scams in 2020, with more than half of these offering fake tax rebates.

Common scams include messages claiming you are owed a tax rebate, that you’ve missed an important deadline, or warning that you have an outstanding fee to pay. Scams exploiting the Covid-19 pandemic have also been reported, with people receiving texts stating that they are owed a “goodwill payment” due to the coronavirus. Others demand a £250 payment after individuals are accused of “breaching lockdown restrictions”.

HMRC has said that it will never send notifications by email about tax rebates or refunds and advise recipients not to open any attachments, click any links or share any personal or payment information. It adds that if you are unsure about the legitimacy of a message you receive by email, text message, WhatsApp, social media or telephone, you can forward the details to the National Cyber Security Council at phishing@hmrc.gov.uk.

Genuine emails from HMRC should all end in ‘gov.uk’ only. Any additional words, letters or numbers following this are likely to be fraudulent. Don’t click links contained in emails or messages claiming to be from HMRC – log in to your account, email or telephone them directly to be certain it’s safe.

You can also see examples of HMRC scams by following this government link.

Investment fraud

Fraud

Investment fraud occurs when you receive a cold call from someone claiming to offer you an opportunity to invest in a scheme, service or product that is actually worthless or doesn’t even exist. It’s also known as share sale fraud, hedge fund fraud, land banking fraud or bond fraud. The majority of investment frauds are run out of offices known as boiler rooms. Victims may also be offered “special discounts”, “insider info” or “exclusive” stock tips.

Boiler room operations often contact victims out of the blue and pressure them into making rushed decisions with no time to consider the nature of the investment. Callers often sound extremely knowledgeable and professional, and may produce polished-looking websites, certificates or brochures to “prove” their authenticity.

As well as never providing bank account details or sensitive information, never accept investment offers on the spot from cold callers. Instead, look at the Financial Conduct Authority’s ScamSmart warning list which acts as a barrier between unscrupulous scammers and you.

Sadly, boiler room operations tend to target people aged 65 and older, so it’s important to talk to older family members and vulnerable people to help them spot bogus callers.

Netflix

Action Fraud received over 400 reports in just one week from people reporting fake emails purporting to be from Netflix. The emails state that the recipient needs to “finish signing up” by clicking the link provided before they can use the online streaming service. Doing so, however, takes victims to phishing websites that steal your Netflix login, personal and financial information.

Netflix says that it will never ask you to enter personal information in a text or email. This includes credit or debit card numbers, bank account details and Netflix passwords. If you think your account has been compromised, Netflix advises you to contact it directly using the details on this page.

Romance fraud

Romance fraud occurs when a person you’ve met through an online dating website or app uses a fake profile to build a relationship and gain your trust before asking you for money or information to steal your identity.

Tell-tale signs include asking you lots of personal questions but disclosing very little about themselves; and exploiting your trust by inventing a reason to ask for your financial assistance, such as money to pay for a flight to visit you, or money for medical treatment for them or a family member. “Perfect” profile pictures can also be a giveaway and may have been stolen from a model or actor. Using the reverse image search tool on Google can help you find the original source of photos.

To avoid getting caught out by romance fraud, avoid revealing too many personal details when dating online, such as your date of birth or home address, which may result in your identity being stolen. Never send or receive money or share your bank details to someone you’ve met online, no matter how convincing their story is. And, if you’re online dating, choose a reputable site or app and use their messaging service, rather than switching to social media or texting, where messages can be deleted more easily.

According to Action Fraud, women are twice as likely to fall victim to romance fraud and investment fraud twice as men.

Paul Davis, retail fraud prevention director at Lloyds Bank, said: “Scammers do this for a living – they’re in it for the long game and will often spend a lot of time building up a ‘relationship’ and trust – they can invent convincing stories, waiting for the right moment to start tricking people into sending them money.

“If you’ve struck up a conversation or begun a relationship solely online and the discussion moves on to sending money, that’s the time to stop.”

Fraud recovery

As if being scammed once isn’t bad enough, data from the National Fraud Intelligence Bureau (NFIB) found that over £373 million was lost by repeat victims of fraud in the 2019/20 financial year, with the average victim losing £21,121. However, when someone reported at least one investment fraud, this figure jumped a staggering 300 per cent to £84,604.

A fraud recovery scam is when criminals contact victims pretending to be from their bank, a law enforcement agency, solicitors or “specialist recovery firm” claiming to be able to help them get their money back or compensation. Incredibly, this is often the same criminal targeting the victim again, or the victim’s personal details may have been sold on the dark web to other fraudsters. Scammers will usually ask for a fee for this “service” and may ask victims for their bank account details so they can “deposit” the recovered funds.

Mark Steward, executive director of enforcement and market oversight at the Financial Conduct Authority said: “Consumers should always be wary of cold calls and promises to recover funds lost to a scam, as these are often signs of an attempted recovery fraud taking place. If you’re under pressure to make a quick decision or a payment, there’s a very good chance you’re talking to a scammer.

“Be ScamSmart and check the FCA Register to make sure that the firm you are dealing with is authorised to perform the service they are providing for you, and use the contact details on the FCA Register.”

TV Licensing

While this particular scam was first identified by the NFIB in September 2018, scam emails purporting to be from TV Licensing resurfaced again in October 2020. Victims receive an email which states that there is a problem with their Direct Debit that needs addressing in order for them to continue watching TV legally at home.

Victims are then urged to click a link, which directs them to an authentic-looking website that prompts them to enter their home address and bank details, which are duly stolen by scammers.

TV Licensing say that in emails, it will include your name and part of your postcode, compared with scam emails which often just use your email address or “Dear customer”. All legitimate emails from TV Licensing come from donotreply@tvlicensing.co.uk (or donotreply@spp.tvlicensing.co.uk). If you think you’ve been a victim of a TV license scam, contact Action Fraud or email the government’s fraud service at report@phishing.gov.uk.

