Do you know someone who deserves recognition for their support in making UCL a more secure place to study and work? If you do, please nominate them for a UCL Cyber Security and Data Protection Award.

The awards recognise the above and beyond work that our staff and students do to help keep UCL safe and secure.

Award Categories:

• Above and Beyond Award – An individual who has gone out of their way to be helpful or proactive in a cyber security activity.
• Keeping UCL Safe Award – An individual who has made a difference to the cyber safety of UCL.
• Departmental Award for good security citizenship – An individual who has been a good cyber security citizen and role model.
• Data Protection Award – An individual who has gone above and beyond to develop how UCL protects personal data.
• Annual CISO Research Collaboration Award – For the academic or researcher who has done exceptional work in bridging the research to practitioner gap.

How to make a nomination:

Please contact the UCL Information Security Group to make a nomination: MyServices. Include your reasons for nominating and the category.

The deadline for submissions is the 23rd May.

The awards ceremony will take place as part of the UCL Cyber Security and Data Protection showcase event in June. This is an invite only event, award winners will be contacted in advance with an invitation for the event.

Here is Part Two of Week Four’s content for Cyber Security Awareness Month, this is the very last one for this year! This short security related story is all about Preventing identity theft. If you haven’t already entered the Week Four (and Week One, Week Two and Week Three) quizzes to win a £25 Amazon voucher, see the details on how to enter at the bottom of the post.

How to steal an identity

It’s as easy as…

Most of the data needed to steal a person’s identity can be found online. Data can be bought (illegally) from the dark web, or found using free online tools and publicly available information.

Armed with a full set of personal details, a criminal is able to:

• Purchase products or services using the details of the victim.
• Apply for credit cards using the details of the victim.
• Create false identity documents for use in further criminal offences, such as employment fraud, benefit fraud and mortgage fraud.
• Access or open bank accounts to steal money directly or to commit money laundering offences.

Social media

Personal accounts

Social media profiles are an important part of our personal and professional identities (and an important part of staying up till 3am watching YouTube videos).

Unfortunately, criminals also use social media to ‘fill in the gaps’ when researching victims. They look for full names, dates of birth, addresses, education histories, pet names and family members.

This doesn’t mean we shouldn’t use social media. It just means we need to keep a few things in mind. Things like:

• Are you uploading photos to social media?
• Do they contain sensitive information (like details of debit cards or flight tickets)?
• Have you geotagged yourself?
• Geotagging doesn’t just let people know where you are – it lets them know where you’re not!

 

Professional accounts

Information posted to professional social media accounts can be used by criminals to orchestrate social engineering attacks. Before posting, consider if and how your post might be used by a criminal, either in isolation or when combined with other information.

Pro Tip

Use Google’s Manage your reputation tool to see exactly what personal information is publicly available and remove any unwanted content or associated search results.

Mobile phones

SIM swapping

Mobile phones are often used by companies as a means of authentication. You’ll be sent a code by text message as part of the login process. You need to enter the code along with your username and password to authenticate your login.

Because mobile phones are being used more and more frequently for authentication, they’re now being targeted by criminals in a process known as SIM swapping.

 

How’s it done?

SIM swapping sees criminals gain access to your phone by requesting a new SIM card from your network provider.

This is how:

• First, criminals contact your phone company pretending to be you.
• Next, they answer a series of security questions. If successful, they amend your address.
• Then, they request a new SIM card.
• Finally, they activate the new SIM card. Your SIM stops working and all phone calls and text messages are diverted to the criminal.

Once a criminal has access to your mobile phone, they can use it to reset passwords, log in to accounts and treat it as a means of verification when contacting companies.

Pro Tip

Protect yourself from SIM swapping by contacting your network provider and setting a password on your account. In the future, they’ll ask you for your password instead of security questions.

 

Bulletproof your identity

Know the signs!

The following may indicate theft:

• Unauthorised transactions made from your bank account.
• Letters or emails about products or services you do not recognise.
• Letters or emails failing to arrive.
• Phone calls and text messages suddenly cease.
• Goods delivered without being ordered.
• Credit or debit cards being declined, or refusal for credit related services.

Act fast!

If you think you are a victim of identity theft, take immediate action. Criminals will act quickly to exploit your details for maximum gain; you need to act quicker.

• If you notice unauthorised transactions or a credit/debit card is declined, contact your bank or card provider.
• If phone calls or text messages suddenly cease, contact your network provider.
• If you receive letters, emails or goods you weren’t expecting; or letters, emails or goods you were expecting fail to arrive, contact the company or provider concerned.

 

Long-term protection

Sign up to free credit-scoring services

Before committing identity related offences, it’s common for criminals to open free credit scoring services using their victim’s details and an illicit email address. This allows criminals to monitor their victim and know when a new credit service has been granted.

By signing up to a service first, you prevent criminals from opening shadow accounts in your name. Signing up also allows you to monitor your credit history and check for suspicious spending. In the UK, consider Equifax, Experian, and TransUnion.

Register to vote at your current address

Doing so prevents criminals from registering your details at their address so they can redirect and intercept your mail.

Remove yourself from the open voters register

Next time you vote, be sure to tick the box requesting your information be removed from the public electoral register.

Secure your mail

All the information needed to commit identity theft lies in a single bank statement. So, stealing mail is a highly effective way of committing identity theft.

Make sure your mail is secure. Shred any documents containing personal details before disposing of them.

Consider protective registration

Protective registration is a service offered in the UK by CIFAS, a non-profit fraud prevention organisation. Protective registration places a marker next to your name and personal details in the secure National Fraud Database. Companies signed up to the database take extra steps to protect details, making it harder for criminals to apply for products and services in your name.

The one downside to protective registration is it can take longer to gain approval for credit. The service costs £25 and lasts for 2 years.

 

Summary

1. Identity theft is the most prevalent form of cybercrime. Be vigilant. Regularly check bank statements and free credit scoring accounts.

2. Review security settings on your social media accounts. Be mindful of what you post. The internet never forgets.

3. Call your network provider and secure your mobile phone account with a password.

Week Four Quiz

For the chance to win a £25 Amazon voucher answer the following question:

Q: What are the 3 steps needed to protect your devices?

