CyberScotland Bulletin

Bring Your Own Device Guidance

NCSC have recently have updated their Bring Your Own Device (BYOD) guidance.

At the start of the pandemic, many organisations allowed for employees to use their personally owned devices to access work information as an initial response to home working. NCSC are encouraging organisations to revisit their BOYD policy and undo some of those quick-fixes and start afresh.

The updated guidance provides an overview of the technical controls that are available for the different types of BYOD deployment, and describes the key issues that you will need to consider in balancing usability and risks that come with BYOD.

The NCSC’s Suspicious Email Reporting Service

The Suspicious Email Reporting Tool (SERS) was launched by the NCSC in 2020 to allow members of the public to report suspicious emails. The public have reported over 6 million suspect emails to the NCSC in this time. As of 31^st October 2021, the number of reports received stands at more than 8,100,000, with 124,000 individual URLs linked to 67,000 sites having been removed.

• Please forward any suspicious emails to: report@phishing.gov.uk.
• Suspicious text messages should be forwarded free of charge to 7726.
• If you have come across a website that you think is fake or trying to scam you, you can report it to the NCSC by filling out the online form.

Shopping Securely Online

Shopping online is easy and convenient, but it’s important to stay vigilant about your online security. Over the next number of weeks, many people will be shopping online and taking advantage of some great promotions and discount deals on offer from retailers.

Watch out for suspicious email, calls and text messages. Some of the emails, posts on social media accounts or texts you receive, about amazing offers may contain links to fake websites, designed to steal your money and personal details. Instead, you can type in the website address directly in to your browser, or look this up on a search engine and follow the results.

Read our blog for more tips to help you shop securely online.

• If you’ve been a victim of fraud, scams or cyber crime you can report this to Police Scotland by calling 101 and contact your bank to seek advice.
• Vistalworks online tool allows you to check for fakes and illicit good online. This technology is currently restricted to a range of products on sale on eBay and Amazon. Simply paste in an eBay or Amazon listing URL here and they’ll give you an indication of whether the product appears to be legitimate or not.

Payment Diversion Fraud

We’re all familiar with fraudulent emails in our inboxes that seem to offer far-fetching promises like winning the lottery or a brand new car. These attempted scams are often straightforward enough to see through.

However, other frauds are well crafted and involve criminals deliberately targeting a specific individual. Payment Diversion Fraud, also known as Business Email Compromise or Mandate Fraud, involves criminals impersonating others, creating invoices and diverting payments to bank accounts under their control. This can target both businesses and individuals. However, due to the targeted nature of this fraud type, small and medium sized businesses, which often have less comprehensive IT security, are particularly vulnerable. In addition, individuals that are purchasing houses and are involved in large financial transactions are also at risk. Read our case study below for more details on conveyancing fraud.

If you have any doubt, do not transfer the money and double check the payment request with the recipient using details from another source (such as text message, a phone call or in-person).

We have more information about dealing with targeted phishing emails. If you been a victim of fraud, contact Police Scotland by calling 101.

Free Vouchers and Gift Card Scams

Criminals are impersonating some of the UK’s most well-known brands in emails and texts, including supermarkets, Primark, Amazon and food outlet Toby Carvery.

The emails suggest that you have won free items, vouchers or food as ‘gestures of good will’ on the run up to Christmas. Fake marketing surveys posing as supermarket brands such as ASDA, Morrisons, Tesco and Sainsbury are promising gift cards of up to £100 for completing them.

These messages contain common phishing tactics where they are designed to make you click on the link within the email. This will take you to a malicious website that could trick you into revealing your contact information and payment details.

Take a moment to think if the offer sounds too good to be true. Be wary of any texts or emails you receive, even if it appears to come from an organisation you know and trust. Don’t follow links in text messages or phone any numbers provided within the message. If you have any doubts, call them directly or visit the official website instead by typing their genuine web address into your browser.