What can I do if I think I’ve been a victim of fraud?

If you think you’ve been a victim of fraud, you can contact Action Fraud for help and advice. You can also forward details of suspect scammer to the National Cyber Security Centre.

Oren Etzioni: Fighting Spam with Spam

Oren Etzioni: Fighting Spam with Spam

Even though I’m a Professor of computer science, I have failed to protect myself from the daily nuisance of unsolicited and unwanted commercial e-mail known as “spam”. It’s time to fight back. Last week, a consumer association called for new legislation to combat spam, but the legal process is cumbersome and ineffectual in this case.

Although more than ten states have enacted anti-spam laws, courts in at least two states have ruled that the laws are unconstitutional. Furthermore, spam is a global phenomenon, and much of the spam we receive originates outside the United States.

I say let’s fight spam with spam!

Spammers rely on most of us to quietly delete their unwanted e-mail and go about our daily business. They hope to lure the few who are potentially interested in their dubious propositions (“URGENT AND CONFIDENTIAL BUSINESS PROPOSAL”…”Watch Monika live”). What would happen if many of us responded to each spammed message? Unlike viruses, whose authors can hide in the shadows of the Internet, each piece of spam has to have a simple trail for recipients to follow so that the spammer can ultimately make money. Faced with hundreds of thousands of responses, the spammer would have to employ substantial resources to find genuinely responsive individuals — the cost of successful spamming would shoot up and its frequency would naturally drop. Of course, responding to spam requires more effort than merely deleting it, but fighting back is also more satisfying. More important, if doing so will result in a chilling effect on spam, the effort will pay off over time.

Spammers will inevitably cower behind walls of automation. However, anti-spammers could find a receptive ear at their payment processor be it Visa or Paypal. Also, we could contact a spammer’s ISP. Web sites could spring up that would direct anti-spammers to the appropriate contact points. In the rare cases where there is no person to contact, anti-spam activists could mount a legitimate grass roots “denial of spam” attack on spammer web sites, flooding them with requests which would grind them to a halt.

One might question whether anti-spam forces could muster large enough numbers of volunteers. But remember that the Internet community is huge, and none of us get a free pass from spam. To bolster the effort, we could build anti-spam amplifiers that take each bona-fide individual request and turn it into ten or even one hundred requests directed at the spammer. We would need safe guards to prevent the abuse of such amplifiers, but the small “volume” of the amplifier ensures that only a large group of individuals could have any real impact. This sort of approach may need further refinement, but it has a satisfying symmetry to it — any spammer can count on a powerful torrent of counter-spam directed right back.

The effort to fight spam is also justified by its growing cost.

The most immediate cost of spam is the momentary irritation of identifying and deleting it; multiplied by literally billions of e-mail readers, this cost is substantial. Spam also results in a financial burden to the companies that operate the Internet infrastructure.

Hotmail estimates that it receives over a billion spam messages per day, and that number is growing rapidly. Finally, spam has an intangible cost that arises from its negative impact on electronic discourse. For instance, people obscure their e-mail addresses, or refrain from posting their address in public forums to try and avoid spiders that collect e-mail addresses as grist for spam-spewing mills.

There are some measures already in place to fight spam. America Online, for example, enables users to elect to only receive e-mail from designated, pre-approved e-mail addresses. If you’ve tried sending a legitimate message to such a user, then you’re aware of how annoying this measure can be. Moreover, users are forced to continually update such lists and inevitably fail to receive important messages. A cottage industry has sprung up of companies attempting to filter e-mail and prevent spam from reaching its target. However, filters run the risk of inadvertently blocking desirable e-mail. As a result, the filters are conservative in blocking messages and often let spam through. Spammers have also become increasingly adept at creating spam that masquerades as ordinary e-mail.

One of the more promising technical proposals for blocking spam is the use of mini Turing tests. Turing tests are puzzles that are intended to discriminate people from programs. Such schemes work as follows. Whenever I receive an e-mail message from an unknown recipient, my mailer automatically sends a message back politely requesting that the sender solve a simple puzzle to demonstrate that they are a person and not a spam machine. The original e-mail is transmitted to me only if the sender does indeed reply with a solution to the puzzle. In that case, the sender’s e-mail is placed on a list of approved senders so that the sender does not have to solve a puzzle every time they send a message. Nevertheless, this process is awkward, potentially insulting to the sender, and far from fool proof.

The limitations of blocking and filtering approaches have led experts to consider a range of economic remedies. Such remedies focus on the fact that the cost of sending e-mail is close to zero. Increasing that cost, by paying the recipient of a message or by introducing a post office of some sort into the Internet, would clearly “can” much of the spam we receive. The downside of such remedies is that they take a free service and attempt to charge for it. History shows that such attempts meet overwhelming resistance from people. My colleague Fernando Pereira has suggested that each Internet Service Provider (ISP) ought to compensate other ISPs for the spam that they send. Thus, if a Korean ISP sends Hotmail more spam than it receives from Hotmail (a spam surplus) then it would have to pay Hotmail, or Hotmail would refuse to receive e-mail from that ISP. This innovative proposal would incent ISPs to better police their accounts and cut down on spam, but would require multi-lateral agreements that may be difficult to achieve and enforce.

Yesterday, I created a new e-mail account, and within twenty four hours I received over twenty five pieces of spam. The Internet is drowning in spam, and it stinks! Virtually all of us simply hit the delete button on our key board. Let’s distribute software that automatically converts that single key stroke to a clear response to the spammers — stop spamming or taste your own medicine.

By Oren Etzioni