Hint: The answer can be found in the Week Four (Part One) blog post – see below.

Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Four.

If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/

If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/

If you haven’t entered the Week Three quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/18/cyber-security-awareness-month-week-three-part-one/

 

Cyber Security Awareness Month – Week Four (Part One)

If you haven’t already read Week Four (Part One), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/29/cyber-security-awareness-month-week-four-part-one/

Many thanks to CybSafe for providing the content for this blog post!

It’s already the last week of Cyber Security Awareness Month, where has the last month gone! Here is Part One of Week Four’s content. This short security related story is all about Protecting your devices. Make sure you read all the way to the end to enter our week four quiz for your last chance to win a £25 Amazon voucher. If you haven’t already entered the Week One, Week Two or Week Three quizzes, see the details on how to enter at the bottom of the post.

It’s 7.30am. I’m on the bus. It’s cold and wet and I’m ready for a long shift at the day job.

Then I see him. Professional-looking, middle-aged guy on the way to work. He’s a little too engrossed in a newspaper. He plants his backpack on the seat next to him.

As the bus pulls into his stop, he tucks the newspaper under his arm and nods to the bus driver. Seems like a nice chap.

Then I notice it: he’s forgotten his bag.

I’m Leah. Bus rider, technology fanatic and cybercriminal. And today I earn my living.

The cybercriminal code of conduct

I grab his bag and take a peek. His laptop is there. Jackpot.

But, if I’m going to earn my cash, I have to remember the first rule of being a cybercriminal: don’t get caught.

This means getting rid of the evidence (i.e. the laptop) as soon as possible.

I have 20 minutes till the bus loops back around and I can return the laptop. 20 minutes to grab everything I need and install some nasty ransomware.

Plenty of time.

Pro Tip

Ransomware is a kind of malicious software. It blocks access to information, data, and computer systems until a sum of money is paid. However, there is no guarantee that access will be granted, even after the ransom’s been paid.

Too close for comfort

I’ve already spotted his first mistake: being in the wrong place at the wrong time. And I’m not talking about him. I’m talking about his diary. It’s right next to his laptop. A treasure trove of pet names, important dates and personal information. His name is John.

Using a password profiler, it takes 8 minutes to figure out John’s most important passwords.

With John’s password cracked, his laptop is mine.

Then I hit the first snag. John’s installed multi-factor authentication (MFA). Well played.

Leah 1 – 1 John

 

The good, the bad and the useless

John is clearly well up-to-date with his organisation’s security policies. As with any high-performing professional, he has MFA linked to his phone. That’s the ‘good’.

As I go to log in, John’s laptop sends its access request to his phone. I hear a melodic ping come from John’s bag. Yep, it’s his work phone. You may think that this is a win, but I’m not hopeful.

If John’s set up facial recognition or a fingerprint scanner on his phone, it’s protected. Even I can’t get past a biometric lock.

I look at his phone. John’s turned off notifications. This means no lock-screen pop-up messages to give away the code. Clever. Thankfully, the phone only requires a four-digit pin. That’s the ‘bad’.

I try a few different combos.

‘0000’.

Nope.

‘1234’.

Nope.

‘4321’.

PIN accepted.

That’s the ‘useless’.

Pro Tip

MFA is incredible. It will take your accounts from 50% secure to 99% secure. BUT ONLY if used in conjunction with biometric identification or a strong passphrase while notifications are off.

 

Engage all defences!

The bus swerves round a sharp corner and someone bumps into me. I worry they’ll notice that I’m up to no good, but they don’t.

I log into John’s computer and see that he has the most important defences primed: an antivirus and a firewall.

Antivirus software provides near-complete protection against malware. John’s evidently more cyber-savvy than I give him credit for. I’m almost proud.

Pro Tip

Make sure your devices are protected with antivirus software.

Case study: the computer virus from Outer Space

Ants, cats, frogs and even jellyfish have been sent to space. But in 2008, the first computer virus made its way to orbit. The virus, Gammima.AG, was designed to collect user login details and send them to a central server. Somehow, it found itself on board the International Space Station. How? The astronauts’ laptops didn’t have antivirus software installed.

 

A firewall is just as important. Luckily for John, his is turned on. It decides what his computer lets in and what his computer keeps out. Like his own private virtual bouncer.

Pro Tip

Hey, remember the last pro tip? Yep. Do the same for your firewall. Go on! Check if it’s turned on. I’ll wait.

Unfortunately for John, his software hasn’t been updated.

Who needs updates?

You can tell a lot from someone’s device. Not just their account details and favourite font, but what they’re like as a person.

John dislikes cold weather and vegetables (judging by his most recent takeaway order). He also dislikes updates. I know this because I’m bombarded by update notifications as soon as I open up his system settings. This means there are holes in his devices’ security.

I look at the software version John has installed. Like an open book, I can see every exploit. Every flaw. Total transparency. A cybercriminal’s dream.

Case study: NotPetya

NotPetya was a kind of ransomware that targeted corporate networks. It used the same way in as a previous attack called ‘WannaCry’. It turned out that the Windows update that defended against WannaCry would have also been effective against NotPetya. Unfortunately, many of the companies that fell victim to NotPetya had not updated their operating systems. NotPetya caused roughly $USD 10 billion in financial losses.

 

To think, my plans could have been scuppered if John had just set his security software to auto-update. Everything would be downloaded and installed automatically. What a shame.

John’s favourite font is Helvetica, by the way.

 

The John Files

Ransomware could make me some good money, but only if there’s anything worth ransoming. As the bus begins its journey back toward John’s stop, I treat myself to a look at his work files.

Access denied.

John has encrypted his files. Perhaps I’ll need to extend my journey.

Encryption sounds complex, but it’s actually just a type of lock. It scrambles information when active, and unscrambles it when unlocked. John’s locked his files behind a password. It’s a simple spell, but quite unbreakable.

Thankfully, John keeps all of his passwords in the notes app on his phone. Easy peasy. I now have access to his files. No extra journey required.

Leah 4 – 3 John

 

Permission to enter

You’d think it would be easy to install the ransomware after accessing John’s files, but I have to be wary of permissions.

