CyberScotland Bulletin

DCMS Top Ten Tech Priorities

In March, Department for Digital, Culture, Media and Sport (DCMS) released it’s top ‘10 Tech Priorities’ which lays out what they are focussing on in 2021 and beyond. One of the priorities is ‘Keeping the UK safe and secure online’.

Included within the priorities is the Online Harms legislation which looks at ways to improve internet safety and help to tackle issues like online bullying and harmful content. A draft bill which was called the Online Safety Bill was published last month. This draft bill includes measures to tackle a range of online harms and help safeguard young people. It also includes protection against fraud online including romance scams and fake investment opportunities posted by users on Facebook groups or sent via Snapchat. Ofcom will be appointed as the online harms regulator and be responsible for helping companies comply with the new laws by publishing codes of practice. Also included within the priorities, the Secure by Design work will help to make our networks more secure against cyber threats. You can read more about this work in last month’s bulletin.

ICO Data Sharing Code of Practice

Last month, the Government laid before Parliament a new data sharing code to make it clearer and easier for organisations to share data in a fair, safe and transparent way.

The Information Commissioner’s Office’s (ICO) Data Sharing Code of Practice, provides practical advice and sets out best practice to consider when sharing data. The ICO will take the Code into account when considering questions of fairness, lawfulness, transparency and accountability under the UK General Data Protection Regulation or the Data Protection Act 2018. Once approved by Parliament, this Code will become a required code of practice.

To supplement this Code, the ICO’s data sharing information hub provides clear guidance and practical tools for organisations and businesses on how to share data lawfully, while protecting people’s personal information.

NCSC Threat Report

The NCSC produces weekly threat reports drawn from recent open source reporting. View this week’s report here. The report highlights a further ransomware attack on the UK education sector.

The NCSC has published guidance for organisations looking to protect themselves from malware and ransomware attacks. They have released a blog to explain the basics of ransomware, and suggest relevant questions that board members might want to ask their technical experts to help drive greater cyber resilience against this type of attack.

The NCSC’s Suspicious Email Reporting Service

The Suspicious Email Reporting Tool was launched by the NCSC in 2020 to allow members of the public to report suspicious emails. The public have reported over 6 million suspect emails to the NCSC in this time. As of 31^th May 2021, the number of reports received stands at more than 6,100,000, with 90,000 individual URLs linked to 45,000 sites having been removed.

Please forward any suspicious emails to: report@phishing.gov.uk. Suspicious text messages should be forwarded free of charge to 7726.

HMRC Tax Credit Scam

HM Revenue and Customs (HMRC) has warned tax credit customers to be wary of scams pretending to be HMRC that arrive via email, phone call or text message. The message tricks the customer to share their personal details or even transfer money for an overpayment. The deadline for customers to renew their tax credits is the 31^st July 2021.

HMRC advice is to:

• Take a moment to think before parting with your money or information.
• Don’t give out private information or reply to text messages, and don’t download attachments or click on links in texts or emails you weren’t expecting.
• Do not trust caller ID on phones. Numbers can be spoofed.
• Help and information on tax credits can be found on the Government website

Customers can check GOV.UK for HMRC’s scams checklist to find out how to report tax scams. They also provide information on how to recognise genuine HMRC contact.

Protect your online streaming accounts

The NCSC has urged sport fans to take some basic steps, which form part of the NCSC Cyber Aware behaviours to keep their accounts secure. If you are planning to watch any events, whether on TV, via an app, online or on YouTube, it is important you to do securely. Cyber criminals can attempt to break into your account by guessing your password or using information that has been compromised in the past. This may lead to unauthorised payments and they could steal your data to target you with phishing emails and scam calls.

According to a report from a cyber security firm Webroot, almost 92% illegal football streaming websites contain some form of malicious content, from malware and phishing lures to social engineering scams. Make sure to only stream content using legitimate websites and platforms.

The NCSC advise to choose strong passwords made up of three random words to protect your devices. You can save these in a browser to save you having to remember them. Ensure you download the latest updates for apps on your device. This will help fix any weakness in your device and help keep you safe online.

