Did you know that over 80% of data breaches are caused by Human error? With so many emails and so much data to send and process, it can be easy to mistakenly send an email to the wrong person which is the cause of many data breaches. It’s just as easy to click on a link without considering whether it came from a safe sender, or to not see the signs of a spoofed email that appears as if it’s from a colleague.

Increasing awareness of these issues and others like them can be one of the most effective ways to promote defence against cyber attacks and to reduce data breaches. For this reason, at UCL we are recruiting Security Champions who will help us with promoting awareness, as well as providing us with a link to all the different faculties and departments within UCL.

What is a Security Champion?

A Security Champion is someone who works within their department in order to promote cyber security awareness. This is done in a variety of ways, including distributing messages, content and reminders locally to their department.

In order to prepare for this role, a Security Champion is given a briefing from the Information Security Group and the Data Protection team so that they can familiarise themselves with the available resources, objectives and themes of the programme. Following this they can introduce themselves to their department in their new role and outline their plans. Throughout the role, periodic training and briefings are provided  to ensure that they can stay up to date on available content and resources.

As part of the ongoing role, Security Champions are expected to:

• Attend meetings within their departments to promote security and raise any discovered issues.
• Deliver messages and other content throughout the term as friendly reminders to remain vigilant against suspicious communications.
• Attend Security Champions network meetings with other departments in order to report back, share ideas and receive updates.

If this sounds like something you would be interested in, then please contact us at ISG via our email address: isg@ucl.ac.uk. Please be aware that this role is expected to take up approximately one day  per term. At present, this role is for staff only.

One of the key dangers in the world of cybersecurity are phishing emails. Even with all the defensive tools available, it’s easy for any person to slip up and click on a file or a link by accident. In this post, we’ll talk about a particular kind of phishing we’ve recently seen an increase in: hiding malware in fake financial documents. 

How to spot a phishing email 

Attached below is an example of one of these phishing emails we have had reported to us recently: 

Looking at this, there are a few details that would indicate it’s phishing to someone who knows what to look for. 

Firstly, the email is addressed to “Customer” – quite often, phishing emails will use generic greetings such as this, as they’ll send the same email to hundreds of people or more. However, it should be noted that not all phishing emails use this tactic, and many will be more personalised in their attacks. 

Secondly, the email is vague about what it is about, besides the fact it is related to a payment. This has the effect of making the recipient more curious, and therefore more likely to click on the malicious file. On top of this, by keeping it vague, fewer people who receive it will dismiss it as unrelated to them. 

On top of these, there are quite a few markers as well that might distinguish a message as phishing: 

1. A sense of urgency and fear – a phishing email may try to make you feel rushed or suggest that you may be in trouble. This is so that you don’t have the time to wonder if it might be legitimate. 
2. A promise of reward – often, emails will get people to click on their links with a promise of reward, such as claiming they have won the lottery. 
3. Suspicious sender – often the address sending the email will not look right, or might try to mimic a well-known company address, perhaps with a few typos or extra characters. 
4. Typos – legitimate, professional emails, especially those concerning financial transactions, will be proofread carefully by the company sending them. Too many typos can be a sign of phishing. 
5. Suspicious web links – alongside attachments, phishing emails may include links that take you to harmful sites. These can often be made to look like legitimate links, so always be sure to hover over the link to see where it is taking you before clicking on it. 
6. Asking for information – phishing emails will often ask for information that no legitimate email would ask for, such as usernames or passwords. 

How to protect yourself from phishing 

1. Verify the sender – if you receive an email from a company regarding a payment that you’re not confident in, be sure to contact the company to verify this. You should contact them via a trusted number or email, rather than responding to the email directly. 
2. Don’t open URLs or suspicious attachments – don’t open attachments or links in an email you have doubts about. You can send it to ISG at isg@ucl.ac.uk for help determining if an attachment or link is malicious. 
3. Keep your computer’s operating system, antivirus and applications up to date – this will increase the chances of catching any malware if it gets on to the computer, and updating the operating system will reduce the number of vulnerabilities the malware will be able to exploit. 

Remember, staying safe online is a continuous process that requires ongoing vigilance – it is better to be safe and report any suspicious emails to ISG (isg@ucl.ac.uk) than to accidentally fall victim to a phishing email. 

In this age of digital work, it is easy to see the benefits of having recordings, especially for an educational institute such as UCL; it allows students to return to materials in their own time, researchers to keep records of any interviews, and lets staff save any meetings they find important. However, it is important to be aware of some of the security issues that come with recordings, so that you can get the most benefit out of them for the least amount of risk; we recently had some privacy concerns raised around the use of recordings. 