You see, users need permissions to make changes to an account. Permissions decide what can enter and what can alter computer files. If John has set up his devices properly, his user account won’t have permission to install software.

As this was John’s work laptop, he had already been granted all the permissions he needed. And since I was already in his account, I had all the permissions I needed.

Thanks John!

Home Tip

The best way to securely set up your personal devices is to separate User and Admin accounts (using unique passphrases for each). You should use the User account for day-to-day activities, then switch to the Admin account when installing software.

To be even more secure, set up 2 Admin accounts (with different passphrases). That way, you always have a backup if anything happens to the other accounts.

Head in the Cloud

After installing the ransomware, I use John’s phone to contact his boss.

I tell him that John left his bag on the bus. ‘Oh thank you so much, you’ve saved the day!’

Don’t I know it.

It’s time to finish up and play the hero.

But there’s one thing left that can stop my ransomware attack from working: a backup.

Backups are extra copies of data. They can be copies of a file, a picture, or a video. Anything really. They can be stored anywhere, but are only useful when separate from the original device. USB sticks, external hard-drives, and even ‘cloud’ services are all great places to backup important data.

As the bus hurtles towards John, I pray his data isn’t backed up. If it is, I’ll have nothing to ransom.

I check cloud services: none. I check his bag for USB sticks: none. Then I find it: an external hard drive.

Pro Tip

Cloud storage is great. It’s affordable, and most providers encrypt all information stored on their servers. However, each provider is different. It’s worth researching cloud service providers as Clouds outside of your locale may follow different data protection laws.

Though external hard-drives can be secure, John left the hard-drive in his bag. This means his data was mine to destroy. I plug it in and delete the lot.

Problem solved.

Pro Tip

Whilst external hard-drives can be a great place to backup your data, there are a few things you should always do.

1. Keep your external hard-drive separate from your device.
2. Only use trusted external hard-drives. An infected USB stick or hard-drive could harm your device.
3. Encrypt the drive if it contains personal or confidential data.

Prepare to launch

The bus skids into the last stop. The doors slide open. I pop everything back into John’s bag as if they never moved. I walk 3 minutes to John’s work. It’s a huge financial company.

Perfect.

John’s waiting outside. He shakes my hand and thanks me profusely. What would he do without me? How could he ever repay me?

I tell him it was nothing and wave goodbye. John has his laptop back, and he’s already going about his day as if nothing is wrong.

I jump back onto the bus.

Time to launch the ransomware attack.

3….

2…

1…

Summary

1. Do your best to prepare for the worst. Backup all of your data and encrypt all of your files. And keep your backups separate from your devices!

2. Our phones contain our most personal details. So keep them secure! Use a strong passphrase combined with MFA to keep people out. Keep your phone and apps updated and your files encrypted.

3. Set up separate User and Admin accounts on your personal devices.

4. It only takes one hole in your device security to leave your accounts vulnerable. Make sure you have an antivirus installed, your firewall turned on, and your security software set to auto-update.

Week Four Quiz

For the chance to win a £25 Amazon voucher answer the following question:

Q: What are the 3 steps needed to protect your devices?

Hint – check out the 4th point of the summary.

Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Four.

If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/

If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/

If you haven’t entered the Week Three quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/18/cyber-security-awareness-month-week-three-part-one/

Cyber Security Awareness Month – Week Four (Part Two)

If you haven’t already read Week Four (Part Two), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/29/cyber-security-awareness-month-week-four-part-two/

Many thanks to CybSafe for providing the content for this blog post!

If you receive a suspicious email and wish to raise it with ISG to determine if it is something to be concerned about, there are several routes you can take. In this guidance, we will walk you through some common types of malicious emails that are sent and which route would be best to report each kind of email.

Common Types of Emails Received

Although phishing and spam often take new forms, there are some common templates that are consistently reused. Here are some examples:

1. Spoofing: This occurs when a scammer pretends to be someone or something else to gain your trust. A common version is an email from a “colleague” asking if you’re free and requesting something like Amazon gift cards if you reply. They can also take the form of a third party asking you to review a bill or receipt or informing you that a package has been delivered. If you receive an unexpected email like this, please check with the sender (via a different route than email or however they contacted you) to verify if it is a genuine communication.
2. Blackmail Scam: These scam emails claim to have gained access to your computer via malware and to have access to sensitive files on you (such as having recorded you without your knowledge), asking you to pay them in Bitcoin or they will release the files publicly. They often provide “evidence” of the breach, such as spoofing your own email address or providing you with a password that was leaked in a public data breach. Please be aware that these are rarely evidence of an actual compromise of your account. While it is good to report these emails and change any passwords provided in the scam email, they are not necessarily a cause for worry.
3. Lottery or Prize Scams: These emails claim that you have won a large sum of money or a prize, often requiring you to provide personal information or pay a fee to claim it. Legitimate lotteries do not ask for payment to receive winnings. Treat such emails with scepticism and do not provide any personal information.

Reporting Suspicious Emails

If you receive an email that you wish to have investigated, you can take the following steps:

1. Send the Email to phish@ucl.ac.uk: When you send an email to this address, it will automatically scan the email and provide you with an automated response with the result. You can also click on the “Report Phishing” or “Report Junk” buttons (instructions shown here), which will provide you with the same automated response.
2. Raise it Directly with ISG: If you believe that the classification given was wrong, or you still want a security analyst to directly review the email, you can raise a ticket with ISG with the email included, which can be done here.

Non malicious emails

You may receive spam or junk emails which, whilst annoying, will have no harmful links or documents within them.  In these cases, you will not need to report them via Outlook – you can block the sender and safely ignore the email. If you are worried that the email may have been sent to multiple people in UCL, you can report it to ISG, where we can explore if it was sent to multiple addresses and, if it is a large enough campaign, can request the address be blocked university wide.

