New cyber tricks
We’ve all (hopefully) heard of multifactor authentication, also known as two-step verification (2SV). But what about two-step phishing?
So-called two-step phishing (2SP) is gaining increasing prominence as attackers seek to use new methods to gain trust and break into IT systems, and according to some researchers is becoming a “cornerstone of modern cybercrime”.
In essence, the approach involves gaining control of a legitimate email account and sending emails that link to seemingly trustworthy sites (such as Dropbox, SharePoint or Google Forms), luring the victim into clicking the link and either entering login details or downloading a compromised file.
What makes these attacks increasingly clever is the choice of files used to compromise systems. Microsoft Visio files (VSDX) are commonly used by businesses to document processes, organisation charts and IT structures. However, security scanning software does not consistently scan this file type (unlike more commonly used types such as Word documents and .exe program files). In addition, criminals are advising users to ‘ctrl+click’ when downloading files or accessing links; in some instances, this bypasses the automated virus and malware scanning. Using these two tricks, in combination with 2SP to establish trust, is giving cyber criminals a much higher hit rate.
The solutions to mitigate the risks of these types of attacks are very simple – robust controls over email systems so they are less likely to be compromised, and 2SV for logging into any platforms. And, as always, educating users to be aware of the methods that cyber criminals are employing.
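As an added illustration of the email-side control above (this is not code from the original article or from any vendor named in it): a VSDX file is an Open Packaging Conventions zip of XML parts, the same container format as DOCX and XLSX, so a mail gateway that cannot rely on its antivirus engine to inspect Visio attachments can still unpack the file and surface every external link the diagram carries before a user clicks. The sample package, the allow-listed hosts and the set of namespace hosts it ignores are all constructed for the demonstration.

```python
"""Triage helper: list the external links carried inside a .vsdx attachment.

A .vsdx file is an Open Packaging Conventions (OPC) zip of XML parts, like
DOCX or XLSX. Unpacking it shows where the diagram points before anyone
opens it in Visio.
"""
import io
import re
import zipfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# OPC records links to other parts or to the outside world in *.rels files;
# a link that leaves the package carries TargetMode="External".
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Fallback: absolute http(s) literals anywhere in an XML part (e.g. shape text).
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
# Assumption: URIs on these hosts are XML namespace/schema identifiers rather
# than navigable links, so they are dropped from the report.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org"}


def extract_links(vsdx_bytes: bytes) -> dict:
    """Return {'external': [...], 'literals': [...]} found in the package."""
    if not zipfile.is_zipfile(io.BytesIO(vsdx_bytes)):
        raise ValueError("not an OPC (zip) package")
    external, literals = set(), set()
    with zipfile.ZipFile(io.BytesIO(vsdx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            data = zf.read(name)
            if name.endswith(".rels"):
                # Declared external relationships (hyperlinks, linked files, ...).
                for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Target"):
                        external.add(rel.get("Target"))
            # URL literals typed into shapes or hidden in attributes.
            for raw in URL_RE.findall(data):
                url = raw.decode("utf-8", "replace")
                if urlparse(url).hostname not in SCHEMA_HOSTS:
                    literals.add(url)
    return {"external": sorted(external), "literals": sorted(literals)}


def triage(vsdx_bytes: bytes, allowed_hosts: set) -> list:
    """Links whose host is not on the allow-list; an empty list means nothing to flag."""
    found = extract_links(vsdx_bytes)
    flagged = []
    for url in set(found["external"]) | set(found["literals"]):
        host = urlparse(url).hostname
        if host is None or host.lower() not in allowed_hosts:
            flagged.append(url)
    return sorted(flagged)


def build_sample_vsdx() -> bytes:
    """Constructed minimal package for the demo; not a real Visio export.

    It carries one declared external hyperlink (in a .rels part) and one URL
    typed into a shape's text, mirroring the two places a lure link can sit.
    """
    page_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://file-share.example.net/login" TargetMode="External"/>'
        '</Relationships>'
    )
    page_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<PageContents xmlns="http://schemas.microsoft.com/office/visio/2012/main">'
        '<Shapes><Shape ID="1" Type="Shape">'
        '<Text>See https://docs.example.org/proposal.pdf for details</Text>'
        '</Shape></Shapes></PageContents>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("visio/pages/_rels/page1.xml.rels", page_rels)
        zf.writestr("visio/pages/page1.xml", page_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_vsdx()
    print(extract_links(sample))
    # Only the corporate file-share host is trusted; everything else is flagged.
    print(triage(sample, {"file-share.example.net"}))
```

The allow-list approach deliberately flags any destination the organisation has not explicitly approved, rather than trying to recognise bad domains, because 2SP lures point at freshly created or legitimately hosted pages that no blocklist will contain; the same unpacking works unchanged for DOCX and XLSX attachments.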
Cyber criminals are never ones to miss a trick, and with Black Friday and the upcoming festive season, NCSC has issued a warning to be extra-vigilant for scams and ‘too good to be true’ offers. More than £11m was lost to online criminals in the festive period last year. Social media and online marketplaces are both frequently mentioned in reports to Action Fraud. Once again, 2SV is considered to play a key role in reducing the risk of falling victim.
Happy birthday, Cyber Essentials!
In the past month or so, NCSC has celebrated the 10th birthday of Cyber Essentials. Launched at Chartered Accountants’ Hall in 2014, this major milestone is seen as an opportunity to reflect on what Cyber Essentials has achieved in the UK, but also what more needs to be done. Nearly 190,000 businesses have completed Cyber Essentials and more than 30,000 certifications are now completed every year.
However, there are more than five million businesses in the UK. Recent analysis of the Cyber Essentials register, conducted by ICAEW, suggests that less than 2% of ICAEW member firms currently have an active Cyber Essentials or Cyber Essentials Plus certification.
It’s important to note that Cyber Essentials certificates expire. While completing the certification can be a useful one-time exercise, ongoing maintenance is key to effective security. ICAEW plans to work closely with NCSC and the Department for Science, Innovation and Technology (DSIT) to further raise awareness of Cyber Essentials within the accounting sector.
In other NCSC news, this month it shared details of some of the top vulnerabilities exploited last year, alongside its international partners. Most of these were what’s known as ‘zero-day’ vulnerabilities – weaknesses that have been publicised but vendors have not yet addressed with patches. These are very difficult to defend against, as criminals act quickly to exploit gaps. This highlights the need for organisations to have multiple layers of cyber defences, so that a single weakness does not leave them exposed. Once patches are released, there should be processes in place to implement them as quickly as possible.
NCSC has also recently released guidance for small businesses, tips for leaders in larger businesses and advice on how to communicate effectively during a cyber incident. It has also published guidance for those involved in online advertising.
Cyber and fraud risks in utilities
This month, a Guardian investigation suggested that the infrastructure at Thames Water was subject to regular cyber attacks, due in part to the age of some of the company’s systems. Alarming stories suggest that some parts of their IT systems cannot be turned off, for fear they might not turn on again.
While Thames Water disputes some of the points raised in the investigation, it cannot be disputed that a failure to invest in and build agility into the tech infrastructure significantly increases the risk of cyber incidents. The story coincides with a warning from the US that as many as 300 drinking water systems, serving around 110m people, have security vulnerabilities that could lead to severe water supply disruption should they be exploited.
AI granny fights scammers
It’s well known that scammers like to prey on older, more vulnerable customers, as they are seen as an easier target. So, O2 made Daisy – an artificial intelligence voice agent designed to mimic an elderly grandmother. Working with security and scam specialists, it has planted a range of telephone numbers on lists commonly used by scammers, all of which connect directly to Daisy.
By playing on common biases associated with older people, the AI agent holds the scammers on the phone for extended periods, leading them to believe they’ve got a chance to defraud someone, when actually they’re being led up the garden path by a robot. Meanwhile, fraud detection teams can gather valuable information about the scammers that can be used in the fight against cybercrime. While Daisy doesn’t directly prevent scammers from working, it does something that many would consider equally valuable – it wastes their time.
Stay cyber aware
Don’t forget, our extensive cyber resources and guidance can be found at www.icaew.com/cyber.
Got an interesting cyber story for us? Email techfac@icaew.com