The heart of the issue were the worries that either a recording might go on too long and capture something personal when people have forgotten they’re being recorded, and the concern that someone might be able to see a recording of a private meeting. Consider a student discussing academic worries to their lecturer after a lecture whilst Lecturecast is still recording, or someone accidentally getting access to the full Teams recording of a disciplinary hearing when they were only meant to be witnesses. 

In light of these concerns, ISG would like to remind all staff, students, and lecturers the importance of ensuring that all recordings are used responsibly and securely. It is crucial to protect the privacy of our staff and students, and we hope that by remaining aware of these issues, we can avoid making any mistakes. 

To help reduce the likelihood of an incident happening, when you are recording for a lecture, make a habit to stop a recording immediately after the lecture has ended. Before having a conversation that may include sensitive information, try to find a more private spot to talk; if this is not possible, then make completely sure no recording is taking place. When recording a teams meeting, remember that everyone in the meeting will have access to the recording; if someone was only there for part of the meeting, and should not have access to the full recording, remember to remove them from the meeting chat before the end of the meeting so they won’t have access to the recording or the transcript. You should also check who has access to the recording, and make sure that only people who need access have it. 

We wish to remind all of the need to remain vigilant around the privacy of our staff and students – we hope by keeping these practices in mind, we can prevent any occurrences from happening. 

Recently, we have had seen a new kind of spam email being reported to us that is done over PayPal. These are messages from service@paypal.com (a legitimate PayPal address) but with a message about account activity that often involves large sums of money, telling you to phone a number if you do not recognise the activity. Here is an example of what this might look like: 

 

The name, number, amount of money and what the “purchase details” will change from request to request. However, despite coming from a real PayPal email address, the message itself will be a scam. The phone number will be the scammer’s number, who will then try to gather more information on you.  

Unfortunately, we can’t block these phishing attempts, as the phishing happens over the PayPal website. As such, please forward these emails on to phishing@paypal.com so they can investigate the account further. 

 

How to distinguish between a real PayPal request and a fraudulent one 

In general, if you receive an email from PayPal to your address that is not connected to a PayPal account, even if it comes from a legitimate PayPal address, this is almost certainly spam (unless you were expecting someone to request money from you). If your address is related to a PayPal account, you can still easily pick up on the signs that mark this out as a scam: notice how this is a money request from someone rather than a notification, and that it’s the person sending the request who has left the note. On top of that, you should always look up the phone number before phoning it back, and only phone the numbers on the PayPal website. 

When looking for software to download, it is important to remain aware of the threats that we might encounter. Today I’ll be talking about a type of threat that can quite easily trip up any user if they’re not paying attention: malware.

What is malware?

Malware (malicious software) is software designed to cause disruptions, steal passwords and data, explore your files, gain unauthorised access to systems and other behaviours an attacker wants.

There are various types of malware: for example, some of the most common ones are adware (that spams your searches with a great number of unsolicited adverts), viruses (which try to maliciously alter your files whilst spreading throughout your systems), and ransomware (which encrypts your data and holds it ransom). However, the important thing to know about malware is how to keep it off your systems. Malware is often used with the end goal of financial gain, although it can also be used for other reasons, such as the stealing of personal or corporate data or maybe something as simple as causing an annoyance.

How to choose the safest software?

In the media, hackers are often imagined spending hours looking for vulnerabilities in a computer system to exploit. However, most of the time the greatest vulnerabilities come from simply people making mistakes – often, these mistakes are easy to fix or prevent if you know what they are.

The simplest rule to remember is when you’re downloading and installing software, do so from the official vendor’s website and use the latest version. This will ensure the software has been patched and has not been tampered with. If an update is available for the software, make sure this is installed as soon as possible.

Make sure you’re downloading the correct software, too – if you’re trying to download Zoom, malicious actors might set up an app called “Zoon” to trick someone not paying close attention. One thing to look out for is SEO poisoning, where malware is hosted on a site that looks legitimate and is designed to be in the top few results – make sure you double check where even a top site is sending you. If you wish to make completely sure that a site is not malicious, scan the link in one of the sites listed here: https://decentsecurity.com/#/malware-web-and-phishing-investigation/.

The UCL Software Database (https://swdb.ucl.ac.uk/) offers legitimate copies of software available to staff and students. The availability tab for each software should indicate who it is available to, where you can access it from (for download on a personal device, available on Desktop@UCL Anywhere, teaching rooms, standalone devices, etc), if it is free to download or the purchase of a license is required. The download tab will show a link to the download as well as the system requirements and installation documentation.