Best Practices for Email Security

• Verify the Sender: Always check the sender’s email address carefully. Scammers often use addresses that are similar to legitimate ones but may have slight variations.
• Hover Over Links: Before clicking on any links, hover your mouse over them to see the actual URL. Ensure it matches the legitimate site. If the end site asks you to input any details, only do so if you have already ensured the email and the site are both genuine.
• Check with the Sender: If you were not expecting the email, check with the sender (via a different mode of communication, such as Teams) to verify if they sent the email.
• If in Doubt, Report: If you have any doubts, report the suspicious email via the methods provided.

In today’s digital age, it should come as no surprise that many data breaches stem from the improper use of email. Email is one of the most common methods of communication due to its ease and convenience. However, this ubiquity also means that simple mistakes can have significant repercussions.

One common mistake is using Cc instead of Bcc for large bulk emails. For day-to-day emails involving communication between a few team members who are already aware of each other, using Cc is generally acceptable. However, significant problems can arise when you start bulk emailing people who do not know each other.

It’s important to note that it’s not always “just an email address” being exposed in these situations. Consider the case of a clinical trial studying a particular health issue or a bulk email to students who have recently used university-provided counselling services. Sending an email to all participants and using Cc instead of Bcc will reveal the sensitive information of everyone in the email thread. An example of this is shown in this article written by the ICO, where 166 people’s HIV status was breached due to the use of Cc instead of Bcc.

For more on the importance of using Bcc over Cc, you can refer to this article from the ICO, which includes advice and case studies on relevant breaches: ICO Guidance on Email Security. Additionally, you can learn about how to use Bcc and how to mitigate any mistakes here: Preventing Email Data Breaches.

The use of Bcc should be encouraged as much as possible. Unless you’re certain that all recipients are aware of each other and need to communicate with everyone in the email chain, Bcc should be the standard practice.

Here is Part Two of Week Three’s content for Cyber Security Awareness Month. This short security related story is all about Sophisticated Attacks. If you haven’t already entered the Week Three (and Week One and Week Two) quizzes to win a £25 Amazon voucher, see the details on how to enter at the bottom of the post.

Meet Sophie. Sophie is a security consultant. She gets paid to think like a criminal and break into buildings.

Organisations hire Sophie to test their security.

Sophie uses fake emails, phone calls and text messages to pretend to be someone she’s not. Much of the time, she approaches people in person and manipulates them to help her.

Sophie’s attacks are “sophisticated” because she targets individuals. Sophisticated attacks work by getting people to do things they wouldn’t usually do, like provide access to restricted information or areas, pay “invoices”, or break policy.

Sophisticated attacks are often called “social engineering” attacks.

Recently, a client hired Sophie to test two of their facilities: a manufacturing plant and a nearby office.

This is how she did it…

 

Stage 1: Research

Your social media accounts are Sophie’s best friend. The more information you share, the more options you give her.

Sophie has several fake profiles. You might even be connected to one. (A good reason to always verify who people are before accepting requests.)

Sophie started by using one of her accounts to look for people who worked at the facilities. She found a Facebook account of a young woman, “Mary”.

Mary worked as a front desk assistant at the manufacturing facility.

Mary’s Facebook profile showed pictures of her volunteering at a maternity support centre. Sophie could tell Mary cared for children and new mothers. Of course, she would use this to her advantage.

Stage 2: Setting the scene

Sophie knew she would more likely be welcomed into the facility if staff were expecting her. So, she went about setting the scene for her arrival.

Armed with the knowledge about Mary, Sophie picked up the phone.

Before dialling, Sophie disguised her phone number so it looked like she was calling from head office. This process is known as “spoofing”.

Spoofing: When emails, phone calls and text messages are made to look like they’re from someone else.

By spoofing her client’s head office phone number, Sophie added credibility to her attack. Spoofing works because people don’t always verify who they’re talking to.

Pro Tip

What to look out for: Phone calls

All phone numbers can be faked. This includes internal extensions.

Criminals pose as legitimate people, like bank staff or IT teams. Their aim is to convince targets to do things they wouldn’t usually do.

Control your emotions, especially if the caller tries to get you to panic, worry, or act under pressure. Don’t do things you wouldn’t normally do. Stick to policy.

When necessary, verify. Call back using a known contact number (either that you know or that’s published online).

 

What to look out for: Text messages

Criminals also use fake text messages to encourage people to:

• Click links that lead to fake websites. Fake websites are set up to steal personal details or install malware.
• Call numbers that connect to criminals, or premium-rate lines.

Fake text messages can even drop into ongoing conversation threads with genuine contacts!

It’s rare for us to advise never to do something. Text messages are the exception. There’s no way to determine the real sender of a text message, so:

• Never click links in texts.
• Never follow directions sent via text.
• Don’t do things you wouldn’t normally do. Stick to policy.
• Verify if you need to, search online for legitimate details.

All suspected fake phone calls and text messages should be reported.

“Hi Mary! My name is Barbara.”

Sophie got right to it. She explained she was “Barbara”, a project coordinator arranging the refurbishment of company offices.

Sophie told Mary she was sending an interior designer out the next day. The interior designer, Sophie said, was putting together a facility-update proposal.

Mary was cautious, “Well, that’s great! But why the short notice?”

It was time for Sophie to play her trump card.

 All phone numbers can be faked. This includes internal extensions.

Sophie explained she should have called sooner. But she was overloaded with work and was due to give birth in six weeks, “If my boss finds out I messed this up he’s going to flip.”

Mary cut her off. “Oh, it’s ok. We’ll work this out! Tell me about the baby! Is it your first? Boy or girl?!”

Mary was hooked. She was a good person, who just wanted to help.

The two talked babies and birth plans for a while. Mary then took down the name of the designer who would visit the next day, “Claire”.

If only Mary had verified who she was talking to. If only she had hung up and called back.

But she didn’t…

Stage 3: Attack

Sophie showed up the next day as “Claire” the interior designer. Claire had her own business cards and website! (Sophie had made them the night before.)

Mary and her boss were waiting to welcome Sophie. She shook hands and handed them each a business card. Mary gave Sophie a visitor badge and invited her in.

Sophie gained rapport with the staff by asking them what they wanted from an office space. “You want a standing desk? New chairs over here?! Ergonomic keyboards for all!!”

Everyone was very excited.

