CyberScotland Bulletin

June 2021

The CyberScotland Bulletin is designed to provide you with information about the latest threats, scams, news and updates covering cyber security and cyber resilience topics. Due to the current circumstances we are continuing to circulate information about a much wider range of scams. We hope you continue to benefit from this resource and we ask that you circulate this information to your networks, adapting where you see fit. Please ensure you only take information from trusted sources.

If there are any cyber-related terms you do not understand, you can look them up in the NCSC Glossary.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

National Cyber Security Centre / UK Government

DCMS Top Ten Tech Priorities

In March, Department for Digital, Culture, Media and Sport (DCMS) released it’s top ‘10 Tech Priorities’ which lays out what they are focussing on in 2021 and beyond. One of the priorities is ‘Keeping the UK safe and secure online’.

Included within the priorities is the Online Harms legislation which looks at ways to improve internet safety and help to tackle issues like online bullying and harmful content. A draft bill which was called the Online Safety Bill was published last month. This draft bill includes measures to tackle a range of online harms and help safeguard young people. It also includes protection against fraud online including romance scams and fake investment opportunities posted by users on Facebook groups or sent via Snapchat. Ofcom will be appointed as the online harms regulator and be responsible for helping companies comply with the new laws by publishing codes of practice. Also included within the priorities, the Secure by Design work will help to make our networks more secure against cyber threats. You can read more about this work in last month’s bulletin.

DCMS UK
Image source: @DCMS

ICO Data Sharing Code of Practice

Last month, the Government laid before Parliament a new data sharing code to make it clearer and easier for organisations to share data in a fair, safe and transparent way.

The Information Commissioner’s Office’s (ICO) Data Sharing Code of Practice, provides practical advice and sets out best practice to consider when sharing data. The ICO will take the Code into account when considering questions of fairness, lawfulness, transparency and accountability under the UK General Data Protection Regulation or the Data Protection Act 2018. Once approved by Parliament, this Code will become a required code of practice.

To supplement this Code, the ICO’s data sharing information hub provides clear guidance and practical tools for organisations and businesses on how to share data lawfully, while protecting people’s personal information.

NCSC Threat Report

The NCSC produces weekly threat reports drawn from recent open source reporting. View this week’s report here. The report highlights a further ransomware attack on the UK education sector.

The NCSC has published guidance for organisations looking to protect themselves from malware and ransomware attacks. They have released a blog to explain the basics of ransomware, and suggest relevant questions that board members might want to ask their technical experts to help drive greater cyber resilience against this type of attack.

The NCSC’s Suspicious Email Reporting Service

The Suspicious Email Reporting Tool was launched by the NCSC in 2020 to allow members of the public to report suspicious emails. The public have reported over 6 million suspect emails to the NCSC in this time. As of 31th May 2021, the number of reports received stands at more than 6,100,000, with 90,000 individual URLs linked to 45,000 sites having been removed.

Please forward any suspicious emails to: [email protected]. Suspicious text messages should be forwarded free of charge to 7726.

Scottish Government

HMRC Tax Credit Scam

HM Revenue and Customs (HMRC) has warned tax credit customers to be wary of scams pretending to be HMRC that arrive via email, phone call or text message. The message tricks the customer to share their personal details or even transfer money for an overpayment. The deadline for customers to renew their tax credits is the 31st July 2021.

HMRC advice is to:

  • Take a moment to think before parting with your money or information.
  • Don’t give out private information or reply to text messages, and don’t download attachments or click on links in texts or emails you weren’t expecting.
  • Do not trust caller ID on phones. Numbers can be spoofed.
  • Help and information on tax credits can be found on the Government website

Customers can check GOV.UK for HMRC’s scams checklist to find out how to report tax scams. They also provide information on how to recognise genuine HMRC contact.

 

HMRC scam3
Example of HMRC scam email

You can forward suspicious emails claiming to be from HMRC’s phishing team on [email protected] and texts to 60599 (texts will be charged at your network rate). You can report suspicious HMRC phone calls via the online form.

Trending Topics

Protect your online streaming accounts

The NCSC has urged sport fans to take some basic steps, which form part of the NCSC Cyber Aware behaviours to keep their accounts secure. If you are planning to watch any events, whether on TV, via an app, online or on YouTube, it is important you to do securely. Cyber criminals can attempt to break into your account by guessing your password or using information that has been compromised in the past. This may lead to unauthorised payments and they could steal your data to target you with phishing emails and scam calls.

According to a report from a cyber security firm Webroot, almost 92% illegal football streaming websites contain some form of malicious content, from malware and phishing lures to social engineering scams. Make sure to only stream content using legitimate websites and platforms.