If you are unsure about whether to use any software, contact ISG at isg@ucl.ac.uk to advise if it is safe before you download it.

How to avoid malware?

Here are some more general tips for avoiding malware across the internet

• Only open attachments or click on links in emails from people you know and if in doubt, contact them using an alternative method such as a phone number or an official contact email address and query if the email you’ve received is genuine.
• Another tip would be to hover over a link and check if the destination matches the one shown in the status (usually located at the bottom left of the browser window).
• Always check the extensions of the files you are opening, and make sure they line up with what you think you’re opening (don’t open a file you think is a PDF if it has a .html extension)
• Keep your operating system, antivirus software and applications up to date. This won’t necessarily stop the malware being downloaded, but could mean that they’re detected sooner, and the malware may not work if the vulnerability they are trying to exploit has already been fixed with an update. You can explore what antivirus UCL uses here: https://swdb.ucl.ac.uk/package/view/id/166?filter=f-secure.

How to detect malware?

Inevitably, mistakes are bound to happen, and no matter how careful you are, there is always a chance that malware will get on your machine. However, it is vital that you know how to detect and remove malware from your devices as soon as possible, otherwise it could develop into something more serious.

Often, you don’t need a technical solution to become suspicious that your computer might have malware – you might notice that:

• Your computer is running a lot slower than usual
• Ads and popups are showing up more than they used to, and in places they shouldn’t be (such as government websites)
• Your default home browser or default search engine has changed without you having changed it
• Your device won’t let you uninstall software

If any of these are the case, you might want to run an antivirus scan to check to see if there is any malware installed on your device and contact ISG.

How to remove malware?

If you have determined that your device is infected with malware, please do the following as soon as possible:

• Contact ISG immediately at isg@ucl.ac.uk or phone us at (0)20 7679 7338 so we can investigate further
• Do not log into anything online, including banking, online shopping, or any UCL related accounts, until your device is free of malware
• Run a scan on your device for malware and uninstall and delete any of the files or software that the scan has picked up as suspicious. Once this is done, you can restart your computer

Once you have done these, you should be free of malware. Remembering to keep your antivirus and operating system up to date and remaining vigilant can solve most malware problems.

It is week four and the last week of Cyber Security Awareness Month. This week is all about recognising and reporting phishing. There is also the last chance to win a £20 Amazon voucher.

Recognising and Reporting Phishing

Phishing emails are common these days and whilst email filtering does a good job of removing some if not most of them from our mailboxes, some will always get through. Chances are the ones that get through are the less easy ones to spot.

1. Stop Skimming and Start Studying

We receive so many emails that we tend to skim them rather than fully read them, but when we do this, we take unnecessary risks. There can be clues on both the surface and just below the surface of the message that can alert us to things that aren’t right.

What to look out for in a phishing email:

• “From” addresses, URLs, and embedded links can all masquerade as things they aren’t – Do not take these items at face value (even if a name, logo, or other identifiers seem familiar and safe). On your PC, hover over—or “mouse over”— these pieces of content and examine the info that appears (you will often see the true destination of a web address in the bottom left of your browser window). On mobile devices, use a “long press” or “long click” and review the information in the pop-up window. If there appears to be a mismatch between what you expected to see and what is actually presented, steer clear.
• The content or topic of a message might not be quite right or not fully relevant to you. Be on alert if the tone of an email from a colleague, friend, or relative seems inappropriate or just doesn’t “sound like” them. Likewise, be sure to question receipt of an invoice or shipping notification that doesn’t make sense based on your ordering history. Thoroughly read what is written; don’t just skim past details.
• Misspellings and poor grammar can be indicators that the email did not originate from a trusted source. This is particularly true with messages that appear to be from a well- known, well-established individual or organisation.
• In general, any unsolicited email—that is, any email that you were not explicitly expecting to receive—should be looked at carefully. But you should be particularly wary of any email that seems like it’s designed to trigger an emotional response— fear, surprise, excitement, concern—and that urges you to respond or act in some way (click a link, download a file, confirm/change a password, etc.).

2. Think It Through

After you read an email, take a moment to digest it. What you want to do is give yourself the space to act thoughtfully, rather than just reacting in the moment. Be particularly cautious with any email that requests a response or action that could compromise sensitive data, devices, or systems.

3. Verify, Verify, Verify!

It’s critical to remember that, with phishing scams, things are never what they seem. The reality is that a message can look and even sound legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that really be the process your IT department would follow?

