Tag: security

Which?: Some banks leaving customers exposed to scammers

Some banks can and should be doing more to protect their customers from criminals trying to steal sensitive information, Which? research has found. 

With the last year seeing an increase in scams, many consumers will expect that the companies they deal with in their everyday lives are doing everything they can to protect them.

However, a new Which? investigation has found that some banks are failing to use all the tools available to them to combat scammers, leaving weaknesses in their security systems that scammers could exploit. 

The consumer champion looked into what protections banks were putting in place to protect their customers from receiving fraudulent emails, SMS messages and phone calls.

These so-called phishing attacks are worryingly common. Scammers send legitimate-looking messages that are designed to tempt people into divulging sensitive information, such as bank account details, usernames or passwords.

Phishing scams may try to imitate (or ‘spoof’) banks’ genuine email addresses or domains, sometimes by making slight changes – for instance, by changing ‘.co.uk’ to ‘.com’. 

Banks should be implementing a system that protects web addresses they own or use – known as ‘domain-based message authentication, reporting and conformance’ (DMARC) – to prevent spoofing attacks.

Banks can use DMARC to tell email providers how to handle the unauthorised use of their domains. 

The process of introducing DMARC is frequently done gradually: by initially setting records to ‘none’ (a monitoring phase where no action is taken if DMARC checks fail) before working towards ‘quarantine’ (which moves emails to junk/spam if they fail the checks) and ultimately, a policy of ‘reject’ (which blocks all emails that fail the checks). 

When Which? asked security experts at technology company 6point6 in April to check whether banks offered this protection, some banks were falling short. 

At the time of the investigation, the Bank of Ireland and Agricultural Mortgage Corporation – a wholly owned subsidiary of Lloyds Banking Group – had not yet introduced DMARC.

This could have allowed scammers to forge their email address and send messages that would appear indistinguishable from genuine ones from their bank. Both have since taken action to resolve this. 

The investigation also found that Nationwide, TSB and Virgin Money – nationwide.co.uk, tsb.co.uk and virginmoney.com, respectively – had not set their policies to ‘reject’ all emails that fail DMARC checks. TSB and Virgin Money told the consumer champion that they are working towards this. 

Nationwide said it has security features to protect against spoofing and will ‘look at ways to improve email security, including future enhancements to DMARC security.’ 

The investigation also uncovered that The Co-operative Bank, First Direct, Starling and Tesco Bank had no DMARC system in place for their alternative domains, but did for their primary domains.  

Although The Co-operative Bank has protected its ‘co-operativebank.co.uk’ email address, there are no DMARC records for ‘co-operative.co.uk’ and ‘coop.co.uk’ – two domains that are owned by The Co-operative Group, a separate company not associated with the bank – making them vulnerable to scammers who could pose as The Co-operative Bank using alternative email addresses. 

Since the investigation, Starling and Tesco Bank have now applied DMARC to alternative domains, starlingbank.co.uk and tescobank.co.uk, respectively.

First Direct and The Co-operative Bank told Which? they are reviewing the inclusion of their alternative domains – firstdirect.co.uk and co-operativebank.com – within their existing DMARC policies.

While banks are further ahead than other industries when it comes to implementing DMARC, Which? believes that it is often too hard for customers to tell the difference between a phishing email and genuine communication from banks due to inconsistent practices across the industry. 

This is particularly concerning amid a worrying culture of banks blaming victims for falling for scammers’ tricks, despite their heightened sophistication. This means people often face a lottery to get their money reimbursed under the industry’s voluntary bank transfer scams code.

Which? is calling for all banks to implement DMARC and configure it correctly, setting their policies to ‘reject’, meaning email providers should block any emails that fail these checks. 

Banks should also be clamping down on number spoofing, which involves scammers manipulating caller IDs to mimic the phone numbers of legitimate organisations. To tackle this, Ofcom worked with the banking industry body UK Finance to identify a list of ‘do not originate’ (DNO) numbers – numbers that are never used for outbound calls. 

Most banks had signed up to the scheme at the time of the investigation, apart from The Co-operative Bank and Nationwide – although both have since told Which? they plan to join.

Banks can also protect their SMS headers – the name or number a text message appears to come from – against spoofing by registering with the SMS SenderID Protection Registry run by the Mobile Ecosystem Forum. 

