This episode talks about the COVID-19 related Phishing tactics.
After listening please visit National Cyber Security Centre, Action Fraud, Take Five and the West Midlands Cyber Protect Websites for more guidance on all things relating to online Security.
Please forward any Phishing emails you receive on to email@example.com and any text messages on to 7726.
Our hosts today were Patrick, a Detective and Cyber Protect officer for the West Midlands Regional Cyber Crime Unit (WMRCCU) part of the West Midlands Regional Organised Crime Unit (WMROCU) and Demi the WMRCCU as an intern taking a year out from her University Studies.
Also, a member of the WMRCCU is
To contact us please email us at firstname.lastname@example.org to signup for our newsletter please visit www.wmcyber.org/subscribe.
Hello and welcome to the Cyber Threat weekly. My name is Patrick and I'm a detective and cyber protect officer within the West Midlands Regional Cyber Crime Unit. I'm here today with my colleague Demi.
Hello and welcome. My name is Demi and I am an intern within the Regional Cyber Crime Unit.
Thank you Demi. You're a welcome addition. This podcast is running in conjunction with our newsletter, the Cyber Crime Sentinel. And if anybody listening to this is not on our distribution list, and we'd like to please feel free to contact us using the details in our show notes and we'll add you to our distribution list, you're more than welcome to do so if you want that. So I'll just say as we run in conjunction with our newsletter, we will be taking an item within the newsletter and elaborating further on it. So today we're going to be speaking about COVID scams and the sort of types of scams and the ways that they are perpetrated. And the reason why we're going to do this and I appreciate you may think, well, I've listened to all your old ones, and they're obviously one already covering these issues. I do think due to the current events, that I think it'd be an area that's worth revisiting. With all that said, we're going to go now to Demi and Demi is going to give us a bit more of an insight into the COVID scams,
The outbreak of COVID-19 as normally affected our day to day life and our health, but unfortunately is also provided cybercriminals with a topical and often convincing ruze that can aid them in deploying often believable phishing attacks that prey on people's curiosity, worry, good intentions or simple lack of knowledge. Phishing attacks can take many forms, most often emails, and in the case of coronavirus scams, they can be disguised as anything from Health and Safety advice to workplace emails to news updates, or even emails that claim to originate from big organisations such as the World Health Organisation.
These emails will often contain attachments and or links that when clicked can download a malicious software onto your device. Or in the case of recently seen false HMRC scams. A fraudulent email will lead the victim to a phishing site, where the victim is then asked to disclose personal details, perhaps to the promise of something like a tax rebate. Cybercriminals aim to make these attacks as believable as possible, and therefore may evolve these phishing attacks over time to be in line with current world events and news.
Thank you very much for that Demi. When you look at the history of phishing phishing actually started via letter, somebody would send a letter, and then you'd send a letter back and then it's in a letter, you'd have this letter conversation. Then the telephone come along, and then email which sadly, for this criminal activity made it even easier and more efficient for them.
I do want to also delve a little bit further into Phishing, it's approached in two ways, which is wide and narrow. And the reason why I say that is because there's five types of phishing, there's the overarching term phishing, whereby there's a massive number of emails sent out and then they just play the numbers game unfortunately, because sadly, it's likely somebody will click on a link or download an attachment or even reply and send money. Common tactics were ex member of royal family got loads of money when a park in your account, and I'll give you the interest oh but by the way, there's a fee involved. So I know people who probably would have heard about this.
There's four other types of Phishing believe it or not, there's the spear phishing emails, the whale phishing emails, SMishing and Vishing, but I'll go back to spear phishing.
Spear Phishing is where we've gone from the wide approach to the narrow approach, the email gets sent to an individual and is specifically intended for that individual. The aim is to entice them to download an attachment click on a link, and then to carry out further actions. The downloaded attachment could just be there to infect a network or a computer. Whereas the link could take you to a website which require further details about the individual receiving email. It makes sense that the person receiving it has got this email. So it's more likely they're going to click on a link or download an attachment.
