The dangers of cyber crime were brought home recently to subscribers of BT, (the UK's flagship telecommunications company), through a series of socially engineered phishing scams using the name of the telecoms giant to lend credibility.
The attacks are symptomatic of a larger problem facing private individuals and institutions alike - that of the evolving sophistication of cyber crime, and the multitude of channels within which cyber-criminals can now operate.
In this article, we'll be looking at how business users can beef up the security of their operational and communications networks, to protect themselves from the hazards of cyber crime.
Evading Credible Lures
Indirect methods of assault like phishing and social engineering ploys often target potential victims via email, SMS text messaging, push notifications, or pop-ups on a website. At their most effective, they're eye-catching, compelling, personally relevant, and seem to originate from a reputable and/or authoritative source - often with an enticing or intimidating message.
For the UK telecoms market, BT fits the bill for this description - so it's little wonder that unscrupulous operators are now choosing to exploit that name as an avenue for cyber crime.
In April 2017, users took to Twitter to report on a phishing email supposedly originating from BT CEO ‘Erin Rose’ (not the current title-holder) bearing the corporation's logo and containing fake and often extortionate bills for the recipients - who are informed that BT “will take your payment from your account as usual by Direct Debit”.
There's a bogus link provided in the message to authorise this payment, which downloads malware (probably Emotet, or one of its variants) that can capture data as you enter it, and siphon off your financial details.
Following the recent outbreak of WannaCry ransomware in May 2017, another scam email began doing the rounds: a well-designed and malicious spoof supposedly highlighting the efforts that BT is making on a global scale to avoid such a crisis in future. There are links to click on for further information and help - which if followed, will land the unfortunate recipient in hot water.
May 2017 also revealed a phone scam run by perpetrators claiming to be official representatives of BT or the service provider TalkTalk. Here, targeted victims were telephoned out of the blue and presented with one of several variants ("Someone's hijacked your internet", "Your connection needs fixing", "You owe us money") on an attempt to get them to visit a (booby-trapped) website where they should click on a link to grant the company's technicians remote access to their system.
This remote access request may also be made by phone, where you're asked to enter a special code. If it's granted in either way, the fraudsters are at liberty to install spyware or other malicious software, at will.
It's not only the BT name that's being bandied around in this way. Fraudsters in the USA have been crafting scams by posing as representatives of the Federal Bureau of Investigation (FBI), the Internal Revenue Service (IRS, the US tax authority), and various others. Bogus calls and messages are typically designed to be intimidating, or authoritative and helpful - and it can be difficult for recipients to distinguish them from the real thing.
Knowing the Warning Signs
With the global reach of digital communications, it's not uncommon for the organisers of scams like these to be resident in countries far removed from the nation of origin of their intended victims - and to have only a passing knowledge of the language, culture, and social mores of their targets.
Because of this, written and verbal communications from such people will often contain anomalies. Look for misspelled words, unconventional greetings ("My Most Dearest", "Attn: Recipient"), bizarre sentence structures, and poor grammar.
These people are supposed to represent a large organisation. The least you should expect from them is spell check.
Most internet-enabled systems now have a feature that shows a pop-up with the true URL of origin, when you hover your mouse pointer over the Sender's name in an email message header. If this doesn't match up with the official contact address of the organisation the message is supposed to come from (which you can find on their official website, or by contacting them by phone or in person), this should throw up a red flag.
The same precaution holds for the caller ID and number of origin for any suspicious phone calls - though it's possible for more sophisticated purveyors of cyber crime to spoof these quite accurately.
Large corporate and institutional bodies like BT will have a specific protocol for how their communications are handled - which you can again verify through in-person contact, phone, or a visit to their official website (on another phone or system to the one that receives a suspicious message). For example, BT and TalkTalk have a standing policy to never request funds via bank transfer - and they have a list of approved phone numbers for contacting subscribers.
Protecting Your Network & Infrastructure
With technologies like VoIP (Voice over Internet Protocol) and cloud-hosted PBX (private branch exchange) based in the digital realm, telecommunications systems now throw themselves open to many of the same risks as other data networks on the internet. And some of the same security defence mechanisms apply.
Firewalls may be used to guard network perimeters by analysing packets of data passing into or out of the system, and blocking or accepting them according to pre-defined security rules. Firewalls may be deployed in the form of dedicated hardware, network software packages, and personal firewall apps for individual users.
Anti-virus and anti-malware software is available for desktop systems, networks, and as mobile apps to provide real-time scanning and protection against malicious software, with options to repair the damage caused by any malware that inadvertently gets through.
Since phishing and social engineering scams are largely perpetrated via email, phone, and messaging applications, this particular breed of cyber crime may be reduced in its effect by using email, call, or message filters with rules set to prevent certain types of communication, blacklisted contact names, or specific subject lines from getting through. Again, there are dedicated hardware devices, mobile apps, and desktop software available.
Taking Proactive Security Measures
Common sense, knowledge, and security awareness training are key, here.
Articles like this one and the collective wisdom of organisations like LG Networks and others in the cyber-security sector, can provide best practices and check-lists enabling users to recognise a potential scam when they see it.
Security intelligence databases and web resources can provide up to the minute news and information on the latest scams and cyber crime threats doing the rounds.
Periodic sessions of security education can help reinforce these factors, and drive home the importance of precautions like strong password policies, email etiquette, and due diligence.
Keeping the Record Straight
The call monitoring and call recording features of VoIP telephony systems can be of great value in the fight against cyber crime, together with the monitoring and archiving of email and web browsing activities.
At one level, monitoring and recording tools can provide material for evaluating the reaction of workers to socially engineered encounters, and throwing up best and worst practices for dealing with potential threats.
At another level, logs and transcripts provide documentary evidence in the unfortunate event of a successful scam, and resulting security breach. This evidence can assist the enterprise in any subsequent legal disputes, furnish law enforcement and regulatory authorities with a clearer picture of what's happened, and provide forensic investigators more material to analyse in repairing any damage.
Knowing Who to Call
The good news is, you don't have to suffer the uncertainty or anguish of a threatening call or email from some faceless organisation alone.
- If there's any doubt in your mind about the authenticity of a call, message, or email, contact the organisation directly to verify - in person at their nearest branch office, at their official contact number on a different phone, or at their official website on a different internet connection
- The UK has a national fraud and internet crime reporting centre known as Action Fraud, where victims or potential victims of cyber crime can report suspicious communications and receive advice on various aspects of how to deal with the phishing threat or its after-effects
- Those who've suffered losses from the effects of cyber crime in the UK can register with the CIFAS Protective Registration Service, which works with financial services institutions to limit the damage caused by identity theft, credit card compromise, and related crimes
- On the official website of BT, there's a page dedicated to intelligence and advice on Scams and cyber crime, which also features a list of the organisation's approved telephone numbers that subscribers should expect to receive calls from
If you have any further questions on cyber crime and the measures you should take to avoid it, contact the voice, data and security networks specialists at LG Networks.