The consumer champion believes that if banks did not include weblinks or phone numbers in their official SMS communications – sensitive information that is prone to spoofing – consumers could feel more secure and be able to spot scams more easily. 

Which? is working on a best practice guide for businesses to help raise standards of SMS communications and bring greater consistency to how they protect consumers. 

Jenny Ross, Which? Money Editor, said: “It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked – so it is crucial that banks take every measure to protect their customers from these devastating scams. 

“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”

Bike marking events this weekend

Police Scotland’s North West Community Team are holding two free bike marking events this weekend.

Saturday 5 June: Victoria Park, Trinity from 11am – 2pm.

Sunday 6 June: St. Margaret’s Park, Corstorphine from 11am – 3pm.

#PedalProtect

#BikeRegister

Police issue advice on shed security

Break-ins to garden sheds, garages and thefts from gardens are common throughout the country. In fact, many criminals consider this type of crime to be low risk, as they don’t have to force entry to your home.

Many people store bikes, power tools and expensive gardening equipment in their sheds making it very attractive to criminals.

The good news is that there is a lot you can do to outsmart garden thieves. A few simple solutions can make all the difference to the security of your garden:

• Make sure the lock is in good working order. Fit a mortise lock (BS3621:2007) and/or use a good quality closed shackle padlock on your shed door. The hasp should be attached using coach bolts or anti tamper screws rather than basic screws.

• If there are any windows in the garage/shed, fit a grill, adhesive frosting or put a curtain over the window, so that people cannot see in.

• Fit a shed alarm. These can be bought online for around £10.

• Secure all the equipment including bicycles that you can by padlock and chain, make sure it is attached to the building – a ground anchor is preferable.

• Security mark your bicycles, lawnmowers, toolboxes and garden furniture, by engraving, painting or using a DNA security marker kit and register these. Available online.

• Consider installing a garage defender, which secures the door to the ground.• Surrounding hedges or trees should be trimmed or cropped so as not to provide cover for thieves.

• Clear your garden all of debris, rubble and tools that may be used to force entry.

• Install security lighting to illuminate your garden.• Consider topping your fence or wall with a trellis, which will provide an additional barrier and provide support for climbing plants.

• Aggressive plants and shrubs, such as Berberis and Hawthorn can help deter intruders.

• Sign up to local alerts provided by Police at; https://www.neighbourhoodwatchscotland.co.uk/

• If purchasing security products look for items endorsed with the Sold Secure or Secured by Design logo.

If you see anyone acting suspiciously near to your premises please contact the police immediately with as detailed a description as possible of any person or vehicle involved.

Please call 999 if an emergency and urgent police assistance is required or 101 if not urgent to report the matter to the police.

Further advice also available at https://www.scotland.police.uk/keep-safe/home-and-personal-property/secure-your-garden-outbuildings/ and www.securedbydesign.com

Police advice for business owners

Image may contain: one or more people and text

Advice for Business Owners

#COVID19 has had an unprecedented effect on public health and the way we now socially interact. This has had a significant impact on the commercial sector.We would like to share some general crime prevention advice that may help and assist you during what is an uncertain time for all businesses.

The impact on business will vary and will naturally be defined by your business location, size, customer base, products and services offered, criminality in the area, and your existing levels of security.

If your staff fall victim to an assault or witness violence in your premises:

  • Try to remain calm and think of your safety and that of others.
  • If the perpetrator has left the premises, record accurate descriptions, including any vehicles used, and report this to the police as soon as possible.
  • Trust your instincts and maximise distance between yourself, customers, colleagues and any aggressive parties.
  • Use panic alarms if it is appropriate to do so. If there is a panic alarm installed use it, but only when safe to do so.
  • Consider the use of body worn video technology to capture evidence and positive impact the behaviour of those involved in violence on your premises.
  • Closed Premises/Venues that have been temporarily shut:
  • Test your intruder alarm, ensure it is working and fully operational.
  • Identify any vulnerable areas and rectify this if required.
  • Ensure security gates, bollards and fire exit doors have been secured prior to closure of the premises.
  • Ensure service doors are closed and locked when not in use.
  • Make sure you have list of key holders who can be contacted in times of emergency and ensure your contact details for staff are up to date.
  • Consider moving high value items into secured stockrooms and/or out of view.
  • Ensure keys to the premises or other venues are not left inside and are instead with dedicated key holders.
  • Consider timer switches or ensure sufficient lighting is left on at the premises/surrounding area.
  • Ensure there are no combustible materials left in the proximity of the building such as packaging – consider the risk of fire.
  • Review your CCTV to confirm it is operational, provides good quality images, and is positioned to cover as much of the building’s public and private areas as possible.
  • Ensure that no cash or valuables are retained on the premises overnight and leave a note indicating this on the door or window of your premises. If having to retain cash on site then do so using a security accredited safe bolted or ‘ground anchored’ to the floor.
Physical Protective Measures:
  • Use security rated products where possible. You can find information on a variety of police approved crime prevention products at www.securedbydesign.com
  • External shutters and grilles are recommended but some buildings may be subject to local authority planning approval before installation.
  • Ensure all doors leading from public to staff, service, and loading areas are kept secure and monitored.
  • Consider installation of laminated glass or apply security film to existing glass to make your windows more resistant to physical attack.
  • An insurance rated safe should be bolted to the floor. Anti-tamper sensors can be fitted to set off an alarm if attacked.
  • Anti-ram security tested (retractable) bollards can be mounted externally to protect frontages but may require local authority planning approval.
  • Consider use of anti-theft alarms on most desirable household items.
  • Fogging devices that activate as a result of an intruder activation may also be beneficial – you can’t steal what you can’t see.
Large gatherings/Queuing:
  • Premises should be adequately staffed with prominent management present who can make decisions or be identifiable to emergency services.
  • Consider an allocation system or queuing to provide items that are provided on a limited basis – or possible keeping these off shop floor for collection.
  • “Meet and Greets” on main entrances provide reassurance, customer care and can be a subliminal message to any prospective thieves.
  • Where possible SIA licensed security officers should have a visible presence on the premises in strategic areas.
  • All prominent / desirable household item areas should have a member of staff regulating them and depending on your risk assessment, consideration given to deploying security (or trained staff) into these areas.
  • Reassurance to customers, some of whom may be anxious, is key to reduce anti-social behaviour. Ensure that all staff are fully briefed each day, on emergency procedures and working practices.
  • All staff should remain vigilant and report any violence or suspicious activity to the police.
  • Consider minimising the number of entry points to your building in concert with fire exits.
  • Ensure building perimeters are clear of any debris, dustbins, ladders or loose tools and equipment that could be used to assist or force entry.
  • Check that your emergency equipment/grab bags, first aid supplies and radio communication systems are well equipped, maintained, and fully operational.
  • Check and test your building security and emergency systems regularly.
For further advice contact your local police station, local Crime Prevention Officer at EdinburghPreventandIntervent@Scotland.pnn.police.uk, or visit our website at www.scotland.police.uk

Edinburgh businesses warned of threats to vacant premises

EMPTY workplaces across Scotland are being seen as potential easy targets for thieves and vandals looking to commit crime.

The warning comes following a spate of attacks on premises across the country, suggesting criminals are keen to exploit the current COVID-19 lockdown which is leaving most commercial premises empty for extended periods – and a lack of potential witnesses on the streets.

Experts across policing, fire and rescue and the security sector are coming together to help advise businesses of the risks and dangers, via an upcoming free webinar as part of a timely series launched by the Scottish Business Resilience Centre (SBRC) at the outset of the COVID-19 response.

David MacCrimmon is seconded to SBRC from Police Scotland, as its lead for serious and organised crime and counter terrorism and will be available to speak with concerned business owners and keyholders at the session, which takes place on Thursday 16 April at 10am.

He said: “With most of us stranded in our homes, the clear and obvious place that burglars, arsonists and vandals will sadly be looking to will be our empty offices, clubs, bars and shops.

This could range from a one-off break in to steal alcohol from a bar, to an organised effort to steal valuable assets.

But businesses can limit their exposure to the risk – and there are reasonable steps they can still be taking to protect their premises while sticking to lockdown advice. This webinar will give us a chance to fully explain some of those options and for those that sign up to ask questions.”

Like previous webinars in the series, Thursday’s will see SBRC draw on its widespread expertise alongside leading industry names, to provide guidance to business owners concerned about the wide-ranging implications of the COVID-19 pandemic.

As part of its advice, the upcoming session will cover tips on what to remove from the premises, what to leave in windows, as well as how and when to safely visit.

