Back in September I received an email claiming to be from the courier firm DPD and that an attempt to deliver a parcel was unsuccessful. In order to get the item redelivered I would need to reschedule the delivery and confirm the address details are correct. Unfortunately as there had already been three failed attempts there would be a small charge. The link provided also included the tracking code embedded into it for convenience.

But wait, switching from my phone to my laptop showed that it was coming from a Hotmail address instead of a DPD email address and also that the payment was in euros, not pounds sterling. But more to the point, why is it that someone can register the web domain ‘tracking-128673.dpd-co-uk-servicedelivery-supportuser-info .com’ without raising alarm bells? I checked and saw that it was registered using namecheap.com so I reported it to them via their live chat feature and was told to submit a ticket to the Abuse Reports department via the Support option on their website and choosing the relevant abuse type. …

As part of the cyber security awareness training for many organisations, the IT department simulates phishing emails via a third party service to help educate their users and report on who is more likely to click on a phishing email. Some of these third party phishing services are even free like Gophish and Duo Security, and yet, I have a policy of not phishing my own staff. Let me explain why.

The reason is, that for the past 5 years I have been encouraging all my colleagues to forward suspicious emails they receive to the IT department or to contact IT if they are unsure about the validity of an email. This feeds into the quarterly cyber security group training sessions so that it is based on actual ‘real world’ phishing emails we have received and allows us to update and tweak the email filters as part of a continuous improvement cycle. Most of the phishing emails that make it past the email filters are via compromised business email accounts of our third party suppliers (or even clients) trying to get us to enter Microsoft Office 365 credentials for a bogus file sharing service, or download a malicious payload. …

For over 20 years we have been on a never-ending cycle of being told that the software we use has bugs or security issues and that it has been fixed in an update or patch. But those updates have had a tendency of breaking something else, and the whole cycle begins again. In the worst cases, a bad operating system update has left users completely in the lurch without a working computer and so people have become weary of updates, even to the point of refusing to install them. How many times have you restarted a computer only to realize that there were updates pending, and now you have no idea how long it will be before you can use it again to get on with some work? …

The GDPR legislation at 57,500 words long is not the easiest of things to get your head around if your business processes personal data (for which the majority do). But one of the smallest steps in GDPR compliance that so many forget to do, can land you a £400 or £600 fine, going up to £4350.

This small step is nothing more than to pay the annual £40 or £60 data protection fee, which is required by law to the data protection authority, which in the UK is the Information Commissioner’s Office or ICO. If you are lucky enough to warrant an annual fee of £2900 then it means you have more than 250 members staff and a turnover of over £36 million. If you receive a warning letter and ignore it, you could be fined. …

Everything we do online is based on trust, we trust our email providers, our cloud services, our search engines, software developers and online stores. We give them personal and financial information, ranging from our pet’s names and first school, to our credit cards and bank details. So, as a result, it is very easy for the criminals to abuse that trust, because the opportunities to do so seem endless. …

Targeted email attacks are an increasingly difficult problem to stop through technology alone, requiring both processes and people (via education) to effectively combat. Commonly called ‘spear phishing’ and for high profile targets ’whaling’ the core of the attack is via social engineering and elements of truth from our recent online activities.

So why are they so difficult to block? Firstly, many targeted phishing emails do not contain anything immediately malicious. Some will not have anything at all that gives the game away, building a rapport over time. Others rely on shortened hyperlinks and attachments that contain hyperlinks like an Adobe PDF file. These may reach out to fake login sites, fake banking sites or a whole host of scenarios that the criminals can think of. …

Cybersecurity training in many organisations is seen as chore, a tick box exercise that needs to be done when we get time, maybe next week. Or it is mandatory, regardless of the deadlines you face, but mostly irrelevant to your role or to risks the organisation faces. Yet, in today’s world of highly sophisticated data breaches, does all this training actually make a difference?

Firstly, cyber security training is a bit like studying history; every month that goes by adds another month to the pool of history to possibly learn. There is no end to the subject matter because it is constantly evolving. Secondly, when teaching any subject, if the students are not interested, then given the limited amount of time available, they are unlikely to learn anything or already know what you are teaching and resent having to go through the process. Lastly, the security technologies in place do most of the work, protecting users from 99.9% …

Over the past few years there has been a paradigm shift in the world of computer gaming, whether on a consoles, computers and mobile devices, where the focus is no longer on just selling you a game. Instead, the focus has shifted on you buying an in-game currency or virtual currency that allows you either unlock additional content or offers some advantage or cosmetic difference on how your game character(s) look within the game. As a result, this is raking in hundreds of millions for some game developers and the criminals have taken note.

Many of the games are technically free, and there are millions of players that do not buy in-game currency, but the downside is that progress within the game is extremely slow. So, the criminals offer as bait, free in-game currencies like Fortnite’s V-Bucks or Robux from the gaming platform Roblox, potentially worth hundreds of pounds. So, what do the criminals get out it? Many of the scams have a survey component, gleaning personal information that many would not normally give, followed by your username and password for the gaming account concerned. To top it off, you may be asked to share your friends email addresses with the promise of more in-game currency or to buy (via a credit card) reduced rate currency. …