CyberScotland Bulletin

NCSC Threat Report

The NCSC produces weekly threat reports drawn from recent open source reporting. View this week’s report here.

The NCSC’s Suspicious Email Reporting Service

The Suspicious Email Reporting Tool (SERS) was launched by the NCSC in 2020 to allow members of the public to report suspicious emails. The public have reported over 6 million suspect emails to the NCSC in this time. As of 31^st July 2021, the number of reports received stands at more than 6,900,000, with 105,000 individual URLs linked to 55,300 sites having been removed.

Please forward any suspicious emails to: report@phishing.gov.uk. Suspicious text messages should be forwarded free of charge to 7726.

NCSC have released guidance aimed at system owners on how to configure the Office 365 ‘Report Phishing’ add-in for Outlook, so that users can report suspicious emails to the NCSC’s Suspicious Email Reporting Service.

Importance of Software Updates

A security issue has been found that lets hackers access Apple devices through the iMessage service, installing spyware, even if you don’t click on a link or file. Apple have issued a security update in response to this and are encouraging all users to install the latest software update on their device as soon as possible. This is a highly sophisticated attack and the risk of being a target for the majority of users is low.

Microsoft have also released over 60 security fixes and updates resolving recent issues.

Companies fix any weaknesses by releasing updates. You should always make sure to install the latest software updates to protect your devices from vulnerabilities. Take some time to review your security settings on all your devices and make sure you’re protected against the latest threats.

• How to update the software on your iPhone, iPad or iPod touch
• Check and update your Android smartphone and tablets
• Securing your devices
• All sorts of electronic devices can hold personal or financial data so it’s important to make sure you secure these devices with strong passwords and update the software regularly. Check out the CyberAware tips for staying secure online.

Phone Fraud – Parcel Delivery Scams

According to consumer group Which?, phone fraud has increased by 83% between April 2020 and March 2021.

Phone fraud includes scams delivered by text message and can be increasingly convincing. Criminals will impersonate a well-known company or bank to trick you into revealing sensitive or financial information. There was a huge increase in the number of scam emails and texts relating to fake ‘missed parcel delivery’ texts, as more consumers turned to online shopping during the pandemic.

Scam text messages appeared claiming to be from Royal Mail or a delivery company saying that a parcel is awaiting delivery, but a small payment is required. Another similar text, asks you install a delivery tracking app, which is in fact malicious and contains spyware. If installed, it can steal your banking details, passwords, and other sensitive information. The app also accesses your contacts and sends them to the criminals, and sends additional text messages from your device to other people’s contacts, further spreading itself.

A student who operated a text message scam claiming to be from the Royal Mail and HMRC made £185,000 from the campaign. Police working with mobile phone providers and the banking industry were able to identify the student. He has been sentenced to 22 months in prison after pleading guilty to committing fraud.

Fake delivery scam texts are still circulating. NCSC has produced guidance on how to spot the most obvious signs of a scam and what to do if you’ve already responded. They also have advice specifically on scam sent via ‘missed parcel’ messages.

If you do get one of these texts you can help others by reporting suspected scam texts to your mobile network provider by forwarding texts free of charge to 7726. This will help them take action if needed, including blocking malicious numbers. Phishing emails can be forwarded to the NCSC’s reporting service: report@phishing.gov.uk

Prepare your response to a cyber attack – Incident Response Pack

Businesses and charities must be proactive in preparing themselves against cyber threats. CyberScotland have released a Cyber Incident Response Pack to provide practical advice on handling a cyber incident.

This resource is excellent for small organisations and charities who may not have in house incident response teams or do not have a response plan in place. These documents will help to start preparing their response to a cyber-attack in a structured and managed way.

The Incident Response Pack contains:

• Incident Response Guide Introduction
• Prepare Your Business Checklist: Use this checklist to help prepare for, respond and recover from cyber incidents.
• Emergency Contact List Template: Use this word document to capture business emergency contact details.
• Incident Response Communications: Core questions you need to address when planning and dealing with a crisis.
• Legal Implications of a Cyber Incident: Awareness of key commercial and legal implications of a cyber incident. Who do you need to report to and by when?

Safe Student

Students across Scotland will be returning back to universities and colleges, with many attending online sessions. It’s important for students to be aware of potential cyber risks and put in place some basic cyber security steps to help protect themselves and their data online.

HMRC is warning university students taking on part-time jobs to be wary of potential tax scams that may appear to come from the department. Fraudsters will try to trick you into sending money or reveal personal information. These may appear as scam texts, email or calls offering a ‘refund’ or demanding unpaid tax. HMRC will never email or text you about a tax rebate or grant, ask for personal information like bank details or threaten you over unpaid tax.

HMRC have information on how to recognise genuine HMRC contact and how to avoid and report scams on their website.

• Get Safe Online have produced this leaflet aimed at parents that includes online safety tips to help advise your child before they go to university or college.

Take Five Week – The Art of Saying No, 13^th – 17^th September

Criminals are experts at impersonating people, organisations and the police so it can be difficult to spot scam texts, emails and phone calls. However, there are things we can all do to protect ourselves. As Brits we aren’t renowned for being direct – new research from Take Five reveals 92% of Brits have said ‘yes’ because they don’t want to appear rude saying ‘no’. However, Take Five is warning that when it comes to fraudsters, being indirect could have serious financial and emotional consequences. If someone contacts you asking for your personal or financial information, it’s important to say ‘no’. It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.

