IMPORTANT INFORMATION - ONLINE THREATS USING CORONAVIRUS AS BAIT:
There are a number of cyber threat groups seeking to use the coronavirus / COVID-19 outbreak to their own advantage. It is hugely important that people are aware of the threat, which takes many forms.
Be wary of any emails that offer information about the virus. Some are generic, targeting a wide range of people, and others are aimed specifically at organisations that form part of the health sector, or critical national infrastructure.
The following documents have been issued by the National Cyber Security Centre and the US Defence Threat Reduction Agency, and contain some useful advice for individuals and organisations.
Cyber-crime is on the rise, with major data breaches now a regular fixture in the news. Computer hacking, malware and cyber-enabled frauds now cost the UK just under one billion pounds every 6 months. The speed, convenience and anonymity of the internet - paired with the staggering rate at which technology is advancing - mean that the entry point for cyber crime is lower than ever before, and would-be criminals are able to learn and develop their skills with resources readily available online.
Now, through underground marketplaces on the Dark Web, criminals can sell their skills, putting these capabilities well within reach of anybody with money and a motive, regardless of their technical ability.
Thankfully, cyber security need not be complicated and there are a number of simple steps you can take to help protect yourself from cyber-crime.
Do you run a local business? Or are you part of a local community group?
Our Cyber Protect Officer is on hand to provide free, impartial cyber security advice to small to medium enterprises and community groups across the county.
To arrange a presentation, completely free of charge, email us at firstname.lastname@example.org.
Free resources from the NCSC
If your organisation can't afford cyber security training, you no longer have to miss out. The NCSC have created a training package to help keep your staff, and your organisation safe.
Covering subjects like phishing, passwords, device security and incident reporting, the package can be completed online, or downloaded and incorporated into a pre-existing training program.
Find out more about it here.
Covering the fundamentals of cyber security, the NCSC's Small Business Guide is packed full of useful information to help bolster your defences.
Download your free copy of the PDF here.
Falling victim to a cyber attack can have devastating consequences. Businesses stand a significantly better chance of getting back on track if they have a tried and tested Business Continuity and Disaster Recovery plan.
Not sure if yours is up to scratch? Or if you have one at all?
Then click here to find out more.
Charities are just as much of a target for cyber crime as a commercial organisation. The difference, of course, being that as not-for-profits, the money sometimes just isn't there for cyber security measures.
That's why the NCSC have taken the time to create the Small Charities Guide, which you can download here.
Not sure where to start with your cyber security? The NCSC have your back with a series of guides, highlighting where you might want to focus your attention.
Take a look at the guide here.
Exercise in a Box is an online tool from the NCSC which helps organisations test and practise their response to a cyber attack. It is completely free and you don’t have to be an expert to use it.
The service provides exercises, based around the main cyber threats, which your organisation can do in your own time, in a safe environment, as many times as you want. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.
Find out more about it, including how to get involved, here.
Boards are pivotal in improving the cyber security of their organisations. The Board Toolkit has been created to encourage essential discussions about cyber security to take place between the Board and their technical experts. Board members don't need to be technical experts, but they need to know enough about cyber security to be able to have a fluent conversation with their experts, and understand the right questions to ask.
That’s where the Board Toolkit comes in. It gives a general introduction to cyber security, explaining different aspects of cyber security, and why they are important.
Take a look here to find out more.
Protecting your devices
Should you inadvertently allow malware on to your system, a good antivirus package can be invaluable.
Antivirus software can detect and quarantine any suspicious files, and remove anything of concern. For this reason, we suggest installing antivirus software on your computer, and any smartphones or tablets.
There are a number of antivirus software manufacturers to choose from, so take the time to find one that suits your needs.
A word of warning, though... It is important to ensure that your antivirus suite is kept up to date! Antivirus software can only protect you from the strains of malware that it knows about.
Find out more about viruses and malware here.
Most desktop and laptop computers will have some form of firewall and virus protection built into the operating system. For Windows, there's Windows Defender. For macOS, there is XProtect.
The firewall aspect of these programs acts as a barrier between your computer or network, and the rest of the internet. A firewall looks at what is moving in and out of your network, and compares it to a list of "rules". Provided it is correctly configured, if it sees traffic that it doesn't expect (for example, data being leaked by malware), it will prevent it from leaving the network.
Most hardware and software manufacturers release updates to their products on a regular basis. Whilst people are mostly interested in the cosmetic changes and performance improvements, it's worth noting that the majority of updates also contain important security updates.
Cyber-criminals often seek to exploit vulnerabilities in your computer or smart device's operating system, or in the software and apps you use.
When a manufacturer releases an update to their product, it may indicate that there is a potential weakness in the software. Bear in mind that it also acts as an advert to cyber criminals that there is something they might be able to exploit. This is why it is important that we apply patches as soon as they are available.
Find out more about updating your devices here.
Protect your devices with a strong password, PIN code or biometric measure (such as fingerprint scanning or facial recognition). This way, if somebody has physical access to your device, they will be unable to access your personal information.
If you lose your device, many smart devices also allow you to remotely track, lock and wipe any information. If this feature is available to you, make sure it's activated!
Find out more about strong, secure passwords here.
Remember - passwords are essentially the keys to your digital life. Make sure they are strong! If you struggle to think of a strong password, a password manager app may help. They can create and store long, complex passwords. The best part is that you never have to remember your passwords, as the password manager will do so for you.
Your password is the first line of defense for your online accounts. Creating long, strong and unique passwords is an essential part of keeping your personal information safe.
Whilst it may be convenient to use the same password across the board, consider this. If your password is compromised, a cyber criminal can - and will - try every online account they imagine you might have. If the password is the same for every account, they'll take control of every account.
Using a unique password for every site, however, limits the potential damage caused by your password being compromised to just the one site.
Whilst the merits of long, strong, unique passwords are clear to most, we still see the usual suspects appearing in the "Most commonly used and stolen passwords" lists. As an example, the most commonly used and stolen passwords of 2018 are as follows:
These passwords appear in countless data breaches, and are readily available to buy online for very little money. They can be (and often are) used in automated attacks in order to compromise social media accounts, for example. However, if we follow best password practice, we stand a much better chance of keeping our accounts secure.
There are a number of ways you can create strong, secure passwords. We, and the National Cyber Security Centre, advocate the use of a password manager. There are a number of password managers available either as browser extensions, desktop programs or mobile applications. A password manager can create long passwords, comprising upper and lower case letters, numbers and special characters. The two main advantages of a password manager are:
- They are much better at being random - with a password manager, we can avoid any structure in our passwords that may make them easier to guess. As a rule of thumb, computers are much better at this than people.
- They remember the passwords for us - password managers store your passwords securely, often requiring a password or fingerprint to access the app. You can copy and paste the password from the manager to the website or app you are trying to log in to, meaning you never have to remember your passwords.
If a password manager is not for you, then we'd recommend considering a passphrase: 3 random words, strung together to make a long, complex password. To make these passphrases complex, we can replace certain letters with numbers (E for 3, I for 1, for example). To make them unique, we can add an indicator as to which account they refer to (FB for Facebook, added at the start, middle or end for instance).
And there you have it. Two ways to make long, strong, unique passwords for all your online accounts.
Public Wi-Fi is incredibly convenient, however it is worth bearing in mind that it is generally not secure.
Information sent over a public Wi-Fi network can be intercepted by a cyber-criminal, using tools readily available online. For that reason, we do not recommend using public Wi-Fi for anything sensitive, such as online banking.
However, there are programs and mobile applications available which can help make public Wi-Fi secure. Using a VPN, you can encrypt any information going to or from your computer, tablet or smartphone, meaning that cyber-criminals cannot steal your information.
There are a number of VPN clients available for computers and smart devices, so take the time to research and find a solution that best suits your needs.
When entering sensitive information on a website, make sure you are doing so on a secure connection.
To determine whether or not your connection is secure, check the URL at the top of your browser. If the web address starts 'http://' then your connection is not secure.
If your connection is secure, then the URL will start with 'https://'. The 'S' literally stands for 'secure'. An HTTPS connection ensures that any data sent is done so in an encrypted form, meaning that only you and the intended recipient can see what was sent. This prevents people from being able to pry on your data whilst in transit.
An HTTPS connection is often accompanied by a little padlock in the URL. If you see this padlock, it should indicate that the connection is secure.
Bear in mind, however, that an HTTPS connection does not necessarily mean the website is genuine. You will still need to check the complete URL to be sure you have navigated to the website you intended to visit.
Find out more about safe internet use here.
Email is thought to be used in around 95% of cyber attacks, and phishing emails make up a large proportion of that. Phishing emails are deliberately crafted to cause a sense of panic, or curiosity. They often imply a sense of urgency, in order to trick the recipient into acting without thinking. We often see emails that suggest:
- your account has been locked / closed
- there has been unauthorised activity on your account
- you've won some sort of prize
These emails often claim to be from your bank, a utility company, or a software or email provider. Usually, the emails request some form of action or response on your part, and will have a link or a button to follow. These links will often take you to one of two things:
- A website that requests your login details, or other personal information
- A website hosting malware
These emails are designed to encourage you to act quickly, by suggesting you may lose access to your account permanently, or that the prize may only be available for a short time. If you follow the link, and enter any personal information, your credentials are generally recorded and sent straight to the cyber-criminals. From there, they can gain access, and you lose control of your account.
However, there are some things to look out for to help spot a phishing email:
- Poor spelling or grammar - phishing emails often contain spelling mistakes or grammatical errors. Whilst it may be the case that the would-be criminal has been sloppy, more often than not this is a deliberate ploy. The fraudsters will include these errors to weed out the more switched on people, and deliberately target the more vulnerable members of society, who may not have noticed these errors at all.
- Check the email address - with most email providers, there is an option to expand the email address at the top of the page. A common trick used by cyber-criminals is to set their username to look like a legitimate email address. For example, in the case of a PayPal themed email, the username might be 'email@example.com'. This gives the appearance of a legitimate PayPal email address at first glance, but if we expand the box we'd see that this is in fact just a username, and the address is something wildly different.
- Hover your mouse over any links - hovering your mouse over any links or buttons, without clicking, causes a little box to appear. This box contains text that shows the real destination that button or link will take you to. If the link in that box doesn't look like you'd expect, do not click it.
It's not just phishing scams we need to be wary of with email. Take care when you receive an attachment. If you do not know the sender, or were not expecting to receive an attachment, do not open it, even if it was sent by a trusted contact.
Take the time to verify any attachment you receive. Do so by telephone, SMS or any other channel besides email.
Malicious executable files:
Criminals will often send malicious files as email attachments. Be wary of any file that ends with .exe. Opening a malicious .exe file typically triggers an immediate action whereby your computer downloads and installs malware. Other file extensions to be mindful of include .msi, .bat, .com, .cmd, .hta, .scr, .pif, .reg, .js, .vbs, .wsf, .cpl, .jar and many more... If something is masquerading as a music file, photo, office document or otherwise, it should not have any of these extensions!
Malicious Office documents:
Another common means by which criminals seek to infect your machine is the use of Office documents. Microsoft Office documents permit the use of "macros". Macros are essentially a script, or piece of code, which is used to automate a process. In many cases, this process involves automatically downloading malware to your machine.
Macros are disabled by Microsoft by default for security purposes, so if you receive a document that contains instructions on how to enable macros, treat it with caution. It is highly likely to contain malware.
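The two attachment warnings above (risky file extensions and macro-enabled Office documents) can be turned into a mail-side check. This is an added example, not code from the original page; the macro-enabled and decoy extension lists, the function names and the sample message are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Extensions the page lists as ones to be wary of on email attachments.
RISKY = {".exe", ".msi", ".bat", ".com", ".cmd", ".hta", ".scr", ".pif",
         ".reg", ".js", ".vbs", ".wsf", ".cpl", ".jar"}
# Assumption: macro-enabled Office formats (not named on the page).
MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Assumption: harmless-looking extensions that may appear as the decoy part.
DECOYS = {".mp3", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx",
          ".xls", ".xlsx", ".txt"}


def extensions(filename):
    """Return the lower-cased extensions of a file name, outermost last."""
    base = re.split(r"[\\/]", filename)[-1]
    # Windows drops trailing dots and spaces, so "a.exe. " is stored as a.exe.
    base = base.rstrip(". ").lower()
    return ["." + part.strip() for part in base.split(".")[1:] if part.strip()]


def classify(filename):
    """Classify an attachment name by its real (final) extension."""
    exts = extensions(filename)
    if not exts:
        return "ok"
    final = exts[-1]
    if final in RISKY:
        # A media or document extension before the real one is the disguise.
        if any(ext in DECOYS for ext in exts[:-1]):
            return "disguised-executable"
        return "executable"
    if final in MACRO_ENABLED:
        return "macro-enabled"
    return "ok"


def scan_message(msg):
    """Return {filename: verdict} for every attachment that is not 'ok'."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify(name)
        if verdict != "ok":
            findings[name] = verdict
    return findings


def build_sample():
    """Constructed message; attachment bodies are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["Subject"] = "Documents"
    msg.set_content("Please see attached.")
    for name in ("holiday.jpg.exe", "setup.msi", "report.docm",
                 "minutes.docx", "song.mp3"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()).items():
        print(f"{verdict:22} {name}")
```

A name-based check only catches what the file claims to be; it does not inspect the file's contents, so it sits alongside antivirus scanning rather than replacing it.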
Smishing is a practice that is becoming increasingly common. Fraudsters know that the one place they can always reach us is our mobile phone! Smishing is much the same as phishing, but rather than sending an email, you receive a text message stating there is something wrong with your account.
Typically, these messages claim to be from your bank. The message will suggest your account has been closed, or that someone has tried to access it, and that you can remedy the problem by following a link. The scary part is that these messages can be crafted so that they appear alongside genuine messages from your bank. This, of course, makes it harder to spot a fake.
Remember though, the fraudulent messages often contain a link, and attempt to encourage you to click it. Your bank will never send you a link in a text message. They usually send a message asking that you make contact with them, leaving it to you to call on a number you trust. So, if you receive a message from your bank, check it closely. If there is a link, do not click it. Pick up your phone and verify the text message before you take any action!
Sextortion (a combination of sex and extortion) is where a victim is blackmailed to pay money to prevent intimate videos or photos of them being posted on social networking, photo-sharing or revenge porn websites, or being forwarded to others.
The blackmailer could be an ex-partner or someone who the victim has met or spoken to and has previously shared photos and videos with. But it is also increasingly common for organised gangs to pose as individuals looking for romance and trick victims into capturing intimate webcam footage, often without them even knowing they have been recorded as cameras can be activated by spyware.
A variation on sextortion is revenge porn, where an angry or jealous ex-partner posts intimate photos or videos of a victim online, simply to cause upset or humiliation rather than for any financial gain.
Tips to avoid becoming a victim:
- Be aware of the possible consequences of your online behaviour and the potential outcomes of having intimate photos or videos taken of yourself, even by somebody you are close to.
- Do not take your clothes off or perform intimate acts in front of your webcam at all, whether you think you have switched it to record or not.
- Tighten the privacy settings on your social media accounts and ensure you have security software loaded and switched on. This will significantly reduce the risk of being targeted by sextortion and many other similar forms of cyber-crime, including the possibility of someone remotely controlling your webcam.
- If a compromising photo or video appears on a website or social media site, report the images and ask for them to be removed and the perpetrator to be blocked.
If you have become a victim of sextortion:
- Don’t panic. Contact the police and your internet service provider immediately. The police will take your case seriously, will deal with it in confidence and will not judge you for being in this situation.
- Don't communicate further with the criminals. Take screen shots of all your communication. Suspend your Facebook account (but don’t delete it) and use the online reporting process to report the matter to Skype, YouTube etc. to have any video blocked and to set up an alert in case the video resurfaces. Deactivating the Facebook account temporarily rather than shutting it down will mean the data are preserved and will help police to collect evidence. The account can also be reactivated at any time so your online memories are not lost forever. Also, keep an eye on all the accounts which you might have linked in case the criminals try to contact you via one of those.
- Don't pay. Many victims who have paid have continued to get more demands for higher amounts of money. In some cases, even when the demands have been met the offenders will still go on to post the explicit videos. If you have already paid, check to see if the money has been collected. If it has, and if you are able, then make a note of where it was collected from. If it hasn't, then you can cancel the payment - and the sooner you do that the better.
- Preserve evidence. Make a note of all details provided by the offenders, for example; the Skype name (particularly the Skype ID), the Facebook URL; the Western Union or MoneyGram Money Transfer Control Number (MTCN); any photos/videos that were sent, etc. Be aware that the scammer's Skype name is different to their Skype ID, and it's the ID details that police will need. To get that, right click on their profile, select ‘View Profile’ and then look for the name shown in blue rather than the one above it in black. It'll be next to the word ’Skype’ and will have no spaces in it. DO NOT DELETE ANY CORRESPONDENCE.
Remember that you're the victim of organised criminals - you're not alone and confidential support is available.
If intimate photos or videos of you are posted online against your will, report it to Dorset Police online here or by calling 101.
Dorset Police will take your case seriously and will deal with it in confidence. You have been the victim of a sophisticated crime and will not be judged for being in this situation. Even if you don’t want to pursue a prosecution, please still report sextortion as we need information about the criminals to stop them.
Find out more about sextortion here.
Protect your identity and personal information:
- Choose a username that doesn’t let everyone know who you are, don't include your surname.
- Don’t include identifying information such as your place of work either in your profile or when you first make contact.
- Keep contact details such as your email address, home address, or phone number private.
- Stop communicating with anyone who attempts to pressure you into providing your personal or financial information or who seems to be trying to trick you into providing it. If this happens, contact the dating provider immediately to not only protect yourself but other users too.
Always report unacceptable or suspicious behaviour.
Play it safe when you meet face-to-face
- Plan it. Say it. Do it.
It’s your date. Agree on what you both want from it before you meet up. Don’t feel pressured to meet before you’re ready or for any longer than you’re comfortable with – a short first date is fine.
- Meet in public. Stay in public.
The safest plan is to meet somewhere public and stay somewhere public. Make your own way there and back and don’t feel pressured to go home with your date. If you feel ready to move to a private environment, make sure your expectations match your date’s.
- Get to know the person, not the profile.
The way people interact online isn’t always the same face-to-face. Don’t be offended if your date is more guarded when meeting in person, or if things don’t progress as fast face-to-face.
- Not going well? Make your excuses and leave.
Don’t feel bad about cutting a date short if you’re not keen. You don’t owe the other person anything, no matter how long you’ve been chatting or what’s been suggested.
- If you’re raped or sexually assaulted on your date, help is available.
No matter what the circumstances, sexual activity against your will is a crime. Police and charities are here to help and support you. Visit: dorset.police.uk/rape-sexual-assault for more information.
Information about stalking and harassment is available here.
A particularly prevalent issue of late, eBay and Gumtree fraud can prove very costly.
Fraudsters will post an item for sale on a major online marketplace, such as eBay or Gumtree, usually at a slightly reduced price. Once they have attracted a buyer, they go through the motions and then state that, for some reason, they cannot accept payment via PayPal.
The fraudster will try to convince the buyer to use an alternative money transfer service to make the payment. Once this is complete, the item is never sent. In the majority of cases, the item actually never existed in the first place.
As the transaction was carried out away from PayPal, there is no recourse for the buyer and they are unable to reclaim their money.
When buying online, there are a few things to bear in mind:
- Using PayPal, or a credit card, offers additional protection for online purchases. If it turns out to be a scam, PayPal often make efforts to remediate, as do most credit card providers.
- Check the seller's ratings - it may be safer to buy from reputable sellers, and those with an established history and reputation.
Engineer fraud reports are a common occurrence in Dorset. Scammers will target victims, usually by telephone, and advise them that something is wrong with their account, or their computer.
This scam typically involves the fraudster claiming to be from Microsoft, BT, Talk Talk or some other tech / utility firm. The caller advises there is something amiss with the victim's computer. They then go on to offer to resolve the problem. The caller encourages their victim to install a remote desktop application (something which allows them to take control of the computer), at which point they take action.
This action can be anything from pretending to fix something, and asking for payment, or installing malware on the computer. Remember - companies like Microsoft, BT, Talk Talk or any other tech firm will not cold call you to offer support. If you receive such a call, hang up. NEVER let somebody remotely control your computer.
There have been instances where police forces have been impersonated in cases like this. The South West Regional Cyber Crime Unit have been impersonated in a scam in which the fraudster claims to be from the SWRCCU, threatening to disconnect the victim's internet connection.
Should you receive such a call, hang up. No police force will cold call you for this sort of matter, and if you do receive a call from a police officer or staff member, they will always offer you a way to verify their identity (generally by calling 101).
Be careful what you share on social media. Oversharing on Facebook, Twitter, Instagram etc may seem relatively harmless, but the information people give away about themselves can be abused by cyber-criminals.
Your name, age, date of birth, likes, dislikes, employment history, education history, pets' names, holiday destinations and a whole host more are readily available, if you don't secure your account properly. This information can all be appropriated by cyber-criminals to impersonate you, and can even be used to help guess your login credentials. This video from Cifas demonstrates just how easily this can be done.
Internet connected devices are now a part of our daily lives. Smartphones, smart watches, smart fridges, toasters and toilets. Seriously… smart toilets…
The ways in which IoT devices can improve our lives are many and varied. For example, you can turn your lights off, turn your heating up, see who’s at your front door or check the contents of your fridge, all from your smartphone or tablet.
The problem with all this convenience is that it can come at a cost. With increasing regularity, we see failings in IoT devices where functionality and features take priority over basic security. IoT devices are just as vulnerable to attack as the average PC or laptop. As such, it is important that we make smart choices with our smart tech.
- Is it secure?
- What information is it sending? And who is it sending it to?
- Can you download security updates if something goes wrong?
- Is there a default password and username? If so, can it be changed?
These are just a few of the considerations we need to take into account when we bring a connected device into our homes and offices. Luckily, there are some simple steps we can take to ensure we are using them safely. Click here to see the advice from the National Cyber Security Centre.
Safe web surfing:
- Check that a website's address is genuine by looking for misspellings, or a completely different name from what you would expect.
- Roll your mouse pointer over a link to reveal its real destination. Beware if this is different from what is displayed in the text.
- Check the address in the browser address bar to ensure it matches the address you typed.
- Do not enter personal information on a website that has no padlock in the browser or https:// at the beginning of the address.
- Promises online of high returns are often fraudulent.
- Be wary of websites which promote schemes that involve the recruitment of others, receiving money for other people or advance payments.
- Be wary of websites that are advertised in unsolicited emails from strangers.
- Some cookies can be used by criminals to build a profile of you with a view to fraud;
- Use an anti-spyware program that scans for so called tracker cookies
- UK websites must gain your permission to enable cookies.
- Secure and encrypt wireless networks when using WiFi (Wireless Internet access).
- Use reputable companies when shopping online.
- Use secure payment methods, such as PayPal or credit cards for online purchases.
- Do not enter personal information on a website that has no padlock in the browser or https:// at the beginning of the address
- Be aware of scams: criminal gangs operate ‘scams’ and use the internet as one of the methods to defraud people and business, i.e. asking for money to pay for travel, finance a sick relative, or winning the lottery;
- They may try passing off as your bank and ask for your banking details
- They may also pretend to be Microsoft or your internet provider stating your computer has been corrupted and they want you to click on a link or download some software.
Remember: If it’s too good to be true – then it probably is!
If you think your local community would benefit from a cyber-crime prevention input please contact Dorset Police's Cyber-Crime Prevention Officer by emailing firstname.lastname@example.org.
Cyber bullying includes bullying via text message, instant messenger services, social network sites and email, as well as via images or videos posted on the internet or spread by mobile phone.
Cyber security has never been more important.
Small and medium enterprises, SMEs, face particular difficulty in balancing their cybercrime prevention activities with the resources they have available.
If you think your business would benefit from a cyber-crime prevention input please contact Dorset Police's Cyber-Crime Prevention Officer, by emailing email@example.com
Download your free copy of the South West Regional Cyber Crime Unit's Little Book of Cyber Scams here.
For information on what small businesses need to know about cyber security - download the Small Business Cyber Security Information Booklet (943kb PDF).
The prevention of cyber-crime is a key priority for Dorset Police and the Dorset Police Cyber Crime Unit is focused on ensuring a response to all forms of cyber-crime impacting on our communities.
The objective of the Cyber-Crime Unit is to ensure that investigations carried out by Dorset Police into such offences, are supported with specialist knowledge by appropriately skilled officers, as this type of criminality is often complex in nature and methodology.
We want to ensure that victims of such offences receive a high level of service and appropriate crime prevention advice to lessen the impact of the crime and reduce the likelihood of them being victims again in the future.
The unit works in conjunction with regional and national units to ensure that they remain skilled and equipped to face the challenge of fighting crime in Cyberspace.
Small business? No training budget?
Good news! The NCSC have created a free Cyber Security training package!
Staff can complete the training online, or it can be downloaded and added to your existing training program.
Check it out here.