Category: The Authorities

How Common Are Data Breaches

The Proportion of Businesses That Have Had Breaches in 2017

  Firm type            % experiencing a cyber security breach or attack in 2017
  Overall              24
  Micro firms          17
  Small firms          33
  Medium firms         51
  Large firms          65
  Admin / Real estate  39

Businesses that invest more in cyber security have more breaches than businesses that invest less. This may seem counterintuitive, but it is partly because businesses that realise they are more at risk, such as finance operations, invest more, whereas businesses with only a minimal online presence feel less at risk and invest less. Businesses that invest more in cyber security are also assumed to be better at identifying such breaches.

Types of Breaches/Attacks

Viruses, spyware or malware 68%
Other impersonating organisation in emails or online 32%
Denial of service attacks 15%
Hacking 13%
Money stolen electronically 13%
Breaches from personally owned devices 8%
Personal information stolen 8%
Breaches from externally hosted web services 8%
Unlicensed or stolen software downloaded 8%
Money stolen via fraud emails or websites 6%
Software damaged or stolen 5%
Breaches on social media 3%
Intellectual property theft 1%

You can see that attacks of various kinds are very common. All businesses must take steps to protect against data breaches and all common forms of cyber-attack.

Do you have an opinion on this matter? Please comment in the box below.

Fightback Ninja Signature

UK Cyber Security Centre One Year On

In November 2016 the National Cyber Security Centre (NCSC) was created as part of GCHQ and given a mandate to pursue the radical action required to better protect the UK’s interests in cyberspace.

A key strand in this new approach is the NCSC’s Active Cyber Defence (ACD) programme, which aspires to protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time. It is intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than the highly sophisticated and targeted attacks, which are dealt with in other ways.

One key intervention is the Takedown Service.

The Takedown Service

This service works by requesting that hosting providers remove malicious content that is pretending to be related to UK government and also certain types of malicious content hosted in the UK.

  • In 2017, we removed 18,067 unique phishing sites across 2,929 attack groups that pretended to be a UK government brand, wherever in the world they were hosted.
  • As a consequence, we have reduced the median availability of a UK government-related phishing site from 42 hours to 10 hours. That means that these sites are available for much less time to do harm to UK citizens. 65.8% of those are down in 24 hours, up from 39% before we started takedowns.
  • In 2017, we removed 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK, regardless of who it was pretending to be. As a consequence, we have reduced the median availability of a phishing site physically hosted in the UK from 26 hours to 3 hours, again giving them much less time to do harm. 76.8% of those were down in 24 hours, up from 47.3% before NCSC started takedowns.
  • In 2017, we worked with 1,719 compromised sites in the UK that were being used to host 5,111 attacks, intended to compromise the people that visited them. As a consequence, we have reduced the median availability of these compromises from 525 hours to 39 hours.
  • Over the year 2017, the month-by-month volume of each of these has fallen, suggesting that criminals are using the UK government brand less and hosting fewer of their malicious sites in UK infrastructure.
  • In 2017, we notified email providers about 3,243 Advance Fee Fraud attacks, pretending to be related to UK government.
  • In 2017, we stopped several thousand mail servers being used to impersonate government domains and sending malware to people, in the expectation that the government link makes them more realistic. We have also removed a number of deceptive domains that were registered with the sole intention of deceiving people.
  • While the volume of global phishing we can see has gone up significantly (nearly 50%) over the last 18 months, the share hosted in the UK has reduced from 5.5% to 2.9%.

That’s a great first year – keep up the good work.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.


Reporting Data Breaches to the Information Commissioner

Not all organisation data breaches get reported to the Information Commissioner’s Office (ICO).

ICO do recommend that any serious breach is reported to them, but it isn’t mandatory and ‘serious breaches’ are not defined. However, the following should assist data controllers in considering whether breaches should be reported:


  1. The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes emotional distress as well as both physical and financial damage.

Ways in which detriment can occur include:

  • exposure to identity theft through the release of non-public identifiers, eg passport number
  • information about the private aspects of a person’s life becoming known to others, eg financial circumstances

How much detriment is likely to occur depends on both the volume of personal data involved and the sensitivity of that data, in cases where there is significant actual or potential detriment as a result of the breach.

Where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly available, there is no need to report.

  2. The volume of personal data lost / released / corrupted: There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm.
  3. The sensitivity of the data lost / released / corrupted:

How to Report a Breach

Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and advise you on what to do next, or report in writing using the DPA security breach notification form, which should be sent to the email address casework@ico.org.uk or by post to the office address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

When a breach is reported, the nature and seriousness of the breach and the adequacy of any remedial action taken will be assessed and a course of action determined.

ICO may:

  • Record the breach and take no further action;
  • Investigate the circumstances of the breach and any remedial action, which could lead to further action;
  • Set a requirement on the data controller to undertake a course of action to prevent further breaches;
  • Start formal enforcement action, which could lead to a fine of up to £500,000.

For further information see https://ico.org.uk

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.


Why You Need Double Opt-In Marketing

With single opt-in, you let people sign up to your newsletter, subscription or similar simply by clicking once on a link, filling in a contact form, etc.

Double opt-in takes this a stage further: the person must either reply to an email confirming their registration or click on a link in a confirmation email.

Hence registration is a two-step process. This extra step means you will lose some people who would have registered with single opt-in alone, but double opt-in has advantages, and it becomes law in May 2018 with the European Directive General Data Protection Regulation (GDPR).

From May 2018, consent for processing personal data and any marketing communications must be freely given and unambiguous, i.e. no pre-ticked boxes, generic descriptions or over-complicated terms and conditions.

GDPR also states that companies must keep a record of how and when the customer gave such consent. The double opt-in method is considered the easiest way to comply.

If you are offering an incentive to get people to sign up to your subscription or newsletter, then many people are likely to sign up with fake email addresses, and spambots will try to sign up too. This means that many of the email addresses on your list will be bogus, so you will be wasting your time sending emails to them.

Double opt-in takes care of this: only people who give a working email address, and who are not put off by the confirmation step, end up on your list, so you have a better quality email list.

So double opt-in, as well as becoming a legal requirement, may actually help you.
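As an added example (not code from the Fightback Ninja post), here is the two-step flow in Python: step 1 records a pending sign-up and hands back a one-time token for the confirmation email, step 2 redeems it and writes the consent record (who, when, how, from where) that GDPR asks you to keep; an unconfirmed or spambot address never reaches the list. Storage is an in-memory dictionary, sending the email is left to the caller, and the 48-hour expiry is an assumption.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
TOKEN_TTL = timedelta(hours=48)  # assumption: unconfirmed sign-ups expire after this

class DoubleOptIn:
    """Two-step (double opt-in) sign-up that keeps a GDPR-style consent record.
    Step 1 stores the request as pending and returns a one-time token for the
    confirmation email; step 2 redeems it, and only then is the address added,
    with a record of who consented, when, how and from where."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))  # injectable
        self.pending = {}      # sha256(token) -> pending sign-up
        self.subscribers = {}  # email -> consent record

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot confirm other people's addresses.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_signup(self, email, source):
        """Step 1: record a pending sign-up; returns the raw token to email out."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self.pending[self._digest(token)] = {
            "email": email.strip().lower(),
            "requested_at": self._clock(),
            "source": source,  # which form or page the request came from
        }
        return token

    def confirm(self, token):
        """Step 2: redeem the emailed token. Returns the consent record or None."""
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or purged
        now = self._clock()
        if now - entry["requested_at"] > TOKEN_TTL:
            return None  # clicked too late: the address was never verified in time
        record = {
            "email": entry["email"],
            "requested_at": entry["requested_at"].isoformat(),
            "confirmed_at": now.isoformat(),
            "source": entry["source"],
            "method": "double opt-in (emailed confirmation link)",
        }
        self.subscribers[entry["email"]] = record
        return record

    def purge_expired(self):
        """Drop pending sign-ups that were never confirmed; returns how many."""
        now = self._clock()
        stale = [k for k, v in self.pending.items() if now - v["requested_at"] > TOKEN_TTL]
        for k in stale:
            del self.pending[k]
        return len(stale)

def demo():
    """Run the flow against a fixed clock on constructed addresses; returns each outcome."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    clock = {"now": t0}
    flow = DoubleOptIn(clock=lambda: clock["now"])
    genuine = flow.request_signup("Reader@Example.org", "blog sidebar form")
    bogus = flow.request_signup("nobody@fake.invalid", "blog sidebar form")  # never clicks
    first = flow.confirm(genuine)   # the real person clicks the link
    replay = flow.confirm(genuine)  # same link clicked again: rejected
    clock["now"] = t0 + timedelta(hours=49)
    purged = flow.purge_expired()   # the bogus address drops out of pending
    return {"first": first, "replay": replay, "late": flow.confirm(bogus),
            "purged": purged, "subscribers": sorted(flow.subscribers)}
```

The consent record is what you would show the ICO if asked how and when a subscriber agreed; the hashed token means a copy of the pending table alone is useless to anyone who obtains it.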

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.


Keurboom Communications Stopped

Keurboom Communications Ltd has been handed the highest ever fine of £400,000 for nuisance calling after more than 1,000 people complained about automated calls.

The calls, made over an 18-month period, included road traffic accident claims and PPI compensation. Some people received repeat calls, even on the same day and during unsociable hours. The company also hid its identity, making it harder for people to complain.

The law says that companies can only make automated marketing calls to people if they have given consent. Keurboom ignored this and called without consideration.

The government is working on a new law to allow prosecution of Directors and fine them up to £500,000. This is because some companies deliberately closed down to avoid the fines imposed on them.

Following the ICO’s investigation, Keurboom Communications Ltd has been placed in voluntary liquidation. The ICO says it is committed to recovering the fine by working with the liquidator and insolvency practitioners.

How to Block Nuisance Callers

  1. Register with the Telephone Preference Service (TPS); reputable companies will then no longer make sales and marketing calls to your number.
  2. Use your phone to block repeated unwanted callers and caller ID withheld numbers. Some phones allow you to do this and some services such as BT Call Protect enable this.
  3. Use the magic phone number when a website demands your number. (More information at https://fightback.ninja/a-magic-phone-number-and-call-blocking/)

If you have any experiences with scammers, spammers or time-wasters, do let me know by email.


HMRC Warn of Tax Threat Calls

Scammers target vulnerable and elderly in cold call tax voucher fraud, warns HM Revenue and Customs (HMRC).

HMRC say that scammers call the victims and impersonate an HMRC member of staff.

“They tell them that they owe large amounts of tax which they can only pay off through digital vouchers and gift cards, including those used for Apple’s iTunes Store”.

Victims are then told to go to a local shop, buy these vouchers and then read out the redemption code to the scammer who has kept them on the phone the whole time.

The conmen then sell on the codes or purchase high-value products, at the victim’s expense.

HMRC said the scammers frequently use intimidation to get what they want, threatening to seize the victim’s property or involve the police.

The scammers use vouchers because they are easy to sell on and hard to trace once used.

HMRC would never request the settling of debt through any such method.

The vast majority of the victims are aged over 65 and suffered an average financial loss of £1,150 each.

As these scammers often prey on vulnerable people, HMRC urge people with elderly relatives to warn them about this scam and remind them that they should never trust anyone who phones them out of the blue and demands they pay a tax bill.

If you suspect that you or a vulnerable or elderly relative has been the victim of this scam or a similar one, you should report it immediately to Action Fraud on 0300 123 2040.

Do share this post on social media – click on the post title then scroll down to the social media share buttons.


Western Union to Repay Scammed Money

The U.S. Department of Justice (DOJ) and the US Postal Inspection Service have been investigating Western Union, a wire transfer company.

Western Union is often used by fraudsters as payments through Western Union cannot generally be tracked.

Western Union has admitted to aiding and abetting wire fraud and failing to maintain an effective anti-money-laundering programme, and has agreed to pay $586 million. That money is now being used by the DOJ to give refunds to people who were tricked into using Western Union to pay scammers.

Victims of fraud who paid money to scammers via a Western Union wire transfer between 2004 and 2017 can apply for a refund.

This was thought to only apply to U.S. citizens but the US Department of Justice has recently confirmed that victims of fraud who live anywhere in the world – including the UK – can apply for a refund if they lost money transferred via Western Union between 1 January 2004 and 19 January 2017. There is a limited refund pot and there are thought to be 100,000s of victims, so they may not get all of their lost money back.

Fraudsters use a variety of methods to trick people into wiring them money – romance scams, friend in distress, fake online purchases etc.

The refund scheme covers any form of wire transfer fraud which involved making a payment via Western Union, so if you sent money to someone who wasn’t who they said they were, or you didn’t get what you were promised in return for a transfer you made, you can apply for a refund.

How To Apply For a Refund

You can apply online at www.westernunionremission.com/ or by post – the deadline is 12 February 2018.

To apply online, fill in the Western Union remission claim form. You’ll be asked for contact details, details of the payment you made to a fraudster, whether you’ve previously managed to recover some of your lost money and if so, how much. If you’ve already had some money back, you can only claim for the amount you haven’t recouped.

The form asks for a social security number – people not in the U.S.A. should state that they don't have one, as they are not U.S. citizens.

If you have receipts or other supporting documentation such as a police report, then upload copies of these to support your claim. You can still apply if you don’t have any documentation.

Make sure you apply through the official site and don't respond to emails from people claiming they can get your money back – these are almost certainly fraudsters. You do not have to pay anything to get your money back, and you will not be called and asked for your bank account or credit card number as part of the claims process.

The process may take a year or more because of the number of claims that will have to be dealt with. The Department of Justice has already identified 500,000 potential victims in the US and many more are expected to apply from overseas.

Do share this post on social media – click on the post title then scroll down to the social media share buttons.


Take Five Stop Fraud

https://takefive-stopfraud.org.uk

Financial Fraud Action UK is part of UK Finance and is responsible for leading the collective fight against financial fraud on behalf of the UK payments industry. The membership includes banks, credit, debit and charge card issuers, and card payment acquirers in the UK.

They provide a forum for members to work together on non-competitive issues relating to financial fraud. The primary function is to facilitate collaborative activity between industry participants and with other partners committed to fighting fraud.

Financial fraud losses in the UK totalled £768.8 million in 2016. FFA UK and Her Majesty’s Government believe that encouraging people to take a moment to stop and think can make a difference.

Many people may already know the dos and don’ts of financial fraud: that no-one should ever ask them for their PIN or full password, or ever make them feel pressured into moving money to a ‘safe account’. But it can be easy to forget this when in a hurry.

After all, trusting people on their word is something everyone tends to do instinctively. If someone says they’re from your bank or a trusted organisation, why wouldn’t you believe them?

Take Five is a national awareness campaign led by FFA UK backed by the Government and delivered with and through a range of partners in the UK payments industry, financial services firms, law enforcement agencies and others.

It urges you to stop and consider whether the situation is genuine – to stop and think if what you’re being told really makes sense.

What FFA UK does

  • Sponsor the Dedicated Card and Payments Crime Unit, an operational police unit, with a national remit.
  • Manage the Industry Strategic Threat Management Process, which provides an up-to-the-minute picture of the threat landscape.
  • Deliver UK-wide awareness campaigns to inform customers about threats and how to stay safe.
  • Manage intelligence-sharing through the industry fraud intelligence hub (Financial Fraud Bureau) and the Fraud Intelligence Sharing System (FISS) which feeds intelligence to police and other agencies in support of law enforcement activity.
  • Inform commentators and policy-makers through a press office and public affairs function.
  • Provide expert security assessments of new technology, as well as the impact of new legislation and regulation.
  • Publish the official fraud losses for the UK payments industry, as well as acting as the definitive source of industry fraud statistics and data.

All of this sounds useful in the fight against fraud.

Take care.

Do click on the Facebook or Twitter icons on top right to follow Fight Back Ninja.


Bank Transfer Scam Compensation

In 2016, Which? Consumer Magazine launched a Super Complaint to the Payment Systems Regulator. Which? is one of only a few organisations empowered by government to raise super complaints on behalf of the general public.

The super-complaint said: “We think banks need to do more to protect customers who are tricked into transferring money to a fraudster.”

Which? thinks banks should shoulder more responsibility for money lost to bank transfer scams. Customers who lose money due to scams via direct debit or credit and debit cards are reimbursed, for example, but not bank transfers. This would give banks an incentive to develop better mechanisms to prevent the fraud in the first place.

Which? says: “You only have to read the harrowing real life stories in our super-complaint to realise that these scams are often so sophisticated that it’s impossible for people to be savvy enough to completely protect themselves. And the people being scammed are not only the stereotypical vulnerable groups; they are often financially and technologically literate.”

Which? did some research by asking more than 1,000 members of the public if they could spot the difference between real and spoof emails and found that 50% of people were fooled by these sophisticated scam emails.

At last check, 359,823 people had signed the petition about this matter.

The Payment Systems Regulator has announced it is consulting on plans to reimburse victims of bank transfer scams. From 1 January 2018, people who’ve been victims of a bank transfer scam will only need to deal with their own bank when making a complaint – not the bank the fraudster was with. This means that banks will provide access to a dedicated team of staff trained to deal with scams.

However, the Regulator is also consulting on a reimbursement scheme for people who are tricked into transferring money to a fraudster when their bank failed to do enough to protect them. This is very good news.

The Regulator’s actions in response to the super-complaint will go a long way to tackling these scams. However, if banks are going to solve this problem and really protect their customers, they must also look at what other steps they can take to stop these scams from happening in the first place.

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.


Netsafe in New Zealand

https://www.netsafe.org.nz/

Netsafe is New Zealand’s independent, non-profit online safety organisation. It provides online safety help, support, expertise and education to people in New Zealand. But that information is useful to people of every country.

Netsafe was founded in 1998 to help New Zealand internet users stay safe online.

After noticing the growing influence of technology in their respective areas, the New Zealand Police, Ministry of Education and several not for profits teamed up with telecommunication organisations and IT industry partners to create an independent body focussed on online safety.

Together they created the Internet Safety Group which was rebranded Netsafe in 2008.

Netsafe was given the remit to build an internet safety organisation that didn’t scare people away from technology, but instead encouraged people to adopt it by promoting the tools and techniques they could use to minimise their online risks.

Today Netsafe is an internationally renowned organisation with an unrelenting focus on online safety practice.

As digital technology use grows and evolves at a rapid pace in society, it becomes more important for Netsafe to help people manage and reduce the risk of online harm, so that they feel more confident being online.

Netsafe’s remit is wider than just online security. They aim to cover Online Bullying & Harassment, Scams, Security, Parenting, Business, Educators and Young People.

There is a reporting tool for anyone wishing to report an online incident that happened to themselves or someone close to them.

There is a wealth of information about common online scams and those in New Zealand are pretty much the same as in other advanced countries. (Developing countries typically face different types of scams.)

There is a lot of security advice but also advice for parents and education workers and sections for young people.

This is a great service offered in New Zealand but also useful to everyone, wherever they live, as scams and other online problems exist the world over.

Do share this post on social media – click on the post title then scroll down to the social media share buttons.
