Scam Updates: July ’22
Apple launches Lockdown Mode to block spyware attacks on at-risk users
Apple has announced a new security feature to protect high-risk users from spyware cyber-attacks.
Lockdown Mode will be available in the autumn with the next operating system release across all of the company’s iPhones, iPads and Macs. It comes in response to the Pegasus spyware from NSO Group, which allowed operators to extract messages, photos and emails, record calls and secretly activate microphones and cameras.
Lockdown Mode will include the following protections:
- Messages: Most message attachment types other than images are blocked; some features, like link previews, are disabled
- Web browsing: Certain complex web technologies, like just-in-time JavaScript compilation, are disabled unless the user excludes a trusted site
- Calls: Incoming invitations, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request
- Wired connections with a computer or accessory are blocked when iPhone is locked
Disneyland investigating compromised Facebook and Instagram accounts
Disneyland officials are investigating an incident that occurred on Thursday morning (7th July) in which the Facebook and Instagram accounts of the theme park were hacked and used to send several offensive messages.
“Disneyland Resort’s Facebook and Instagram accounts were compromised early this morning,” a Disneyland spokesperson said. “We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation.”
A hacker calling themselves “David Do” posted several pictures of a person with expletive-laden messages attached. The attacker claimed to be a “super hacker” and used the n-word as well as the f-word repeatedly in the messages.
The posts were removed within a few hours after the account, which has about 8.4 million followers, was taken down briefly.
Quick-step to securing your data through 2-step Verification (2SV)
This week’s protect tip from the West Midlands Cyber-Crime Unit (WMCCU) is all about 2-Step Verification (2SV), as the unit is trying to raise awareness of how people can secure their accounts.
Turning on 2SV is one of the most effective ways to protect your online accounts from cyber criminals. Having 2SV turned on is an excellent way to secure your most important accounts, such as your banking, email or social media accounts. 2-step verification (2SV), which is also known as two-factor authentication (2FA) or multi-factor authentication (MFA), helps to keep cyber criminals out of your accounts, even if they know your passwords. The NCSC (National Cyber Security Centre) recommend you take time to set up 2-step verification on all your important accounts, even for ones that you’ve protected with strong passwords.
How does 2-step verification work?
2SV provides an additional layer of security that protects your accounts if an attacker knows your passwords. It is implemented using the following factors:
- Something you know (e.g. PIN, password)
- Something you have (e.g. token, authenticator)
- Something you are (e.g. biometric)
You should use a separate factor from the one you are already using. For example, if you already have a password (something you know), you now need either something you are or something you have.
Why should I take time to set up 2-Step Verification?
It’s easier than you think for someone to steal your password. Even if you’ve always looked after your passwords (and taken the time to create a strong one and avoided the worst passwords that millions of people still use), they can still be stolen through no fault of your own.
The most common way that passwords are stolen is when an organisation holding your details suffers a data breach. Criminals will use passwords stolen in the breach to try and access other accounts, a technique (known as ‘credential stuffing’) that works because many people use the same password for different accounts.
Criminals may also try and trick you into revealing your passwords by sending you links to scam websites asking you to log in, either by email, text message or direct messages/chat (a technique known as ‘phishing’).
Even if your passwords are hard to guess, that doesn’t make them any harder to steal. In other words, even accounts protected with strong passwords will benefit from using 2-step verification.
How to turn on 2-Step verification
For more information on 2-Step Verification and how to implement it on platforms you use, please visit the NCSC website. Also check out the WMCCU YouTube video covering 2SV.
Android users at risk from new wallet-draining attacks
Owners of Android smartphones are at risk of a new type of billing fraud designed to trick them into paying for premium subscription packages, Microsoft has warned.
In an extensive blog post detailing how the entire scheme operates, Microsoft explained that toll fraud malware is “one of the most prevalent types” on Android and that it just keeps evolving. Toll fraud is also quite complex, compared to its close relatives, SMS fraud and call fraud.
Amazon Prime Day scams: What to look out for
As Amazon Prime Day approaches on the 12th and 13th of July, Check Point Research (CPR) has warned of the danger of scams around the event.
With Amazon among the top imitated brands, criminals are looking to use interest in Amazon Prime Day in order to create scams and lure in victims.
According to the cybersecurity group, it has already witnessed a 37% increase in daily Amazon-related phishing attacks in the first week of July compared to the daily average in June.
Scammers cash in on the energy crisis
The latest podcast from consumer champions Which? looks at how a 57% increase in energy bills since 2019 has led to scammers trying to exploit our desire to cut costs.
From pretending to offer energy bill refunds to providing fake government grants, we look at how you can spot and avoid them.