Protect your organisation with Cyber Essentials certification

More than 250 Scottish businesses were surveyed as part of SBRC’s research. Findings showed that 38% of businesses do not feel prepared for a cyber attack.

Most cyber crime is not targeted and can be prevented by getting five critical controls in place. The Cyber Essentials scheme is set to help organisations protect themselves from the most common cyber attacks. This is a recognised certification that helps you strengthen your organisation’s cyber resilience by taking you though a self-assessment questionnaire. It will assess your organisation against five basic security controls. On completion you will receive a badge that can be displayed to let your customers and supply chain know that you have achieved a recognised standard and take cyber security seriously. This certification is valid for 12 months.

A new Cyber Essentials Readiness Tool, developed by IASME, is a great starting point for organisations who are unsure where to start their preparation for Cyber Essentials certification. This free tool asks organisations questions related to the main Cyber Essentials criteria. It provides tailored advice and outlines the steps you need to take to achieve Cyber Essentials accreditation. Staff from Police Scotland’s Cybercrime Harm Prevention team are trained in the implementation of Cyber Essentials and are contactable through the email address mailto:ppcwcybercrimeharmprevention@Scotland.pnn.police.uk

More information about Cyber Essentials is available on the CyberScotland website.

Census Scam Alert

The public have reported they are receiving false letters, text messages and emails that are claiming to be from census officials demanding £1000 in fake fines. The messages contain a link to a fake Census website and requests for your personal details. The census in Scotland is not until next year and a warning was issued about this in May.

If you receive one of these messages, forward the suspicious emails to: report@phishing.gov.uk Suspicious text messages should be forwarded free of charge to 7726. Delete the message and do not click on the links within the message.

WhatsApp Scam

Criminals are attempting to log in to WhatsApp accounts by sending victims a message asking for the six digit security code (or verification code) that would allow them to take over an account.

The criminals pose as a contact you have listed on WhatsApp, this could be a friend or family member, send you messages and around the same time will ask you to send them the text or email from WhatsApp with a verification code. This code is used when setting up a new account, or logging in to your existing account on a new device. They pretend to have accidentally got the code sent to you by mistake and will request you to send it to them urgently. Doing this will allow the criminal to take over your account and could be used to scam your other contacts.

You should never share your password or SMS security code with anybody, not even friends or family. Be wary of any unexpected messages asking you for money or codes. If in doubt, call your friend or family member to check. You can enable two step verification on your account for an extra layer of protection.

WhatsApp has a guide on its website to help people keep their accounts safe.

National UK Scams Awareness Campaign 2021

A national campaign for Scam Awareness Fortnight will be running from 14^th – 27^th June 2021. The campaign will be supported by partners in Scotland.

The 2021 campaign objective is about creating a network of confident #ScamAware consumers who are able to recognise a scam, report it to the appropriate agency and talk about their experiences to help raise public awareness of scams.

Get Safe Online

Get Safe Online’s campaign this month is looking at both the positive and negative aspects to gaming. Get Safe Online are providing advice on what the risks are to playing games online and how you can keep young people safe. Get Safe Online are hosting three one hour webinars, tailored for parents of children of different age groups.

Read the CyberScotland blog for more tips to keep your online gaming secure.

NCSC, Small Organisations Newsletter – Coffee Break Cyber

SME’s cover a huge range of businesses and make up 99% of all businesses in the UK. Often SME’s do not have the budget of large organisations to spend on cyber security. This Newsletter aims to break down cyber related issues into bitesize learning which can be read in your coffee break. The NCSC want to provide you and your business with the advice and tools to minimise the risk of a cyber-attack. Each month will cover a different topic and will offer advice and links to further information. This month’s newsletter cover the recently launch NCSC training package and introduces the new Cyber Essentials Readiness tool.

Sign up for the NCSC newsletter

Trading Standards Scam Share

Other scams to be aware of are identified in this week’s Trading Standards Scotland Scam Share newsletter. You can sign up for the weekly newsletter here.