• Instead of clicking on a link, open your web browser and type in a known, trusted URL and navigate to the site yourself.
• Instead of replying to an email or calling a number included in the message, do your own fact-finding. Use an email address or phone number that you are able to confirm.
• If you’ve received a questionable message from a colleague or friend, contact them via another channel (like a phone call or text message) to make sure they sent it.
• Reach out to the UCL Information Security Group for advice (and to alert them that there is a potential active phishing threat).

See these short videos on spotting warning signs and why reporting is so important from Proofpoint:
https://videos.proofpoint.com/watch/GnuQi2oR5zNfQcjcFE5Q8C
https://videos.proofpoint.com/watch/dt84c3omwjHeRAN7d8EV2T

 

Would you like to help UCL researchers improve cybersecurity training (and possibly win an iPad)?

On the topic of phishing, we are working with UCL researchers who are running an independent study on how to improve phishing detection. They need volunteers to take a few minutes of their time to help. Participation includes the chance to win an iPad. If you would like to take part in this study, please register your interest here: https://forms.office.com/r/7c7GeKZZ2y

 

Launch of CybSafe

Just to let you know that next week we will be launching CybSafe, our new mandatory information security training platform, to all staff.  CybSafe is a more immersive cyber security training tool which contains up-to-date training and a knowledgebase. It is an NCSC approved learning platform with short, engaging modules which should take no longer than 30 minutes to complete. If you have any questions on CybSafe please email isg@ucl.ac.uk.

Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is the new mandatory information security training platform called?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week Four.

Entries will only be accepted from UCL email addresses.

 

*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.

 

It is week three of Cyber Security Awareness Month and this week is all about updating outdated software. There is also another chance to win a £20 Amazon voucher.

 

Updating Outdated Software

It is really important to keep software up-to-date, outdated software exposes you and UCL to harm from malware and compromise.

Keep the following updated:

• Operating Systems
• Applications including browsers
• Plugins

You should also use up-to-date anti-virus software that updates itself regularly, most anti-virus software will update itself every hour.

Use automatic updates where you can so that updating your machine and software does not rely on you remembering to check and update everything. You should always check that your updates are happening as malware often turns your updates and anti-virus off.

Only get updates from the company that provides the operating system, application or plugin. It is easy for criminals to trick people into thinking they are updating their machine with a pop-up on a website or phishing email when in fact the user will just be downloading and installing malware. It is also worth mentioning that you should always use legitimate software and not pirated or unlicensed versions of software. You can end up unwittingly installing malware or making your research invalid from using unlicensed software. It just isn’t worth the risk.

 

See this short video on why software updates are important from Proofpoint:

https://share.vidyard.com/watch/vEF3qvdQ5KUCnuwqn5YP5q

 

Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is an example of something that needs to be kept up-to-date?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week Three.

Entries will only be accepted from UCL email addresses.

 

*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.

It is week two of Cyber Security Awareness Month and this week is all about using strong passwords and a password manager. There is also another opportunity to win an Amazon voucher.

Using Strong Passwords and a Password Manager

Password Security Tips

 

See these short videos on password security from Proofpoint:

https://share.vidyard.com/watch/qL2mFJUD3ktKHZP5W56mdz

https://share.vidyard.com/watch/LLbauNmNYiEfudfAfaeqHm

 

Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is an example of a password manager?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week Two.

Entries will only be accepted from UCL email addresses.

 

*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.

It is that time of year again, it’s Cyber Security Awareness Month! This year the topics will focus on how to stay safe online using four key behaviours:

• Enabling Multi-factor Authentication
• Using Strong Passwords and a Password Manager
• Updating Outdated Software
• Recognising and Reporting Phishing

We will be giving away Amazon vouchers again this year so read on to find out how you can win one!

Week One – Multi-factor Authentication (MFA)

It is always a good idea to use multi-factor authentication (MFA) when it is offered as an option on your account. MFA adds an extra layer of security, so for example, if your password was compromised, the attacker would not be able to gain access to your account.

"Always take advantage of MFA when it is offered"

MFA increases security by requiring two or more pieces of information during the authentication process:

• Something you know – like a password, PIN, or passphrase.
• Something you have – like a real-time, unique verification code. These authentication codes are usually generated by a mobile app or security token, or they are delivered to you via a text message.
• Something you are – like a fingerprint, iris scan, or voice pattern.