Community Safety Charter Launched To Tackle Crimes In Public Spaces
On 11th July 2022 Neighbourhood Watch launched their new Community Safety Charter, encouraging everyone from individuals, Neighbourhood Watch groups, businesses, and organisations to take an active stance against crimes in public spaces, such as harassment, hate crime, and antisocial behaviour.
The Charter tagline is #BETHECHANGE, focusing on the role of active bystanders in leading the change within their communities. The Charter supports greater understanding about how we recognise and deal with community safety issues and support victims by knowing where to get help, how and who to report to, enabling a more positive, proactive approach by the whole community when witnessing or experiencing confrontation, hostility, or harassment.
Do I need to make a pledge?
We are delighted to invite you to sign up to the Charter.
By signing up, individuals, businesses, organisations, and groups pledge to four actions:
- PROMOTE – promote a culture that does not tolerate harmful language, antisocial behaviour and hostility towards others
- ENABLE – enable others to identify and take an active stance to prevent harassment, antisocial behaviour and intimidation within their community
- REPORT – actively encourage and support others to report harassment, antisocial behaviour and intimidation and share intelligence about these crimes with the relevant authorities
- SUPPORT – support those affected by harassment, antisocial behaviour and intimidation and refer victims to the appropriate support agency
What will I receive when I sign up?
You will receive a printable poster, individual pledges to share on social media, and a comprehensive information pack on a specific topic or crime every two months which you can share with your staff/volunteers/colleagues/friends. The topics covered in the first year are:
- harassment
- hate crime
- antisocial behaviour
- being an active bystander
- dealing with confrontation
- leading the change in our communities
Where can I find out more?
- Attend the Community Safety Charter and ASB Webinar on the 21st July at 5pm. Book your online place here
- Watch an interactive presentation here
- Contact the Neighbourhood Watch Community Safety Charter Leads – Cheryl Spruce, Head of Membership and Engagement, or Jayne Pascoe, Head of Partnerships and Projects
How do I sign up?
Simply complete the online form on ourwatch.org.uk/charter. Once you have signed up, Neighbourhood Watch will contact you within 5 working days to share the first information pack and other resources.
Please share the details of the Charter with your networks and encourage them also to sign up and share it.
Beware of ‘ghost broking’
Our friends at consumer champions ‘Which?’ are warning the public to be on the lookout for ghost brokers offering fake insurance services.
In their latest investigation, ‘Which?’ found social media sites rife with ads for fake insurance. They seem professional, with reams of feedback from happy customers, so – as anyone would when getting any car insurance quote – you enter your details.
Moments later you’re offered a price that undercuts everything else by hundreds of pounds.
Unfortunately, in this case, you might not be dealing with a real broker. The scam is known as ‘ghost broking’ – and it’s estimated to have put tens of thousands of motorists unwittingly onto the roads with fraudulent cover.
Read more about the latest research and how to spot ghost brokers on social media.
NCSC urges organisations to prepare for the long haul on Russia-Ukraine
Cyber security experts have urged UK organisations to prepare for an extended period of heightened threat in relation to the Russia-Ukraine conflict as they published new guidance aimed at supporting staff resilience.
The guidance from the National Cyber Security Centre (NCSC) – a part of GCHQ – is the latest in a series of interventions which began in January with advice to help organisations bolster their cyber defences in response to the developing situation in and around Ukraine.
It sets out eight steps for sustaining a strengthened posture when systems, processes and the workforce remain under pressure, focusing on staff welfare as a direct contributor to maintaining an organisation’s resilience.
The NCSC assesses that the cyber threat to the UK as a result of the conflict remains heightened, and organisations are urged not to let their guard down and to consult the new guidance to prepare for longer-term resilience.
The guidance is designed to be applicable to any period of sustained heightened cyber threat, including the one arising from events in and around Ukraine. A recently published blog post sets out how the advice relates to the current geopolitical situation.
It advises that increased workloads for cyber security staff over an extended period can harm wellbeing and lead to lower productivity, with a potential rise in unsafe behaviours or errors.
The recommended actions in the guidance include:
- Getting the basics right by following our ‘actions to take when the cyber threat is heightened’ guidance.
- Revisiting risk-based decisions taken during the initial phase of heightened threat.
- Empowering cyber staff to make day-to-day decisions about the threat response without requiring additional oversight.
- Ensuring workloads are spread evenly across individuals and teams and that frontline cyber staff can take breaks to recharge.
- And accelerating planned action to harden networks and boost defence capabilities.
It also points to other NCSC guidance and resources to help organisations improve their longer-term resilience, including the 10 Steps to Cyber Security collection and Cyber Security Toolkit for Boards.