Read our blog for more tips on spotting the tell-tale signs of a phishing attack.

Trading Standards Scotland – Misleading Energy Marketing #Green&Wise 15 Nov – 22 Nov 2021

Following the COP26 summit in November 2021, homeowners are likely to become more aware of steps they can take to make their homes more energy efficient. However, rogue traders and companies may also take the opportunity to scam consumers by mis-selling energy efficiency products and posting misleading adverts on social media. As such, the aim of this year’s ‘Consumer Awareness Campaign’ will be to raise awareness of how people can protect themselves from misleading energy efficiency and environmental claims, such as “green scams” and rogue traders.

Organisations can help support this campaign by downloading the social media toolkit. The following social media messaging has been developed for Scottish partners and points Scottish consumers towards the relevant sources of information on energy efficiency products and grants/funding.

You can find more information and advice on how to spot Energy Scams by visit Trading Standards Scotland website.

Other scams to be aware of are identified in the latest’s Trading Standards Scotland Scam Share newsletter. You can sign up for the weekly newsletter here. Check out their #ScamShare Spotlight PDFs focusing on frequently reported email, phone, text and cyber scams in Scotland.

CyberScotland Week  28^th February – 6^th March 2022

CyberScotland Week, Scotland’s annual week-long festival of events on cyber awareness, cyber careers, and innovation in cyber security is taking place from 28th February 2022 – 6th March 2022.

The week will bring together influencers, experts, educators and the next generation of talent for the third consecutive year to increase awareness of staying safe and secure online. There are many ways you can get involved in CyberScotland Week and you don’t need to be a cyber security expert to host an event. The CyberScotland Week team can match you up with a great speaker and help to promote your event. To find out more information visit CyberScotlandWeek.com

Join us for an opportunity to get to know the CyberScotland Partnership on 29th November (in person – Glasgow), as well as connecting with other organisations in the run up to CSW2022.  Book your space here. Get in touch via info@cyberscotlandweek.com

Internet Safety Day – 8^th February 2022

The theme for Safer Internet Day (SID) on 8th February 2022 is ‘All fun and games? Exploring relationships and respect online’. Celebrated annually in February in 170+ countries, #SaferInternetDay supports the safe, responsible and positive use of digital technology by young people.

The SID team are organising an online event on the 23^rd November to help you explore how your organisations can get involved in Scotland. You’ll hear from a variety of organisations about their plans for the day and what you can do too. Book your spot here.

NCSC, Small Organisations Newsletter – Coffee Break Cyber

• This SME Newsletter aims to break down cyber related issues into bitesize learning which can be read in your coffee break. The NCSC want to provide you and your business with the advice and tools to minimise the risk of a cyber-attack. Each month will cover a different topic and will offer advice and links to further information. Sign up for the NCSC newsletter

DCMS Cyber Security Newsletter

• DCMS have relaunched their Cyber Security Newsletter as a new monthly publication to help you keep up-to-date from all the latest news, projects, workshops and call for views from DCMS and across wider government. If you want to receive the newsletter at the beginning of each month please sign up here.

WATCH: Cybercrime: Ready, Resilient and Responsive

Scottish Environment Protection Agency, which was hit by a ransomware incident on Christmas Eve, led a public webinar. Cybercrime: Ready, Resilient and Responsive webinar which sought to communicate the ‘lessons learned’ to private, public and third sector organisations across Scotland. Watch it here.

(Video by Scottish Environment Protection Agency, feat, Police Scotland, Scottish Government, Scottish Business Resilience Centre and the National Cyber Resilience Advisory Board)

WATCH: Creating a cyber incident response plan for your business

At this webinar you’ll learn how to use the Cyber Incident Response Pack to plan the steps your business should take if you are involved in a cyber attack or data breach. Watch it here. 