Gary Wood, a Watch Commander with Scottish Fire and Rescue Service seconded to SBRC, will also lead a discussion on fire and safety risks – with simple tips that can be followed. He said: “With many businesses temporarily closed due to the current Government restrictions on Covid-19, premises may now be unoccupied.

Fire does not discriminate and can strike at any time including periods of unprecedented situations such as the global pandemic we currently face. But with a number of straightforward steps, it is possible to appropriately manage fire risk within your temporarily vacant premises.

The watchwords are ‘Protect the building – Protect the business’. There can be a link between fire risk and criminality in terms of the risk of wilful fire raising.

This webinar will focus on practical guidance and advice that business owners and managers can use to mitigate those fire risks”

Further expertise will be provided by Ronnie Megaughin, Regional Manager for Scotland and Northern Ireland with the Security Industry Authority and Allan Burnett QPM, Operations Director with SecuriGroup.

During its first week, the SBRC provided advice to more than 600 business people across areas from cyber security to the legal implications of COVID-19. So far the dedicated webinars have been viewed by more than 1250 individuals.

To register for the session on vacant properties, please register here: https://bit.ly/3efzHkJ

To watch previous webinars, please visit: https://www.sbrcentre.co.uk/news/

The SBRC is a non-profit organisation which exists to support and help protect Scottish Businesses.

To ensure Scotland remains a safe place to live, work and do business, SBRC will be regularly sharing COVID-19 developments and advice from Scottish Government, its partners and members as they happen.

SBRC maintains a unique connection to Police Scotland, Scottish Fire and Rescue Service and Scottish Government, which gives the organisation exclusive access to the latest information to advise citizens and businesses how to interact safely.

Employers can also reach SBRC by emailing enquiries@sbrcentre.co.uk.

Shopping: stay safe online

Some security advice to help protect British shoppers against cyber-crime has been released as we head online for the basics:

Internet shopping specialists from NetVoucherCodes.co.uk have revealed their 13 top tips to help UK consumers stay safe when shopping on the web in the wake of the coronavirus pandemic.

From using a credit card and keeping software up to date, to writing down complicated passwords and making up answers to security questions, online shoppers could avoid becoming a cyber criminal’s next victim by following the guidance.

A spokesperson for NetVoucherCodes.co.uk said: “With more and more Britons heading online to shop for the essentials, it’s important to take online security even more seriously.

“Browsing the web can be a security minefield for consumers – a computer virus, hacker or fraud could be just one click away.

“So to help Brits shop online with greater peace of mind, we’ve revealed the different measures you can take to stay safe when buying something on the internet.”

Here is the NetVoucherCodes.co.uk advice:

1. Use a credit card

If you purchase online using a debit card and it turns out to be a scam there’s usually no way to retrieve your money, but fraudulent charges must be reimbursed by credit card companies.

Check your statements regularly, just in case a purchase you didn’t make gets through the card provider’s safety net and you need to dispute it. This could also help if a purchase is shows up different to what you ordered, damaged or doesn’t arrive at all.

2. Make up security answers

When creating an account with online shopping sites, you might be asked to set up password reset security questions to confirm your identity.

Rather than entering the real town you were born in or mother’s maiden name, enter false answers and write them down if you can’t remember. This makes it much harder for cyber criminals who might be trying to gather information on you.

3. Only fill out required fields

 Don’t offer up any more personal information that is necessary to complete an online purchase.

The required fields are usually starred or highlighted when checking out – it’s usually wise to leave the rest blank.

4. Never save information 

Allowing even the most reputable of websites to store your payment or address information is unnecessary.

Don’t say yes when your browser suggests saving any passwords either and always log out when you’ve finished shopping.

5. Change passwords often

 Regularly change between complicated, hard to guess, alphanumeric passwords that also contain symbols, even if you have to write them all down somewhere secure at home. Keep them different for each site you use too.

Using the same, simple but memorable password for every website for years, such as a pet’s name, is asking for trouble when online shopping.

6. Look for security indicators

A web address (or URL) that begins with ‘HTTPS’ are secure – those without the ‘S’, ‘HTTP’, may not be.

Other signs of shopping site security to look out for could include a closed padlock or complete key, possibly green, alongside the URL, next to the search bar or elsewhere around the screen. 

7. Avoid public Wi-Fi

 Entering personal information such as credit card details, passwords or home address while using free public Wi-Fi hotspots is dangerous as your data won’t be protected by encryption and could vulnerable to hackers.