NCSC Digital Loft, 17th June 12pm

The NCSC is the UK’s technical authority on cyber security.

This virtual event that will offer innovative guidance, discuss topical cyber issues and outline new tools. It will consist of two presentations which will be followed by Q&A, an opportunity for you to ask the experts about your topic of choice. Register here.

Exercise in a Box, Scottish Business Resilience Centre, June 24^th, 29^th, 30^th

SBRC are encouraging organisations to sign up for one of their free ‘Exercise in a box’ online sessions.

A FREE, 90-minute non-technical workshop which will help organisations and charities find out how resilient they are to cyber attacks and practise their response in a safe environment. The June scenario is ‘Phishing attack leading to a Ransomware infection’. Find out more information on SBRC’s website.

Book to join an upcoming session here. Workshops are available on Zoom and Microsoft Teams platforms.

• Exercise in a Box, ‘Ransomware’ MS Teams, 24^th June
• Exercise in a Box, ‘Ransomware’, Zoom, 29th June
• Exercise in a Box, ‘Ransomware’, MS Teams, 30^th June

Get Safe Online, Gaming 4 Good

Get Safe Online are hosting three free one-hour webinars where you can hear from experts in family gaming, psychology, gaming risk and finance.

• Thursday June 17, 10am – 11am: parents and guardians with children 2–12yrs
• Thursday June 24, 10am – 11am: parents and guardians with children aged 12–15yrs
• Wednesday June 30, 10am-11am: parents and guardians with children aged 15–18yrs

Find out more and register online

Each issue, we aim to bring you real-life examples of scams, phishing emails and redacted case studies. If you have had an issue and would like to share your experience and what you have learned with others, please contact us to discuss:  CyberFeedback@gov.scot We are happy to anonymise case studies.

Case Study – Investing in crypto currency

At the beginning of the year, ‘Greg’ thought he would watch the markets as we recovered from COVID 19.

Having looked over the internet for Bitcoin projects, he decided to invest in ‘Traderschool’. He made contact with the company and was given assurance that he would be covered by the banking ombudsman. The minimum investment was 250 euros. Reassured by what he heard, he decided to invest £229 with the aim of exploring cryptocurrency and seeing how this market performed. Greg’s investment grew very quickly, almost on a daily basis. He regularly received calls from Traderschool asking him to invest in more companies such as Tesla but he stuck with his initial investment.

When his account had more than doubled its initial investment, he decided it was the time to withdraw his balance. This withdrawal was denied.

After further investigation, Greg became aware that Traderschool had used ‘Anydesk’, a remote desktop application that allows you to connect to computers from anywhere in the world, to set up Greg’s account. Greg was becoming more suspicious and decided to change all his passwords.

Over the course of two month his investment soared to £2000. Unfortunately, Greg wasn’t able to access any of his investment and make any withdrawals. When he tried to log in all he got was ‘Access denied’.

Advice:

There are deceitful organisations out there focusing on crypto currency, which makes it difficult to know which ones to trust. If you plan to invest in crypto currency it is advised that you do some research on the company and proceed with caution. You should seek independent professional advice before making significant financial decisions. Even genuine investment schemes can be high risk.

Recent trends have seen online investment scams target a younger audience through the use of social media. Be wary of adverts online and on social media promising high returns on investments in cryptoasset or cryptoasset-related products. The Financial Conduct Authority has information about investment scams and how to avoid them.

• Use the Financial Service Register and Warning List to check who you are dealing with.
• Be wary of any unsolicited investment offers.
• Information from Police Scotland on the different types of fraud and advice on how you can avoid becoming a victim.

If you become a victim of fraud or cyber crime you can report it to Police Scotland on 101.

The CyberScotland Technical Intelligence Bulletin is designed to provide information about emerging or escalating cyber threats and is created in conjunction with SBRC’s Cyber Incident Response team. You can sign up receive the technical bulletin. Read the latest bulletin here

• Cyber Security Information Sharing Partnership
• NCSC launches early warning notification service