This Take Five Week, we encourage you to perfect the art of saying ‘no’ by making sure you Stop, Challenge, Protect.

Trading Standards Scam Share

Other scams to be aware of are identified in the latest’s Trading Standards Scotland Scam Share newsletter. You can sign up for the weekly newsletter here.

Check out their #ScamShare Spotlight PDFs focusing on frequently reported email, phone, text and cyber scams in Scotland.

NCSC, Small Organisations Newsletter – Coffee Break Cyber

SME’s cover a huge range of businesses and make up to 99% of all businesses in the UK. Often SME’s do not have the budget of large organisations to spend on cyber security. This Newsletter aims to break down cyber related issues into bitesize learning which can be read in your coffee break. The NCSC want to provide you and your business with the advice and tools to minimise the risk of a cyber-attack. Each month will cover a different topic and will offer advice and links to further information. This month’s newsletter covers advice for avoiding banking malware and how to report scam websites directly to NCSC.

Sign up for the NCSC newsletter

Get Safe Online

This month’s Get Safe Online’s campaign ‘Auto Fraud’, looks at the risks associated with buying or selling a vehicle online. Their experts share some safety tips to consider before you buy or sell online.

Practical Cyber Resilience Skills: Tools for Staying Secure Online, 30^th September

Learn how to stay safe online at these short online free workshops. This session is delivered remotely and is available to all workers in Scotland. This is a great way to up your cyber security knowledge and confidence. You don’t need any technical knowledge or experience to take part.

The course will be run over two 2-hour sessions (4 hours in total). You’ll get a certificate to recognise your learning and earn a practical cyber security badge.

Find out more and register here.

Exercise in a Box ‘Supply Chain’, Scottish Business Resilience Centre, September

SBRC are encouraging organisations to sign up for one of their free ‘Exercise in a box’ online sessions.

A FREE, 90-minute non-technical workshop which will help organisations and charities find out how resilient they are to cyber attacks and practise their response in a safe environment. The September scenario goes over a mock ransomware infection, through a phishing email and how your organisation is prepared to respond. Find out more information on SBRC’s website.

• Exercise in a Box ‘Ransomware Sessions’ – Teams, 30th September

View all upcoming sessions here.

Helping you to protect your business from cyber fraud, Bank of Scotland Academy, 22^nd September

Fraud and cyber attacks are an increasing threat. It’s essential that you and your business are aware of current scams so that you can take steps to avoid becoming a victim.

Hear from fraud experts sharing the latest threats faced by today’s businesses and gain an understanding of frauds committed by business email compromise, phishing and cyber enabled fraud. You will also receive guidance on what you can do to keep your business safe.

Register of this webinar here.

Royal Bank of Scotland Fraud Awareness Webinars

The Royal Bank of Scotland (RBS) are running another series of their excellent Fraud Awareness webinars.

Tackling topical subjects like bankline security, cyber response and recovery, as well as general fraud awareness, these free events are a great opportunity to hear from the RBS fraud experts.

• Bankline security webinar with the National Cyber Security Centre, 22^nd September
• Fraud awareness webinar, 22^nd September
• Fraud awareness webinar, 30th September

Open to non-RBS customers with a range of dates available.

Cyber Security Awareness Videos

CyberScotland Partner Scottish Business Resilience Centre have released a selection of cyber security awareness videos. These short videos offer up simple and easily digestible information on some of the most common terms and issues arising in the cyber world. Check out the 10 explainer videos for some tips to help you stay secure online.

Each issue, we aim to bring you real-life examples of scams, phishing emails and redacted case studies. If you have had an issue and would like to share your experience and what you have learned with others, please contact us to discuss:  CyberFeedback@gov.scot We are happy to anonymise case studies.

The Chartered Trading Standards Institute (CTSI) has been informed of a newly emerging scam on WhatsApp, where scammers attempt to impersonate family members to steal money.

A member of the public named Alison received a message on the popular messaging platform WhatsApp: “Hi mum, I’ve dropped my phone down the loo (sad emoji) this is my new number.”

Alison replied to the message and asked if it was her son, Will, to which the scammer replied in the affirmative. The very next day, Alison’s ‘son’ messaged her asking for £2,600 and explained that he had got mixed up with loan sharks and needed to pay up. Alison didn’t doubt the message for a moment.

Alison tried to call her ‘son’ back, but the person on the other end kept saying they couldn’t take the call and continually put pressure on her to make the payment quickly. This worried Alison, who agreed to make the payment. The person gave the bank details of the alleged loan shark to pay.

Fortunately for Alison, she forgot to click the final payment confirmation and, after some time, the scammer messaged asking for a picture to prove the payment had been made. This caused a wave of scepticism in Alison’s mind. She managed to get in touch with her son, who confirmed that he had not messaged her to for money.

When receiving a message out of the blue like this, always be suspicious, especially if money is involved.  Fraudsters are skilled at influencing quick action, so always take steps to verify the identity of anyone asking you send money or provide financial details.

You can report suspicious texts by forwarding them to 7726 – a free service by Ofcom which enables authorities to analyse messages.

• Report all scams to Advice Direct Scotland on 0808 164 6000or via their website. 
• If you fall victim to fraud, you can call Police Scotland on 101.

The CyberScotland Technical Intelligence Bulletin is designed to provide information about emerging or escalating cyber threats and is created in conjunction with SBRC’s Cyber Incident Response team. You can sign up receive the technical bulletin.

Read the latest bulletin here

• Cyber Security Information Sharing Partnership
• NCSC launches early warning notification service