The NCSC advise to choose strong passwords made up of three random words to protect your devices. You can save these in a browser to save you having to remember them. Ensure you download the latest updates for apps on your device. This will help fix any weakness in your device and help keep you safe online.

wesley-tingey-dKCKiC0BQtU-unsplash (1)
Photo by Wesley Tingey on Unsplash

Protect your organisation with Cyber Essentials certification

More than 250 Scottish businesses were surveyed as part of SBRC’s research. Findings showed that 38% of businesses do not feel prepared for a cyber attack.

Most cyber crime is not targeted and can be prevented by getting five critical controls in place. The Cyber Essentials scheme is set to help organisations protect themselves from the most common cyber attacks. This is a recognised certification that helps you strengthen your organisation’s cyber resilience by taking you though a self-assessment questionnaire. It will assess your organisation against five basic security controls. On completion you will receive a badge that can be displayed to let your customers and supply chain know that you have achieved a recognised standard and take cyber security seriously. This certification is valid for 12 months.

A new Cyber Essentials Readiness Tool, developed by IASME, is a great starting point for organisations who are unsure where to start their preparation for Cyber Essentials certification. This free tool asks organisations questions related to the main Cyber Essentials criteria. It provides tailored advice and outlines the steps you need to take to achieve Cyber Essentials accreditation. Staff from Police Scotland’s Cybercrime Harm Prevention team are trained in the implementation of Cyber Essentials and are contactable through the email address mailto:[email protected]

More information about Cyber Essentials is available on the CyberScotland website.

Census Scam Alert

The public have reported they are receiving false letters, text messages and emails that are claiming to be from census officials demanding £1000 in fake fines. The messages contain a link to a fake Census website and requests for your personal details. The census in Scotland is not until next year and a warning was issued about this in May.

If you receive one of these messages, forward the suspicious emails to: [email protected] Suspicious text messages should be forwarded free of charge to 7726. Delete the message and do not click on the links within the message.

Census Scam 2021
Examples of scam message

WhatsApp Scam

Criminals are attempting to log in to WhatsApp accounts by sending victims a message asking for the six digit security code (or verification code) that would allow them to take over an account.

The criminals pose as a contact you have listed on WhatsApp, this could be a friend or family member, send you messages and around the same time will ask you to send them the text or email from WhatsApp with a verification code. This code is used when setting up a new account, or logging in to your existing account on a new device. They pretend to have accidentally got the code sent to you by mistake and will request you to send it to them urgently. Doing this will allow the criminal to take over your account and could be used to scam your other contacts.

You should never share your password or SMS security code with anybody, not even friends or family. Be wary of any unexpected messages asking you for money or codes. If in doubt, call your friend or family member to check. You can enable two step verification on your account for an extra layer of protection.

WhatsApp has a guide on its website to help people keep their accounts safe.

WhatsApp Scam
Example scam message

News / Campaigns

National UK Scams Awareness Campaign 2021

A national campaign for Scam Awareness Fortnight will be running from 14th – 27th June 2021. The campaign will be supported by partners in Scotland.

The 2021 campaign objective is about creating a network of confident #ScamAware consumers who are able to recognise a scam, report it to the appropriate agency and talk about their experiences to help raise public awareness of scams.

For partners taking a supportive role, where possible, please use the signposting information below for  campaign material as this will help to ensure Scottish consumers are directed to the most appropriate sources of information, advice and/or scams reporting helplines.

  • If you feel threatened or unsafe, contact Police Scotland on 101 or 999 in an emergency.
  • Report scams to Advice Direct Scotland on 0808 164 6000. https://consumeradvce.scot/
  • Suspicious email? Forward it to the National Cyber Security Centre – Suspicious Email Reporting Service (SERS) [email protected]

Get Safe Online

Get Safe Online’s campaign this month is looking at both the positive and negative aspects to gaming. Get Safe Online are providing advice on what the risks are to playing games online and how you can keep young people safe. Get Safe Online are hosting three one hour webinars, tailored for parents of children of different age groups.

Read the CyberScotland blog for more tips to keep your online gaming secure.

GSO Gaming

NCSC, Small Organisations Newsletter – Coffee Break Cyber

SME’s cover a huge range of businesses and make up 99% of all businesses in the UK. Often SME’s do not have the budget of large organisations to spend on cyber security. This Newsletter aims to break down cyber related issues into bitesize learning which can be read in your coffee break. The NCSC want to provide you and your business with the advice and tools to minimise the risk of a cyber-attack. Each month will cover a different topic and will offer advice and links to further information. This month’s newsletter cover the recently launch NCSC training package and introduces the new Cyber Essentials Readiness tool.

Sign up for the NCSC newsletter

Trading Standards Scam Share

Other scams to be aware of are identified in this week’s Trading Standards Scotland Scam Share newsletter. You can sign up for the weekly newsletter here.

