Genuine privacy is an issue organisations and individuals struggle with on a daily basis.
The ability to sign in or share your information from the comfort of your home can make it difficult to recognise online threats. Organisations need to regularly review the threat landscape and, through routinely assessing the risks, implement appropriate technical and organisational measures to ensure access to their employees’ and clients’ personal data is protected from unauthorised access.
What scams might fraudsters exploit?
Scammers will use every opportunity to capitalise on a situation, not stopping short of exploiting national tragedies, scandals, and crises. During the Covid-19 pandemic, people were targeted with fraudulent messages about early eligibility for booking vaccination appointments or ordering test kits following close contact notifications. At a time when we are all anxious and uncertain about the Cost of Living crisis, the threat of falling victim to an unanticipated scam is real. We have put together our thoughts on some of the scams fraudsters may try.
Refunds from energy companies
Ofgem, the UK’s energy regulator, recently increased the energy price cap, affecting more than 22 million customers. Already, criminals posing as energy companies have sent false messages promising consumers a large energy refund in return for clicking on a link and submitting their financial information. As many consumers will struggle to find a cheaper tariff with another energy supplier, we expect to see more of these scams in the form of phishing websites, online adverts, or unsolicited email or text messages offering a refund, a rebate, or a deal that is too good to be true.
Government rebate applications or missed payments
The government have begun issuing Cost of Living Payments to support eligible households with the increase in bills. This applies only to those who receive disability benefits, low-income benefits, or tax credits. Consumers may be unaware of the eligibility criteria or think they need to apply for this rebate as with the £150 council tax rebate earlier this year. Scammers may invite consumers to apply for the rebate or request ‘corrected’ information to resolve an issue or a missed payment.
Bank transaction issues
Scammers impersonating a bank tend to call about an urgent issue, such as suspicious activity on the customer’s account, and tell the customer to transfer funds into a separate account. With the rise in costs, we may see more fraudulent banking calls urging people to pay a fine for missed payments or to provide their banking information to ‘unblock’ their account.
In the UK, the Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications, making it illegal for organisations to contact individuals with marketing messages without their permission. Organisations can rely on an exemption in some circumstances, but people should take extra care with unsolicited messages from organisations they have never had any dealings with.
How can individuals protect themselves?
Once in possession of someone’s personal or financial information, criminals can use it to access online accounts and impersonate the individual in numerous ways. The immediate effects of this can include emotional distress and financial loss, but over time it can have an impact on their credit score and ability to access financial services like a loan or mortgage. Here are a few ways in which individuals can remain vigilant and protect themselves:
Good password management
Use strong, unique passwords and do not reuse them anywhere else. This matters because criminals use automated tools to try a person’s stolen credentials against many other accounts. Follow your organisation’s password policy for work accounts and apply the same rules to your personal accounts as good practice.
Clean up your digital footprint
Deleting online accounts that are no longer needed limits the risk that the data could be misused. Individuals have the ‘Right to Erasure’ under the UK GDPR and can request that companies in possession of their information delete it.
Email and caller ID spoofing awareness
Many phones display the caller’s number before you answer, known as ‘caller ID.’ Nuisance callers and criminals can deliberately change the caller ID, a practice known as ‘spoofing,’ in order to pretend they are someone else. Similarly, they can change the display name of an email so that a message from joebloggs@domain.com appears to come from ‘Jane Doe.’
Know what genuine messages look like
Banks, utility companies and other major organisations that are likely to be impersonated by fraudsters provide clear information about the things you can look for to see whether a communication is genuine. This information is usually found in their communications and on their websites.
How can you protect your business?
Business email addresses and work phones are also targeted. Phishing remains one of the biggest threats to businesses and can result in a personal data breach. However, with the right controls in place and regular monitoring of the associated risks, your organisation can stay on top of current threats:
Effective information security and privacy training and awareness.
Increase and maintain employee awareness of phishing and personal data breaches, including being transparent about what the current threats are and what to do if they encounter one. You can test the effectiveness of your training, procedures, and incident response plan by conducting spot checks and simulation activities (e.g., phishing campaigns). Combined, this is the best defence against phishing attacks.
Review the data you hold.
Conduct periodic reviews to ensure your organisation only processes the personal data it needs, stores it only for as long as it is needed, and deletes it appropriately. This not only maintains the quality of data but also helps you to comply with the Data Minimisation and Storage Limitation principles of the UK GDPR. It leaves your business, as well as the individuals concerned, less exposed to risk in the event of a data breach.
Successful acceptable use policy.
Employees should know and follow the rules that govern how systems, networks, and devices are to be used, for instance prohibiting personal use and requiring appropriate encryption when storing or sending personal data. This doesn’t prevent spam and phishing, but it does reduce the opportunities for phishing attempts to succeed.
Meet the Cyber Essentials standard.
This includes keeping software up to date with the latest patches, and implementing strong VPNs and Web Application Firewalls to filter and monitor harmful traffic between web applications and the internet.
If you would like advice and guidance on protecting your business from fraud then speak to Gemserv today.