Why should you always opt for MFA:

• It’s easy to add – whilst you do need to take some action to enable MFA, it shouldn’t be difficult and most sites provide simple step-by-step instructions explaining when to expect an MFA prompt and how to complete a login.
• It’s easy to use – regardless of the technology behind the additional MFA factor(s), MFA add just a few seconds to your login process, and the extra seconds are worth it!
• It’s far more secure than a password alone – cyber criminals have access to billions of stolen usernames and passwords on underground forums. So what if the only thing standing in between a criminal and your data, finances, and files is a compromised password? MFA helps to limit the damage that can be done if an attacker steals (or buys) account credentials.

See these short videos on Multi-Factor Authentication from Proofpoint:
https://share.vidyard.com/watch/gWPufbGUD9NmPYaMnqjw2A
https://share.vidyard.com/watch/adCugSNMGNEsEEX9hV2s3a

Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is an example of two pieces of information that can be used for Multi-Factor Authentication?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week One.

Entries will only be accepted from UCL email addresses.

 

*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.

 

The mandatory Data Protection awareness training has proved to be effective over the past couple of years. UCL members are now more aware than ever, of the issues that data breaches can cause; but what are some of the most common causes of data breaches UCL members should look out for?

Data breaches are not only caused by someone acting maliciously. Verizon, one of the world’s largest IT solutions providers, found that more than 1 in 5 incidents resulted from a mistake made by a member of the organisation.

Within UCL the most common data breach incidents are caused by human error: usually involving personally identifiable information (PII) that been sent to the wrong recipient via email, or through the post or giving access to an unauthorised individual to information on IT systems.

In this blog piece I will discuss what UCL members should think about and do when sharing personal data via email.

It is everyone’s responsibility to adopt, maintain and follow information security and data protection best practices when processing information.

Avoiding Human Error When Sending Emails

 

When sharing personal information via emails, it is the responsibility of the sender to ensure the following:

• Ask yourself what type of information are you sharing? – Any personal or sensitive data should be shared in a secure manner.
• Who are the intended recipients? – Before sending the data, users are advised to exercise due diligence and double-check that the recipients ‘email addresses are correct.
• Are there multiple recipients? – When sending emails to multiple recipients, ask yourself whether the recipients are known to each other and whether their email addresses can be disclosed to the other recipients. If not, always use the “BCC” option in your email client which hides email addresses not the “CC” option. Recently the BBC reported that more than 250 people’s lives were put at risk after the MoD mistakenly disclosed email addresses containing names of individuals who were Afghan interpreters. The data breach occurred when the 250 individuals were “CC’d” in an email sent to them, instead of “BCC” meaning they could see each other’s personal information.

Some facts

Human error accounted for 88% of incidents reported to the Information Commissioner’s Office (ICO) in year 2017/2018.

During the 1st Quarter of Year 2021/2022, the Information Commissioner’s Office (ICO) received a total number of 405 data breach incident reports which were caused by emails being sent to the wrong recipients

Human errors leading to data breaches can cause serious reputational damage and financial implications to organisations. In 2016 the BBC reported that an NHS trust was fined £180,000 after a Sexual Health Centre leaked the details of almost 800 patients who had attended the clinic. The disclosure was caused by a human error when a member of staff emailed the patients, entering their email addresses in the “To” field instead of the “BCC” meaning their addresses were visible to all the other recipients.

References:                                                                                                                                                                                                                                         

DATA BREACH INVESTIGATIONS REPORT (Data Breach Investigations Report) Verizon Business. Data Breach Investigations Report. [online] Available at: https://www.verizon.com/business/en-gb/resources/reports/dbir/

AFGHANISTAN: MOD SHARED MORE THAN 250 AFGHAN INTERPRETERS’ DETAILS ON EMAIL: BBC News. 2021. Afghanistan: MoD shared more than 250 Afghan interpreters’ details on email. [online] Available at: https://www.bbc.co.uk/news/uk-58629592

INFORMATION COMMISSIONER’S OFFICE (ICO) (Previous reports, 2021) Ico.org.uk. Previous reports. [online] Available at: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/

INFORMATION COMMISSIONER’S OFFICE (ICO) ico.org.uk. [online] Available at: https://ico.org.uk/media/action-weve-taken/csvs/2620168/data-security-incident-trends-q1-202122.csv

NHS TRUST FINED FOR 56 DEAN STREET HIV STATUS LEAK (NHS trust fined for 56 Dean Street HIV status leak) BBC News. NHS trust fined for 56 Dean Street HIV status leak. [online] Available at: https://www.bbc.co.uk/news/technology-36247186