Sophie took forever looking around. Eventually Mary and her colleagues had to get back to work. They left Sophie, giving her complete, unaccompanied access to both facilities.

The company had a policy of escorting visitors. But because Sophie had been seen with trusted insiders, no one questioned her. She was free to do as she pleased.

Pro Tip

What to look out for: In-person approaches

In-person approaches rely on our desire to help. This shouldn’t be discouraged.

We should trust the people around us, but we also need to be comfortable checking if something doesn’t look or feel right.

Procedure is well thought out. It’s there to support and protect. A genuine person without ID won’t be annoyed or angry if you politely ask who they are and why they’re in the building. Trust, but verify.

 

What to look out for: Shoulder surfing

“Shoulder surfers” are opportunists who check screens or listen to private conversations.

When working in a shared space:

• keep your desk clear to prevent loss of physical assets,
• and consider who’s around before discussing sensitive topics.

Just like you would be with your PIN at an ATM, or whilst on the phone to your bank.

A privacy screen is a thin piece of plastic that’s placed over your monitor. It stops people seeing what’s on your screen.

 

What to look out for: Fake USB devices

Fake USB devices are USB devices that damage or steal data from computers or networks.

Any USB device can be harmful. This includes charging cables.

Labels like “bonus payments” can make USBs enticing. Letting curiosity take over can be risky.

Report any stray USB devices you find. Plugging them in isn’t worth it.

Sophie took her time. She gained network access and stole several thousand dollars worth of computer equipment.

Once she’d finished, Sophie found the office of the person who’d hired her…

“Who?…. Wait, what? How? How did you get in here?!”

Sophie sat down and smiled, “Let me start from the beginning…”

Summary

Everyone should be able to do their job without worrying about sophisticated attacks.

Trust those around you. But recognise when you’re being steered by emotions. Be comfortable checking when things aren’t right.

Don’t panic if you accidentally click, say, or do something unwise in an odd moment. It’s okay as long as it’s reported. Reporting buys time. It prevents further damage.

 

Stopping sophisticated attacks: “Trust, but verify”

1. All emails, phone calls and text messages can be made to seem as if they’re from someone else.

2. If you receive a request you weren’t expecting, or one that has an undue sense of urgency, slow down. Verify and follow policy.

3. If you think you’ve identified a sophisticated attack, report it. Reporting prevents cyber crime.

 

 

“Sophie” is a real person. Her story was adapted from the original published on vice.com on 20th October 2017.

Week Three Quiz

For the chance to win a £25 Amazon voucher answer the following question:

Q: Not doing what, is like leaving the front door unlocked for criminals?

Hint: The answer can be found in the Week Three (Part One) blog post – see below.

Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Three.

If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/

If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/

Cyber Security Awareness Month – Week Three (Part One)

If you haven’t already read Week Three (Part One), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/18/cyber-security-awareness-month-week-three-part-one/

Thanks to CybSafe for providing the content for this blog post!

Here is Part One of Week Three’s content for Cyber Security Awareness Month. This short security related story is all about Working Remotely. Make sure you read all the way to the end to enter our week three quiz to win a £25 Amazon voucher. If you haven’t already entered the Week One and Week Two quizzes, see the details on how to enter at the bottom of the post.

“Invite to Saleena’s virtual leaving drinks? Awesome. It’s not like there’s anything else to do!”

Sarah has been working remotely for nearly a year.

At first, she enjoyed her new environment. Cool home-office gadgets, cosy blankets, and a fresh obsession with plants.

The novelty quickly turned frustrating. No distractions, no water-cooler chats, no social interaction.

Like most people, Sarah’s desire for social interaction skyrocketed.

So, Sarah enthusiastically clicked on the Zoom invite for Saleena’s event!

Before she had a chance to read the details, the doorbell sounded. She rushed to open the door for a delivery.

By the time she came back, the invite had disappeared, and the computer had turned off.

Strange.

 

Where did Sarah go wrong?

Checking emails

Whether it’s the desire to feel connected or the anticipation of a precious delivery, criminals take advantage.

Unsurprisingly, fake emails more than doubled when working remotely became the new normal.

And the invite for Saleena’s leaving drinks was indeed a fake email with a fake link to a fake Zoom event. All communications can be faked to make it look like they’re from someone else.

Pro Tip

Check sender’s email address. Do you recognise it? Does it match the name of who the email is from? If not, verify using an alternative contact method.

Check email content. Is the email unexpected? Is it too good to be true? If something doesn’t feel right, slow down and report it to your IT department.

Check links and attachments. Do you recognise them? Hover your mouse over a link to see its true destination. Use a reliable search engine to check whether it’s safe to open.

If you suspect an email, report it to your IT department or security team.

You can also report it to the NCSC.

Policies, procedure, guidance, winning

Approved technology, whether it’s hardware (e.g. a work device) or software (e.g. antivirus) is set up to have the best protection possible.

By clicking the fake Zoom link, Sarah unknowingly downloaded malicious software onto her personal computer. She didn’t have the same protection in place on her own device as on the one given to her by Liteify, her organisation.

Pro Tip

Work devices often have a lot of security layers in place. If you can, make sure your work and personal devices are separate. Keep work emails on work accounts and personal emails on personal accounts. Avoid forwarding emails from one to the other, just in case.

Personal devices: Updates

If you’ve been allowed to work on a personal device, make sure you have the following protections in place.

Antivirus

Antivirus protects devices from malware and viruses. It checks links, files, software and applications against known threats and monitors suspicious activity from programs running on your device.

As with any product or service, make sure to review several options before purchasing and only buy from reputable sources. It may be that your organisation recommends, uses, or is partnered with, a chosen provider.

Check first, as you might be able to gain access to a reputable provider for free!

Updates

Not installing software updates is like leaving the front door unlocked for criminals.

Outdated devices or apps can be an entry point for malware into home networks. Updates keep them secure by fixing newly discovered vulnerabilities.

Enable auto-updates for as many other pieces of software as you can.

Firewalls

A firewall is a set of virtual rules that tell the computer what data to let in, let out, and keep out. Here is how to turn it on

Apple

Windows

After restarting her device, Sarah noticed nothing wrong with it. She had no idea about the malware, until she got a strange email from a colleague.