8. Update your computer

Using an older version of a popular internet browser, operating system or anti-virus software on your computer means that you’ll be missing out on important security updates, which could leave you exposed when browsing the web.

9. Be extra careful on mobiles 

Most mobile phones won’t have the same level of anti-virus protection as laptop or desktop computers so extra vigilance is required, particularly around shortened mobile-friendly URLs.

Mobile devices are also more likely to be stolen, so make sure any payment details are passcode or fingerprint protected.

10. Avoid email links

 Rather than clicking on potentially suspect links to shopping sites that you see on social media, other websites or in emails, search for the website yourself.

This helps to make sure you browse the authentic site. If you’re getting a lot of spam emails, consider setting up a dedicated online shopping only email address.

11. Leave badly designed websites

If a shopping site appears to be out of date, has a strange URL, comes with lots of pop ups, or is dominated by cheap, irrelevant or overseas adverts, the page could be dodgy and worth exiting before it’s too late.

12. Research and read reviews

When considering spending on a new site that you haven’t used before, it can be useful to browse forums and social media to see what experience others have had of shopping there.

If you can find a real physical address and verifiable contact details for the company you intend to make a purchase from, they’re probably legitimate. 

13. Trust your instincts

 Just as you would when shopping on the high street, if you feel like a website is requesting too much personal information or could harm your computer with viruses, close it.

If in any doubt, stick to shopping with sites you know and trust.

Remember, if a deal looks too good to be true, it probably is.

Which? – Coronavirus email and text phishing scams

Phishing and smishing emails and SMS messages are already being sent out to trap the unwary into giving up login details.

One we’ve seen is an email that claims to come from the World Health Organization. It’s short and sweet, asking that you click on a link to what it says is a PDF offering advice on how to stay safe during the outbreak.

Security firm Sophos has a detailed breakdown of what happens if you click on that link, but broadly it shows you a pop-up in front of what looks like the WHO’s actual website asking you to input your email address and password so that you can receive the non-existent PDF.

Other phishing emails and SMS messages (known as ‘smishing’ texts) are also doing the rounds: Action Fraud has warned that emails purporting to be from organisations including the US Centers for Disease Control and the WHO are being sent with the aim of tricking you into opening malicious attachments or giving away your passwords.

The latest email and text phishing scams:

Fake lockdown fines

People have been warned not to fall for a bogus text message saying they have been fined for stepping outside during the coronavirus lockdown. The scam message claims to be from the Government, telling the recipient their movements have been monitored through their phone and they must pay a fine or face a more severe penalty.

HMRC goodwill payment 

The MET police are warning of a fake message designed to steal your account details that says ‘As part of the NHS promise to battle the COV-19 virus, HMRC has issued a payment of £258 as a goodwill payment’.

Free school meals 

The Department for Education has issued warnings about a scam email designed to steal your bank details saying: ‘As schools will be closing, if you’re entitled to free school meals, please send your bank details and we’ll make sure you’re supported.’

Conspiracy theories and misinformation

Another email we’ve seen is full of doom-laden warnings that ‘There is no vaccine for coronavirus’ and that ‘the US government, like the Chinese government, isn’t telling us the truth about how many are infected’. That email is full of links. While we’ve only seen screenshots of this, it seems likely that these links will lead you to either phishing sites or, worse, sites that can infect your computer with malware.

Sophos has also reported on emails that – for now – are targeting Italian email addresses and which include a Word document that purports to offer guidelines for preventing infection, but which in fact harbours a malicious script that infects Windows computers with a banking Trojan, i.e. malware that aims to steal online banking credentials.

So watch out for emails that include attachments.

Read the Which? guide on how to spot a phishing scam for more information:

Read more: https://www.which.co.uk/news/2020/03/coronavirus-scams-how-to-spot-them-and-stop-them/

 

Safer Business Stronger Scotland campaign urges businesses in Edinburgh to safeguard their future

BUSINESSES of all sizes in Edinburgh are being encouraged to act now to keep their workplaces safe as part of a pioneering campaign launched this week by the Scottish Business Resilience Centre (SBRC) with support from Police Scotland and Scottish Fire and Rescue Service.  Continue reading Safer Business Stronger Scotland campaign urges businesses in Edinburgh to safeguard their future