Whale phishing is basically the same thing. But it tends to focus on an individual in an organisation, which has got either a high level of responsibility or more often is the case a high level, you could say rank within an organisation. so like the big bosses.
Smishing is again, we're coming away slightly from the conventional phishing attempts that is basically been sent a SMS text message and within that is a link and an enticement to click on the link and then provide information or purchase the PPE that is actually of no quality if it even turn up once you've paid for it,
And then vishing is voice solicitation. And that is where social engineering comes in, whereby people phone you up and extract either payment for something or information so that they can access payment, you could argue everything to do with phishing is very psychologically focused, you just have to bear in mind that a lot of the times we make a decision, the best case scenario is that it's largely based on logical thought it is that we've taken in that information, and we are making a logical decision. But sadly, a lot of the times we carry out an act, it is based on emotion. So somebody sadly phoned us up and being particularly nice to us and said, all the right things, unfortunately draws you in. So when they've been really nice to you paying you loads of compliments, it actually releases oxytocin in the brain, and it shuts down our logic sensors, and we become more emotionally driven. Generally, we are social creatures, social animals, and we are driven by our emotions, which is fine, but we need to at times, be logical and make decisions to carry out actions based on those logical thoughts.
So that's enough for me, I'm not going to continue much further, again, within the show notes, there will be lots of places you can visit to learn a lot more about what we've said in much more detail in your own time. At this point, I'm going to just check in with Demi, to see if she has anything further, she'd like to add.
Thanks Pat. I think a important thing to note is that the reason these attacks are so common is because a lot of the times they are convincing and can be quite successful. I think it's important to just remember that while the main thing right now might be COVID scams, that they are constantly are changing and evolving. And a lot of times it's just taken a step back from autopilot and thinking before you click on a link or attachment. I know myself got caught out in a phishing scam, because I thought I could trust it as it originated from a friend's email address. But they unfortunately had lost their email address when they they themselves fell victim to a phishing attack and lost their email address. So I think it's just important that we sometimes switch off autopilot and take a minute to consider if our actions could have larger consequences.
Thank you very much for that Demi. Thank you for sharing, because and you're quite right. Two things that I just like to add there is, please don't beat yourself up if you ever fall foul of such attacks, because they are so much more sophisticated than they used to be. It's not a criticism in the slightest within Demi's example there, it's important sadly, if you become aware that you've been subjected to this type of attack, it's actually worth letting people know, so that they can be aware that I've got to be a little bit more cautious when I receive an email from that person, because sadly, their account was targeted.
But also it reminds me of a campaign that was ran some time ago. It was Think before you Click and I think it's brilliant, because just have to think if you were a little bit frustrated with something or someone and you sat down even to send the email, the good thing to do with that is to save it in draft, go away, come back and then review and you probably feel a little happier and calmer. And that's the sort of thing, you get this sophisticated emails trying to say all buy now, or if you don't do today, it's going to it'll be gone to do it. Go on, do it, do it now, and it's just it's too much. Because we're only human, especially with the way lives are. So just think before you click just yeah, it's okay. If it's that good, and if it's right, is it totally out the blue, because that's quite common within emails, that it's completely out the blue and or it has some sense of urgency in it, and a threat of some sort, not a threat that you're going to be beaten up or anything like that, just that if you don't do this now, the worst case scenario is going to happen.
I definitely don't have anything further. One more check in with you Demi.
I think that's all for me, I think before you click is a good month to live by and similarly, if it's too good to be true usually is so if you've got someone wanting to send you money, it's probably worth taking a step back and reevaluate in the situation.
I couldn't agree more. So as I say, I'm gonna leave it there for now. Please be aware that in the shownotes there will be lots more links, like I mentioned earlier. Also in addition to the show notes, there will be contact details for ourself. If any organisation or any clubs, charities, anybody who's listening to this thinks they could benefit from a presentation of some sort with regards to cybersecurity and awareness on how to protect you prepare yourself and your businesses, please feel free to get in touch. Thank you very much for listening. Bye for now.