She definitely did not send that email. After a short panic, Sarah reported the suspicious email she purportedly sent to her colleague.

Other colleagues had reported the unusual emails from Sarah, too. Thanks to these reports, the company’s security team successfully identified the fake email that attackers used to infiltrate Liteify’s systems and hijack Sarah’s email account.

Routers and passphrases

Though she felt uneasy and embarrassed, Sarah was also relieved. She understood the impact an accidental click and the absence of antivirus could have and decided to take action.

Routers

Unsecured routers can put both personal and work devices at risk.

Wi-Fi networks can be vulnerable if the default router settings aren’t changed as it makes it easy for criminals to gain remote access.

Secure your home routers for protection when working from home.

 

Strong and separate passphrases

Securing home routers is only effective if they’re protected with strong passphrases. Stronger and easier to remember, passphrases are passwords but better!

Reusing passphrases is risky. Using unique passphrases for each account is one of the easiest ways to protect your accounts in the event of a data breach.

Pro Tip

The most effective action to prevent cyber crime on a personal level is to use strong and separate passphrases on valuable accounts and home routers. If the systems or policy allow, use separate passphrases on workplace accounts.

How to – passphrases

An easy way to set a passphrase is to use three random words, such as:

workHOMEsecure2022

Join the words together to create your passphrase. You can include special characters, capital letters and numbers in memorable positions, like at the end:

workHOMEsecure2022!!

Passphrases should be at least 12 characters long – but the longer, the better.

Working from anywhere

Just like Sarah, 1 out of every 2 people worldwide work remotely at least once a week. Whether working from a beach in Bali or a local coffee shop, there are additional things to consider when working away from home.

Public Wi-Fi

Public Wi-Fi hotspots can be used to monitor web use and intercept personal information. You can protect yourself by tethering or using a VPN.

Tethering is sharing a device’s (phones, most often) internet connection with another device.

VPNs can be downloaded as an app which creates a secure connection to the Wi-Fi hotspot.

Being aware of your environment

• Lock unattended devices to prevent unauthorised access, especially when living with others or working in a shared space.
• Use privacy screens if needed.
• Avoid discussing sensitive work topics in public.

Week Three Quiz

For the chance to win a £25 Amazon voucher answer the following question:

Q: Not doing what, is like leaving the front door unlocked for criminals?

Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Three.

If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/

If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/

Thanks to CybSafe for providing the content for this blog post!

Here is Part Two of Week Two’s content for Cyber Security Awareness Month. This short security related story is all about passphrases and MFA. If you haven’t already entered the Week Two quiz to win a £25 Amazon voucher, see the details on how to enter at the bottom of the post.

I was sipping my latte when I overheard her.

“It was a bargain! Only $700 at xyz-style.com!! Just look how cute it is!!!”

The dress is alright… Judith Harris. That’s her full name. A glance at her employee ID was all I needed.

Judith is clearly well-off. Who else describes a $700 dress as “a bargain”?

So what’s next?

I start looking online to see what other personal information I can find.

 

It takes just a few minutes.

Her Facebook and LinkedIn accounts are both public. In a few minutes, I know a lot about her: date of birth; home and work email address; family members; recent holidays; hobbies; and the dog’s name, obviously.

I bet I can use the information to break into her email account. From there I can access other accounts and services linked to it, like PayPal, Amazon, and her credit cards.

To start, I’ll need to crack her password. To do this I need a “wordlist”. A wordlist is just a file containing passwords. Hundreds of thousands of them.

You can download generic wordlists online. In my experience though, they don’t work as well as ones you build yourself.

I use a piece of software called CUPP (short for Common User Passwords Profiler). CUPP generates a custom wordlist using the information I know about Judith.

This is what it looks like, if you’re interested.

There are other ways to hack accounts.

I chose to crack Judith’s password. It’s not the most effective way to hack an account. But it keeps my skills sharp. It’s also fun!

The dark web: It’s easier to buy stolen account details from the dark web. People rarely use different passwords for different accounts. I take the details from one stolen account, and use them to access other accounts belonging to the same person. It’s child’s play.

Public Wi-Fi: Public Wi-Fi is also a helpful friend. Shared networks, like the ones in coffee shops, can be used to intercept passwords.

Personally, I never use public Wi-Fi to do things I wouldn’t want other people to see, like access accounts containing personal info, send emails, or make payments. You shouldn’t either.

Fake emails, messages & phone calls: If I get stuck, or if I’m going after a cautious individual, I’ll reach out directly. My message will look similar to something they’d normally receive, like a delivery notification or a message from a colleague.

The message will contain a link to a fake website that looks genuine. The website will be set up to steal their password. These “sophisticated attacks” are great at tricking people into giving away their passphrases.

Right, I have Judith’s email address and 203,462 potential passwords. But I can’t just bang on Gmail’s front door. Google will lock the account if the wrong password is entered too many times.

What about xyz-style.com…? The website she got her “bargain” of a dress from. I wonder if it has the same security controls in place.

…bingo! I’m in.

(I say “bingo” as if it happened instantly. It didn’t. It took about 8 minutes. Had to get another coffee and everything.)

Scared now, huh? No need to be.

People don’t realise they can check if passwords or account details have been leaked online. haveibeenpwned.com is a website that lets you check if you have an account that has been compromised in a data breach. It’s owned by Troy Hunt. Troy is a respected security professional and Regional Director at Microsoft.

Check it out: haveibeenpwned.com

It can be scary, but it’s worth doing. You can also sign up to an alerts system which will notify you if your details appear in future breaches.

Back to Judith.

I’m in to xyz-style.com. There’s not much to see. The site doesn’t store card details, unfortunately.

Doesn’t matter. The reason I hacked into xyz-style.com was to attribute a password to Judith. People frequently reuse passwords. Let’s try the same one to login into her email account…

 

Forget about passwords.

In the past, you may have been advised to use a complex password. Something like this…

~2EnQ4#t?

It’s bad advice.

Complex passwords are very difficult for humans to remember. They’re also very easy for computers to guess, or “crack”.

Something like the above would take just 8 days for a computer to crack.