 

Neighbourhood Watch Scotland

Sign up to the Neighbourhood Watch Alert system to receive timely alerts about local crime prevention and safety issues from partners such as Police Scotland.

Training and Webinars

NCSC Digital Loft, 17th June 12pm

The NCSC is the UK’s technical authority on cyber security.

This virtual event that will offer innovative guidance, discuss topical cyber issues and outline new tools. It will consist of two presentations which will be followed by Q&A, an opportunity for you to ask the experts about your topic of choice. Register here.

Exercise in a Box, Scottish Business Resilience Centre, June 24th, 29th, 30th

SBRC are encouraging organisations to sign up for one of their free ‘Exercise in a box’ online sessions.

A FREE, 90-minute non-technical workshop which will help organisations and charities find out how resilient they are to cyber attacks and practise their response in a safe environment. The June scenario is ‘Phishing attack leading to a Ransomware infection’. Find out more information on SBRC’s website.

Book to join an upcoming session here. Workshops are available on Zoom and Microsoft Teams platforms.

excersie in a box

Get Safe Online, Gaming 4 Good

Get Safe Online are hosting three free one-hour webinars where you can hear from experts in family gaming, psychology, gaming risk and finance.

  • Thursday June 17, 10am – 11am: parents and guardians with children 2–12yrs
  • Thursday June 24, 10am – 11am: parents and guardians with children aged 12–15yrs
  • Wednesday June 30, 10am-11am: parents and guardians with children aged 15–18yrs

Find out more and register online

Case Study

Each issue, we aim to bring you real-life examples of scams, phishing emails and redacted case studies. If you have had an issue and would like to share your experience and what you have learned with others, please contact us to discuss:  [email protected] We are happy to anonymise case studies.

Case Study – Investing in crypto currency

At the beginning of the year, ‘Greg’ thought he would watch the markets as we recovered from COVID 19.

Having looked over the internet for Bitcoin projects, he decided to invest in ‘Traderschool’. He made contact with the company and was given assurance that he would be covered by the banking ombudsman. The minimum investment was 250 euros. Reassured by what he heard, he decided to invest £229 with the aim of exploring cryptocurrency and seeing how this market performed. Greg’s investment grew very quickly, almost on a daily basis. He regularly received calls from Traderschool asking him to invest in more companies such as Tesla but he stuck with his initial investment.

When his account had more than doubled its initial investment, he decided it was the time to withdraw his balance. This withdrawal was denied.

After further investigation, Greg became aware that Traderschool had used ‘Anydesk’, a remote desktop application that allows you to connect to computers from anywhere in the world, to set up Greg’s account. Greg was becoming more suspicious and decided to change all his passwords.

Over the course of two month his investment soared to £2000. Unfortunately, Greg wasn’t able to access any of his investment and make any withdrawals. When he tried to log in all he got was ‘Access denied’.

Advice:

There are deceitful organisations out there focusing on crypto currency, which makes it difficult to know which ones to trust. If you plan to invest in crypto currency it is advised that you do some research on the company and proceed with caution. You should seek independent professional advice before making significant financial decisions. Even genuine investment schemes can be high risk.

Recent trends have seen online investment scams target a younger audience through the use of social media. Be wary of adverts online and on social media promising high returns on investments in cryptoasset or cryptoasset-related products. The Financial Conduct Authority has information about investment scams and how to avoid them.

If you become a victim of fraud or cyber crime you can report it to Police Scotland on 101.

Technical Annex

The CyberScotland Technical Intelligence Bulletin is designed to provide information about emerging or escalating cyber threats and is created in conjunction with SBRC’s Cyber Incident Response team. You can sign up receive the technical bulletin. Read the latest bulletin here

Scottish Government
Police Scotland
Scottish Business Resilience Centre
Scottish Council for Voluntary Organisations

Related content

March 2021

The CyberScotland Bulletin will provide you with information about the latest cyber threats, scams, news and updates.

This month’s topics include:
• Strategic Framework for a Cyber Resilient Scotland

• CyberScotland Partnership

• Fake Job Adverts

• Free call blocking devices and more..

April 2021

The CyberScotland Bulletin will provide you with information about the latest cyber threats, scams, news and updates.

This month’s topics include:
• Practical advice for early years educators

• Ransomware attacks on the UK education sector

• Facebook Data Leak

• Phishing text messages and more..

May 2021

The CyberScotland Bulletin will provide you with information about the latest cyber threats, scams, news and updates.

This month’s topics include:
• New NCSC cyber security training package for schools, small businesses and charities

• Secure by Design

• Ticket Fraud

• Holiday Scams and more..