(Video by Scottish Business Resilience Centre, feat. Police Scotland and CMS Scotland)

WATCH: Ransomware’s impact on charities

It may not pose the biggest cyber-risk to charities, but ransomware can have the biggest impact. Learn about how to prevent it.

(Video by Prevent Charity Fraud, feat. National Cyber Security Centre, Charity Digital and Mary Stevens Hospice.)

STOic TTX Facilitator Training Series

STOic TTX is a cybersecurity table-top exercise framework to exercise the strategic, tactical and operational teams in organisations for various types of cybersecurity incidents. Funded by Scottish Government, the framework trains facilitators and provides a framework to run table-top exercises quickly, easily and efficiently.

The series is a comprehensive course in being an effective tabletop exercise facilitator and provides tips for any tabletop exercise facilitator as well as training specifically for the STOic approach. Supporting documents are being reviewed and will be made available soon.

View the course here.

Practical Cyber Resilience Skills: Tools for Staying Secure Online, 15th & 29th November, 5pm – 7pm

Learn how to stay safe online at these short online free workshops. This session is delivered remotely and is available to all workers in Scotland. This is a great way to up your cyber security knowledge and confidence. You don’t need any technical knowledge or experience to take part.

The course will be run over two 2-hour sessions (4 hours in total). You’ll get a certificate to recognise your learning and earn a practical cyber security badge.

Find out more and register here.

Exercise in a Box, Scottish Business Resilience Centre, November

SBRC are encouraging organisations to sign up for one of their free ‘Exercise in a box’ online sessions.

A FREE, 90-minute non-technical workshop which will help organisations and charities find out how resilient they are to cyber attacks and practise their response in a safe environment. Find out more information on SBRC’s website.

• Exercise in a Box ‘Digital Supply Chain’ MS Teams, 24^th November
• Exercise in a Box ‘Ransomware’ MS Teams, 25^th November

Each issue, we aim to bring you real-life examples of scams, phishing emails and redacted case studies. If you have had an issue and would like to share your experience and what you have learned with others, please contact us to discuss:  CyberFeedback@gov.scot We are happy to anonymise case studies.

Conveyancing Fraud

Criminals are actively targeting property purchases, with the aim of tricking you into transferring them your house deposit and/or the balance of purchase monies to them.

A house-buyer was scammed into handing over £640,000 as part of a conveyancing fraud. Emails between the buyer and their solicitor had been intercepted by criminals. As a result, the criminals were able to collect all of the information relating to the house purchase.

The criminals then used a spoofed email account (made to look like that of the solicitor) to request payment. Payment details were provided on headed solicitors paper via the spoofed email, and the amount requested was exactly what the house-buyer had expected to pay. The victim was later advised by the genuine solicitor that these payments had not been requested. The majority of the money was never recovered, all-but wiping out the victim’s equity and savings, and leading to the collapse of their purchase. The fraud had a devastating life-long impact on the house-buyer and their personal finances.

Advice

Be extremely vigilant if there appears to be any change of payment details, and always double check by calling your lawyer before you transfer your money, as emails can be intercepted or diverted. You can test the account by sending a small sum to the account details provided and check that your lawyer has received this before transferring all of the money.

• Confirm you have the correct bank details from your law firm either in person or over the phone.
• Law firms rarely change their bank details. If you receive an email or telephone stating a change in details, question its authenticity.
• If you are making a payment to an account for the first time, transfer a small sum first and then check with the law firm using known contact details that the payment has been received.
• If you have any doubt about the transaction then do not transfer your money until you are satisfied it is correct.

If you suspect you have been a victim of conveyancing fraud you should seek advice from your bank and report this to Police Scotland on 101.

Technical Bulletin

The CyberScotland Technical Intelligence Bulletin is designed to provide information about emerging or escalating cyber threats and is created in conjunction with SBRC’s Cyber Incident Response team. You can sign up receive the technical bulletin.

Read the latest bulletin here

• Cyber Security Information Sharing Partnership
• NCSC launches early warning notification service