Using personal information in your passwords is also a bad idea.

So what should you do?

 

Use a passphrase.

Passphrases are similar to passwords. They’re just stronger and easier to remember.

Pro Tip

An easy way to set a passphrase is to use three random words, or a simple but memorable saying, for example:

• linguini pencil london
• dogs eat meat dogs play beats

 

Join the words together to create your passphrase.

 

You can include special characters, CAPITAL LETTERS and numbers.

 

Place them in simple, memorable positions, like at the end:

• linguiniPENCILlondon2020!!
• DOGSeatmeatDOGSplaybeats2020!!

 

Your passphrase should be at least 12 characters long, but longer is better, if you can.

Extra protection.

…It works!

I’ve hacked into Judith’s email. She’s made it so easy for me.

You might be wondering what the value of this exercise is. Let me show you.

Many people do not realise how much they have invested in their email accounts until those accounts are in the hands of criminals.

In nearly all cases, the person in control of an email address can reset the password of any associated service or account.

By then it’s too late.

Stealing, cracking or buying passphrases is challenging. But it’s not impossible.

I’d suggest using extra measures to protect your accounts. That’s what I do.

Step 1: Protect your valuable accounts with multi-factor authentication (MFA)

MFA is a powerful tool to protect your main email and other high-value accounts. It takes an account from about 50% secure to 99% secure.

MFA lets you verify your identity twice when logging in, using your passphrase and a unique code from your phone.

This means if I have access to your passphrase, I cannot get into your account unless I also have access to your phone.

Many believe you have to enter MFA codes every time you login. You don’t! After logging in for the first time, the device and the account become “linked”. Once the device is linked, it’ll usually log in automatically. Easy.

Setting up MFA

Step 2: Use biometric readers

Biometric readers are things like fingerprint scanners and facial recognition cameras. They bolster the effectiveness of your passphrases.

Biometric readers are a real time saver. But they’re only as strong as the passphrase they represent. If you have access to, say, a fingerprint scanner, only use it in conjunction with a strong passphrase!

The four-digit pin you’ve “protected” your phone with? That’s not secure even with a biometric reader. You can do better!

Step 3: Use a password manager

A password manager stores all your passwords (or passphrases) in one place. They’re great if you have lots of different passwords to remember.

The passwords stored in the password manager are secured with one “primary passphrase”.

You can get them as standalone apps or you can use the one in your web browser. Both are good.

If you don’t feel comfortable using a password manager, you can write passwords down. Store them somewhere safe, out of sight and, most importantly, away from your computer.

Summary

I’m not real, obviously.

I serve a purpose though. I represent real people.

I am online criminals, nation-state hackers, and every person who doesn’t have a job or means to make money legally. If you make it easy for me, I will eventually get you.

I do this because I can. And because people make it easy for me

1. Using strong passphrases is the most effective thing you can do to prevent cyber crime.

2. Use a strong and separate passphrase for your most valuable accounts, like your home and work email accounts.

3. MFA takes an account from about 50% secure to 99% secure. If it’s available, use it!

4. If you’re struggling to remember multiple passwords, consider a password manager.

Week Two Quiz

For the chance to win a £25 Amazon voucher answer the following question:

Q: What are the three steps to spotting a fake email?

Hint – the answer is in Week Two Part One (see below for a link).

Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Two.

Cyber Security Awareness Month – Week Two (Part One)

If you haven’t already read Week Two (Part One), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/

Thanks to CybSafe for providing the content for this blog post!

Here is Part One of Week Two’s content for Cyber Security Awareness Month. This short security related story is all about spotting fake emails. Make sure you read all the way to the end to enter our week two quiz to win a £25 Amazon voucher.

One slow day, whilst sitting in his office, James Linton noticed something. Emails don’t show the sending email address by default. He realised he could put any name there he wanted.

So he did, for five months.

He started by pranking his colleagues. He sent them emails that looked like they were from their CEO. He loved the excitement and wanted more.

James’ first real victim was the CEO of a large British bank. James sent him an email purportedly from the bank’s chairman. Suspecting nothing, the CEO engaged in an exchange praising the chairman.

James leaked the email exchange, embarrassing the CEO and prompting the bank to reconfigure their email systems. SINON_REBORN – James’ prankster alter ego – had arrived!

The pranking spree continued.

The Governor of the Bank of England.

A British politician.

And the White House!

Sending fake emails was exhilarating. James compared the excitement of it to the high of gambling –“You fire out three emails, and one of them comes up. When it does, you realise you have one on the line.”

James’ emails worked. Over and over again.

They worked because they won his victims’ trust.

That’s exactly what targeted fake emails do.

What are fake emails?

Fake emails look like they’re from legitimate or known sources, like a person or company you know.

These days, fake emails are difficult to spot.

The idea that most fake emails come from “long-lost relatives” is a myth. Today’s fake emails are more convincing. For the most part, they’re free from spelling and grammatical errors.

Fake emails can be either generic or targeted.

Generic fake emails are low in complexity but high in volume. Criminals send out millions of them. They usually look like they’re from a well-known company, like Apple or Amazon.

Targeted fake emails are harder to recognise and are increasingly common. They’re unique to the recipient and usually reference information found on platforms like LinkedIn.

Pro Tip

You may have heard some people refer to fake emails as “phishing”. They’re exactly the same thing. Targeted fake emails are sometimes called “spear-phishing”.

Creating legitimate-looking fake emails isn’t as hard as you might think.

How did James Linton create fake emails?

James decided on his target first. Then he picked his character based on his target’s professional and personal connections.

The next step was to find a hook. The hook was usually an interest both James’ target and character shared.

James then created a fake email address using his character’s name.

Finally, James added extra credibility to his fake emails. For example, he might hand type a second “email” below his message. This additional text, James believed, made his emails seem as though they had been forwarded.

James also favoured adding “Sent from my iPhone” to the end of messages. This made it seem like his messages were sent by an ordinary person, not “somebody huddled over a laptop in their hoodie.”

