Know Your Fraud And Cybersecurity Risk - Fraud Awareness With Barclays Eagle Labs
Scams and fraud are not new. But as technology continues to advance, criminals are finding new ways to access your information and your money. Did you know that 4 out of 5 of the top causes of a data breach come down to human error? And among victims of fraud and scam criminals, only 4 out of 5 will report an incident to the proper authorities.
On Thursday 25th March the Digital Greenhouse hosted a session with Barclays Eagle Labs expert speakers, who shared their knowledge of the latest types of fraud and scams. The virtual event began with Emma Qualtrough, Fraud and AML Manager at Barclays IOM, taking us through some data points for the Channel Islands from the last few years and a deep dive into the warning signs of scams and fraud.
Fraud VS Scam - What does it mean for you?
Fraud
Where someone else accesses your accounts and takes your money without authorisation.
APP (Authorised Push Payment) Scam
Where the victim is duped into giving or sending their own money to someone else.
It falls to us to be vigilant against scams and fraud. These can appear frequently on our social media feeds as well as our emails, and phone lines. Some techniques include Facebook profile page cloning and fake prize-giving messages. Social media quizzes can also share personal information that can be used by a fraudster to steal your personal data and money.
If you think that your latest status update may be oversharing, then it probably is! After watching a video clip about the ease of gleaning dates, pet names and locations from our social media pages, it became clear how easily passwords can be guessed and used. Emma encouraged attendees to always be careful about what information they put up on social media, and to remember that tagging family members and geotagging locations can also be pieces of the puzzle when it comes to accessing your bank accounts.
The scammer's toolkit - The ease of Social Engineering
Social Engineering is the art of manipulating people so they give up confidential information. The best defence against these sorts of scams is identifying this kind of behaviour and acting accordingly. How do we spot it? The first thing an SES (Social Engineering Scammer) will try to do is create a sense of authority, because we tend to comply with a figure of authority rather than follow our own conscience. Behind this facade of authority, they will create a sense of consequence, because we fear losing money or possessions, or missing those 'once in a lifetime' chances.
An SES may pressure you with a time constraint to force you to comply. This false sense of urgency leads to poor decisions made under time pressure and in stressful situations. Would your colleague really email you at odd hours asking you to send those accounts to their personal email before tomorrow's important meeting? Probably not. In this specific case, you could call your colleague and ask them to verify their request. It is also advised that you should not send classified information to unprotected accounts such as personal email accounts. If you must, first verify the correct email address and encrypt the files you are sending across.
Finally, an SES may try to appeal to our vanity or greed, as we struggle to resist opening an email attachment that promises rewards, videos or funny cat pictures.
“Social Engineering is the most prolific and effective means of gaining access to secure systems containing sensitive information, yet requires minimal technical knowledge.”
CIFAS Fraud Prevention Agency
Top forms of Social Engineering scams provided by Barclays Eagle Labs
'Phishing emails' are mass untargeted emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website.
'Spear Phishing emails' are a targeted form of phishing, where an email is designed to look like it's from a person the recipient already knows and/or trusts. Fraudsters take the time to research their targets to add credibility.
'Whale Phishing/Whaling emails' are a hyper-targeted phishing attack aimed at senior executives, in which the email masquerades as a legitimate one. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform actions such as wire transfers of funds.
Best Practices to protect yourself from email scams:
- Remember that emails can be disguised, and email accounts hacked, by fraudsters.
- Do not click on links or attachments in unexpected emails.
- If you are unsure, contact the sender directly by a method other than email, e.g. by phone.
Vishing (Landline/Mobile phonecalls) and Smishing (Text Messages)
'Vishing' is phone calls or voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Best Practices to protect yourself from phone scams:
- Don't assume a caller is genuine because they know information about you.
- Remember that banks may call you, but they will NEVER ask for your PIN or password details, provide you with ANY account details to make a payment, ask you to change permission levels of who can access your account, or ask you to grant them remote access to your systems or PC, and they will NEVER ask you to move your money to a 'safe account'.
'Smishing' is text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
Best Practices to protect yourself from SMS scams:
- Do not click on links in texts unless you are 100% sure they are genuine.
- Do not call numbers contained in text messages; always call a known number, or the number on your bank statement or the back of your card.
- Ask yourself if the sender was really genuine: would they really contact you via text?
- Remember that even if the text has come from someone you trust, it could be from a compromised number. If in doubt, call that person on a separate phone line.
We then heard from the Barclays panel consisting of Emma Qualtrough, Fraud and AML Manager at Barclays IOM, Sharon Kinley, Fraud Analyst at Barclays IOM, Sian Davies, Fraud Analyst at Barclays Jersey and Matt Robilliard, Relationship Manager at Barclays Guernsey as they took questions from the attendees.
‘Is it a good precaution to look at the end of emails and websites rather than the beginning? Is it easier to falsify the end of an email address than the beginning?’
While this is good practice, it is better to look at the email address as a whole and look for mistakes. If it looks like an email address you know, go back to previous email chains with this person and compare the two, then call this person to see if it is genuine.
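One way to put this advice into practice, as an added example (not code from the event or from Barclays): a small Python check that compares a sender address against a list of known contacts after normalising common look-alike substitutions, so near-misses are flagged for a phone call rather than trusted on sight. The contact addresses and the confusable table are constructed for illustration.

```python
import unicodedata

# Constructed list of trusted contacts (hypothetical addresses, not from the event).
KNOWN_CONTACTS = ["emma.qualtrough@example-bank.com", "finance@example-supplier.co.uk"]

# Common substitutions used to make a look-alike address pass a quick glance.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(address: str) -> str:
    """Lowercase, drop accented/decorated characters, collapse look-alike substitutions."""
    text = unicodedata.normalize("NFKD", address).encode("ascii", "ignore").decode().lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(sender: str, contacts=KNOWN_CONTACTS, max_distance: int = 2):
    """Return (verdict, closest_contact).

    'known'     - exact match with a trusted contact (case-insensitive)
    'lookalike' - within max_distance edits of a contact after normalisation: verify by phone
    'unknown'   - not close to anyone on the list
    """
    s = normalise(sender)
    best = min(contacts, key=lambda c: edit_distance(s, normalise(c)))
    distance = edit_distance(s, normalise(best))
    if sender.lower() == best.lower():
        return "known", best
    if distance <= max_distance:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sample in ["ernma.qualtrough@example-bank.com", "finance@examp1e-supplier.co.uk"]:
        print(sample, "->", check_sender(sample))
```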
‘Is there a trick to know whether a call from a bank is genuine?’
No caller from a bank will get irritated if you ask who they are and to provide proof. Hang up the call and call the number back on your card or statement, sometimes from a different phone as fraudsters can hold the line for a period of time and you end up calling the same person. Ask the bank if you can talk to the person who just called you or verify them.
‘What’s your advice for preventing data gathering methods such as line tapping, as we are working from home and that environment is not as safe as the office?’
Employers have a duty to provide a secure method of communication. They will often provide a way of making calls through your work device rather than your home line or mobile phone. Remember to be careful to not disclose important information over the phone or video calls in areas that are not private.
‘Are these free online Password managers safe to use?’
Control of these sites can't be protected through the bank, as it is the company's responsibility. It could always potentially be a way in for fraudsters, especially if it is a free service. You should consider doing some extra research and paying for a better edition to keep your personal information safe, rather than trying to find free alternatives. For mobile phones, you need to keep updating your system software (such as iOS) to keep your device protected.
‘If I have clicked on a text message or email link is there anything I can do straight away to mitigate the problem?’
Call your bank; they can take steps to protect your account. If a payment has been made, then they have a better chance of stopping it; the next steps would be contacting the police/fraud aware or your email provider. Change your email password straight away and, if you haven't got some already, purchase some anti-virus software.