Pro Tip

How to create legitimate-looking fake emails

A guide by James Linton:

1. Pick your target.

2. Pick your character.

3. Create a hook.

4. Create a fake email address.

5. Add extra credibility.

Ian Levy: a target too far

After tricking the White House, James’ search for worthy prey continued. That was when he landed on the Technical Director of the UK’s National Cyber Security Centre (NCSC) – Dr Ian Levy.

Posing as a colleague – the Director of Operations – James “accidentally forwarded” an email from another colleague – the Director of Communications – to Ian, including a link to an article.

After inspecting the link on this phone (by a good old “touch-and-hold”), Ian suspected the emails were fake.

How to spot fake emails

You can use Ian Levy’s 3-step checklist:

Pro Tip

How to spot fake emails

1. Check sender’s address.

2. Check content.

3. Check links or attachments.

Step 1: Check sender’s address

Email inboxes show sender names, but they don’t always show addresses.

You can click on the sender’s name to reveal their actual email address. Pay attention to the information that comes after @.

Right after Ian had noticed the link protection of mail.com – instead of ncsc.gov.uk – he examined the sender’s address:

paul.chichester.ncsc.gov@mail.com

It didn’t look right. It was supposed to end with @gov.uk. He was intrigued, so he played along, humoring his adversary. Eventually, Ian Levy convinced James Linton to reveal his identity.

Pro Tip

Do you recognise the sender or the sender’s email address?

• Click on the sender’s name to reveal the email address.
• Contact the person you think the email is from – using anything but that email address.

Step 2: Check content

Fake emails use emotional manipulation to trick people. Notice the different types of emotions evoked:

Panic

Make a payment – your manager needs you to make an urgent payment.

Worry

Verify some information – someone has tried to access a company or service you rely on (such as a bank, phone provider or TV service).

Curiosity

Open an attachment – you’ve been sent a confidential document to read.

This is how James Linton attempted to trick Ian Levy. The emails “accidentally forwarded” from his colleague evoked curiosity.

Kindness

Visit a website – a colleague needs you to visit a website to check the content and provide your opinion.

Trust

Provide sensitive information – a colleague needs you to reveal sensitive information to help them with a task.

Pro Tip

Is the email unexpected? Does it convey an undue sense of urgency? Does it ask you to break policy?

• Slow down and think.
• Check the sender details.
• Call the person you think the email is from and ask them. Call them using a known contact number.

Step 3: Check links or attachments

Links can be displayed in their raw format (www.google.com) or as a hyperlink (this). They can also be disguised or shortened, like this https://bit.ly/3yJanNJ.

To see the true destination of a link, hover your mouse over it.

Or, if on your phone, do what Ian did. Touch & hold the link to reveal its true destination. This is how Ian noticed the link for mail.com, instead of ncsc.gov.uk.

File extensions – the last 3 or 4 letters after the dot [.] at the end of the file – tell you what a file does. So make sure you inspect them before opening attachments.

Pro Tip

Does the email include a link or attachment you don’t recognise?

• Hover your mouse over a link to see its true destination.
• If you are using Google Chrome, the browser has a built-in safe browsing feature that will show a warning before taking you to a dangerous site – keep an eye out for these warning messages.
• You could also use a reliable URL scanner to check whether or not a link is safe to open.

Bonus content: File extensions

Files ending .exe, .vbs and .scr are more likely to be dangerous. If you see a file that contains any of these extensions, especially if what you think you are opening is meant to be a read only file, such as a document, photo or video, be cautious.

Enable “Show file extensions” on your computer as it allows you to check file types before opening them.

Make sure the file you think you’re opening is what it claims to be:

• PDF – .pdf .fdf .xfdf
• MS Word – .docx .doc
• MS PowerPoint – .pptx .ppt
• MS Excel – .xlsx .xls
• Image – .jpeg .jpg .jp2 .jpx .png .gif .tif .tiff
• Video – .avi .flv .wmv .mov .mp4

Can you spot fake emails?

Below are four emails – see if you can spot the fake ones.

Real or fake?

Fake!

Check links or attachments.

Hovering over “Open in Docs” shows you its true destination, a look-alike link – http://drive—google.com/samandrews/fdhh9w8qr5lioe55.

 

Real or fake?

Real!

This is a legitimate Dropbox email.

Check the sender’s address.

The sender is “dropboxmail.com” – although this looks unusual, a quick search reveals it’s legitimate.

Check links or attachments.

The link is to a secure site https://www.dropbox.com.

 

Real or fake?

Fake!

Check links or attachments.

Hovering over “this” shows you the link’s true destination – a look-alike website address https://drive.google.com.download-photo.balootec.net/AONhfnfeuG. The real address is “balootec.net” which is disguised to look like Google Drive.

Check the sender’s address.

Do you know AK? Clicking on the sender’s name reveals their actual email address. Does the email address “AKumar62457@gmail.com” seem familiar?

Check content.

Is the email unexpected? What emotions does it evoke? Someone addressing you as “friend” and sending you a “cute photo” likely evokes curiosity.

 

Real or fake?

Fake!

Check links or attachments.

Hovering over “CHANGE PASSWORD” shows you its true destination – http://myaccount.google.com-intro.help-secruity.org/signinoptions. The link actually points to the website of “help-secruity.org”, not Google.

And “secruity” in the link is misspelled.

Check the sender’s address.

Clicking on the sender’s name reveals their actual email address. The sender address “google.support” isn’t actually used.

Check content.

The email contains poor grammar – “You’re account” and “Suspicious signon”.

 

Summary

After Ian Levy coaxed James Linton out of hiding, the pair teamed up. They co-authored a blog about their experience.

Their aim was to help people spot future fake emails.

After completing this module, you’ll have everything you need to do just that.

 

How to spot fake emails

1. Check the sender’s address. Click on the sender’s name to reveal it. Contact the person you think the email is from using a known contact number.

2. Check the content of the email. Is the email unexpected? Is it asking you to do something unusual? What emotions does it evoke?

3. Check links or attachments. Hover over them to see their true destination. If they look suspicious, search for verifiable online information.

Week Two Quiz

For the chance to win a £25 Amazon voucher answer the following question:

Q: What are the three steps to spotting a fake email?

Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Two.

Thanks to CybSafe for providing the content for this blog post!