10 smartphone security tips

As a result, should your smartphone fall into the wrong hands, it is a potential treasure trove of information and, therefore, a potential cyber security risk.

If you download a rogue app, click on a malicious link in an email or visit a dubious website, it’s even possible for hackers to hijack your phone without it leaving your side.

Here are 10 smartphone security tips to help keep you and your device safe and secure.

1. Guard your smartphone and make use of security settings

Treat your phone as carefully as you would your bank cards. Take care when using your phone in public, and don’t let it out of your possession. Thieves can quickly rack up huge bills on stolen phones, and you may be liable for all charges run up on your phone before you have reported it lost or stolen to your provider. To help prevent this from happening, protect your phone against unauthorised use by setting up a PIN, password or biometrics-based security for your lock screen via your device’s settings.

2. Take precautions in case your phone is lost or stolen

Make a record of your phone’s IMEI number, as well as the make and model number. The IMEI is a unique 15-digit serial number which you will need to give to your mobile operator to have your phone blocked. You can check your IMEI number by ‘dialling’ *#06# in your calls app (device information is displayed on-screen, rather than making an actual call). These details are also noted on a phone’s original packaging.
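A small check worth running on the IMEI you write down: the 15th digit is a Luhn check digit computed over the first 14, so a transcription error is usually detectable before you ever need to quote the number to your operator. The script below is an added example, not part of the original article; the IMEI it tests is a widely published sample value, not a real handset.

```python
"""Sanity-check a recorded IMEI (added example, not from the article).

An IMEI is 14 digits (type allocation code plus serial) followed by a Luhn
check digit. Validating it catches the common mis-typed or transposed digit.
"""


def imei_is_valid(imei: str) -> bool:
    """Return True if `imei` has 15 digits and a correct Luhn check digit.

    Separators such as spaces or dashes are ignored, so the value can be
    pasted exactly as it is printed on the box or shown by *#06#.
    """
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        return False
    total = 0
    # Walk from the right: the check digit itself is not doubled, every
    # second digit after it is doubled and, if that gives two digits, the
    # two digits are summed (equivalently, 9 is subtracted).
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    # Constructed inputs: a published sample IMEI and the same value with
    # its last digit altered, as a typo would.
    for sample in ("49-015420-323751-8", "490154203237519"):
        print(sample, "valid" if imei_is_valid(sample) else "INVALID")
```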

Consider making your phone less useful to potential thieves by barring calls to international numbers and premium rate lines, if you never use them. Some mobile insurance policies, or any other policies that may cover the phone, could provide limited cover for unauthorised use. It’s worth checking the terms and conditions of your existing policy, and when considering a new policy.

The national Mobile Phone Crime Unit’s Immobilise database is a free registration service that assists the police in reuniting owners with their stolen smartphones. For further details and contacts for different operators, see Ofcom’s Lost or Stolen Phone Guide.

3. Don’t override your smartphone’s security settings

It is not advisable to attempt to ‘crack’, ‘jailbreak’ or ‘root’ your smartphone or tablet. This is a process people use to remove restrictions placed on their device’s operating system by the phone manufacturer. Doing so carries considerable risks: it compromises the security of your device and may leave you more vulnerable to malicious software. It is also likely to invalidate your manufacturer’s warranty.

4. Back up and secure your data

Smartphones offer the option to back up your data to the cloud and/or a personal computer, so that you don’t lose data if your phone goes astray. Check for information on how to do this in the phone’s manual.

5. Install apps from trusted sources only

Apps are the easiest way for someone to hack into your phone. Sometimes hackers will take a popular paid-for app, add their own illegitimate elements and then offer it for free on ‘bulletin boards’, ‘peer-to-peer’ networks or through fake online stores. Once the rogue app has been downloaded to your phone, the hacker can potentially take control of the handset, incur charges via premium SMS without your permission, make calls, send and intercept SMS and voicemail messages, or browse and download online content. You may not be aware anything is wrong until it’s too late. Only download apps from official stores (e.g. App Store, Google Play), and exercise care – research the app and check reviews.

6. Use antivirus software

It’s not just rogue apps which pose a threat to your smartphone’s security. Viruses and spyware can also be downloaded from websites, or by connecting your device to an infected computer. Some phones may be more vulnerable than others, but you can check for antivirus software in a reputable app store. Also, before connecting your device to a computer, ensure it has the latest antivirus/antispyware and firewall installed and running.

7. Use software to find your phone or erase its data if it goes missing

This software is typically installed by default on most smartphones, allowing you to log in to a website or an app on another device to track your phone and take action. Examples include Apple’s Find My app and Google’s Find My Device for Android.

8. Clear your phone before you dispense with it

If you decide to donate, resell or recycle your smartphone, remember to erase any data on it first. Remove and erase any media cards and perform a full or ‘factory’ reset by going into the Settings menu.

9. Accept updates and patches

From time to time, you’ll be prompted on screen to update your operating system. App developers may also propose updates to their app. It is advisable to accept these updates as they become available. As well as typically offering new features and improving your phone’s performance, they can also fix security vulnerabilities.

10. Check if your smartphone security has been breached

Additionally, there are some lesser-known tricks to check whether your smartphone is being tracked or if your security has been breached:

  • Dial *#21# to see whether your data, including SMS, are being forwarded to a third party.
  • Dial *#62# to see if your calls are being automatically forwarded. If so, where are your calls forwarded to? Don’t be too alarmed initially if you see that your calls are forwarded to a number you don’t recognise. This number might be a separate voicemail box run by your network service provider. The digest message might say that your calls are forwarded to this number after 20 seconds or so. Mobile service providers often provide separate voicemail gateways, including for those overseas on roaming charges. But you should certainly double-check with your service provider. Some suspicious numbers of known scammers and criminals are published online at unknownphone.com.
  • Dial ##002# to stop your calls being automatically forwarded.
  • Dial *#*#4636#*#* to find detailed configuration about your phone including call redirects, current network, usage and location. Check ‘Usage Statistics’ and ‘App Count Usage Time’ to double-check app usage and remove any apps that are suspicious (for example, you might not use them, but they show high usage).

Further smartphone security advice and support

For further advice on securing your smartphone and other digital device, or if you think your device has been compromised, contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form. We’re here to support you.


Ransomware: What you need to know

In this article: ransomware meaning; types of ransomware; ransomware examples; protection against ransomware.

Ransomware meaning: What is ransomware?

Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. While some people might think ‘a virus locked my computer’, ransomware would typically be classified as a different form of malware than a virus. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses and organisations of all kinds. Some ransomware authors sell the service to other cyber criminals, which is known as Ransomware as a Service.

How do I get ransomware?

How exactly does a criminal carry out a ransomware attack? First, they must gain access to a device or network. Having access enables them to utilise the malware needed to encrypt (or lock up) your device and data. There are several different ways that ransomware can infect your computer.

Malspam

To gain access, some threat actors use spam, where they send an email with a malicious attachment to as many people as possible, seeing who opens the attachment and ‘takes the bait’, so to speak. Malicious spam is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

Malvertising

Another popular infection method is malvertising, or malicious advertising, which is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web – even legitimate sites – users can be directed to criminal servers without ever clicking on an ad. These servers catalogue details about victims’ computers and their locations, and then select the malware.

Spear phishing

A more targeted means to a ransomware attack is through spear phishing. An example of spear phishing would be sending emails to employees of a certain company, claiming that the CEO is asking them to take an important employee survey, or the HR department is requiring them to download and read a new policy.

The term ‘whaling’ is used to describe such methods targeted toward high-level decision makers in an organisation, such as the CEO or other executives.

Social engineering

Malspam, malvertising and spear phishing can, and often do, contain elements of social engineering.

Threat actors may use social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate – whether that’s by seeming to be from a trusted institution or a friend.

Cyber criminals use social engineering in other types of ransomware attacks, such as posing as a government agency in order to scare users into paying them a sum of money to unlock their files.

Another example of social engineering would be if a threat actor gathers information from your public social media profiles about your interests, places you visit often, your job, etc., and uses some of that information to send you a message that looks familiar to you, hoping you’ll click before you realise it’s not legitimate.

Encrypting files and demanding a ransom

Whichever method the threat actor uses, once they have gained access, the ransomware (typically activated by the victim clicking a link or opening an attachment) encrypts your files or data so you can’t access them. You’ll then see a message demanding a ransom payment to restore what they took. Often the attacker will demand payment via cryptocurrency.

Types of ransomware: Examples

Scareware

Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams.

You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe. A legitimate cyber security software programme would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed – you’ve already paid for the software to do that very job.

Screen lockers

Screen lockers – upgrade to terror alert orange for these guys. When lock-screen ransomware enters your computer, it means you’re frozen out entirely.

Upon starting your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of cyber crimes, they would go through the appropriate legal channels.

Encrypting ransomware

Encrypting ransomware – this is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because once cyber criminals get hold of your files, no security software or system restore can return them to you. Unless you pay the ransom, for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cyber criminals will give you those files back.

Mobile ransomware

Mobile ransomware – it wasn’t until the height of the infamous CryptoLocker and other similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware typically displays a message that the device has been locked due to some type of illegal activity. The message states that the phone will be unlocked after a fee is paid. Mobile ransomware is often delivered via malicious apps and requires that you boot the phone up in safe mode and delete the infected app in order to retrieve access to your mobile device.

Who do ransomware authors target?

When ransomware hit the scene, its initial victims were individual systems (aka regular people). However, cyber criminals began to realise its full potential when they rolled out ransomware to businesses. Ransomware was so successful against businesses – halting productivity and resulting in lost data and revenue – that its authors turned most of their attacks toward them.

By the end of 2016, 12.3% of threats were ransomware, while only 1.8% of consumer detections were ransomware worldwide. And by 2017, 35% of SMEs had experienced an attack.

Ransomware attacks are still focused on western markets, with the UK, US and Canada ranking as the top 3 countries targeted. As with other threat actors, ransomware authors will follow the money, so they look for areas that have both wide PC adoption and relative wealth. As emerging markets in Asia and South America ramp up on economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.

How can I remove ransomware?

If an attacker encrypts your device and demands a ransom, there’s no guarantee they will unencrypt it whether or not you pay up. That is why it’s critical to be prepared before you get hit with ransomware. 2 key steps to take are:

  • Install security software before you get hit with ransomware.
  • Back up your important data (files, documents, photos, videos, etc.).

If you do find yourself with a ransomware infection, the number 1 rule is to never pay the ransom and make sure you have backed up all of your data on a remote drive. Other ways to deal with a ransomware infection include downloading a security product known for remediation and running a scan to remove the threat. You may not get your files back, but you can rest assured the infection will be cleaned up. For screen locking ransomware, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.

How do I protect myself from ransomware?

My advice is to prevent it happening in the first place. There are methods to deal with a ransomware infection, but they are imperfect solutions at best, and often require much more technical skill than the average computer user possesses.

How to prevent ransomware

The first step in ransomware prevention is to invest in security tools – software and programmes with real-time protection that are designed to thwart advanced malware attacks such as ransomware.

In addition to using the right tools, it all comes down to training, education and awareness: don’t click on it if it doesn’t feel right!

How ESA Risk can help

If you’ve been the victim of an attack or you’d like further advice and support on ransomware protection, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Increase your knowledge of cyber security – we offer cyber security courses, provided by the Global Cyber Academy, from levels 2 to 5.

Managing risk when choosing to invest overseas

When investing in overseas markets, it’s important to understand the context of any potential investment opportunity in order to manage risk. Overseas investments bring with them potential differences in customs, currency, language and accounting techniques. For the best chances of success – i.e. protected, profitable investments – prior research and due diligence are key, especially into the regulations of any foreign country you wish to trade in.

There are 3 main risk areas that investors should take heed of when investing internationally:

  1. Higher transaction costs
  2. Currency volatility
  3. Liquidity risks.

There tend to be higher expenses on foreign transactions, alongside differing exchange rates or additional charges specific to the market, such as clearing fees, taxes or stamp duties. Added transaction costs vary depending on which international market you are investing in.

Exchanging your money could also impact your return, depending on the time of exchange and the currency you exchange to. Using an exchange-traded fund (ETF) could be a way around this, due to better liquidity and accessibility.

However, liquidity risk poses the potential of losses, if investments aren’t sold at a certain time. There is higher risk of this in foreign markets, especially as it’s harder for investors to protect their capital against losses that occur in a different country with different rules. Arguably, foreign investments are worth the risk, as they contribute to a well-balanced portfolio that utilises the global economy.

Avoiding risk in overseas investments

There are products and techniques that can be used to ensure your international investments are better protected. These include:

  • Global depository receipts (GDRs) can be traded, cleared and settled like domestic stocks are, by institutional or private investors. They can be found on the London Stock Exchange.
  • Foreign direct investing via a domestic-based broker, or a broker based in the target country, that can buy foreign stocks directly on your behalf.
  • Global Mutual Funds – Mutual funds use international equities that can be regional or country-specific. They can be sourced in a passive index fund or a managed fund, which means there are higher fees involved.
  • Exchange-traded funds (ETFs) offer investors access into foreign markets, rather than having to compile a portfolio yourself. ETFs provide insight into multiple international markets.
  • Multinational corporations (MNCs) – Investing in MNCs gives investors international exposure without having to directly invest in foreign stocks.

How do I manage the risk of investing overseas?

It is vitally important for anyone considering investing in overseas investments to either do extensive research on the country and the type of investment before committing, or, as an extra type of safety net, invest through reputable investment vehicles such as Global Mutual Funds, exchange-traded funds or global depository receipts.

As the global economy is still navigating its way through its most volatile period, it’s important to take the time to do your investment homework.

The first step for an investor is to conduct a country analysis, deciding where exactly to invest. Investing in a broad international portfolio is best, or within a specific region or set of countries, rather than in a single foreign country. Diversification is important when investing internationally, as maximising diversification minimises risk.

Once the country or countries of investment are decided, the investor must decide which investment vehicles to invest in, for instance in stocks or bonds of companies within the country, mutual funds, internationally focused ETFs, etc. Ongoing monitoring of the investment portfolio needs to be done, as the economic conditions overseas will be continuously changing.

The political and economic landscape of the investment country must also be observed, as any abrupt changes can result in unexpected losses to investments. This is part of the country risk analysis, as countries with stable finances and a strong economy offer safer investments than those without. Countries that are unfriendly towards foreign investors or that are in political unrest also offer a less stable investment opportunity.

The Economist Intelligence Unit (EIU) offers comprehensive and objective information on different countries, including an overview of the political, social, economic and demographic climate. Other country risk analysis resources which can help investors include the CIA World Factbook and the UK government’s Overseas Business Risk service.

At ESA Risk, we offer enhanced due diligence services, which can help you see the whole picture before committing to an investment. Contact us for an initial chat with our experienced consultants. You can contact Ali Twidale, Banking & Financial Fraud Consultant at ali.twidale@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Employment fraud: be diligent

Online job scams and employment fraud are when jobseekers are under the pretence that they are in an application process but are instead being scammed into giving up their personal data, including bank account or credit card information.

In this way, criminals can conduct identity theft – gathering people’s personal information and then applying for loans or credit cards in their victims’ names. The Federal Trade Commission says employment fraud also occurs via phishing, whereby scammers use malicious links or websites to obtain the personal information of their victims.

The Disclosure and Barring Service (DBS) has revealed that “85% of identity fraud is committed via online channels, and Cifas members recorded almost 158,000 cases of identity fraud in the first nine months of 2021. Not only is this an increase of 17% compared to 2020, but this is equivalent to one person every 2.5 minutes.”

As well as using online methods, perpetrators might conduct ‘interviews’ by phone and ask upfront for payment for certification or training materials before considering the applicant for a ‘job’, which often does not exist.

In a widescale study of 12,000 jobseekers by JobsAware (previously SAFERjobs), 71.3% of workers said they assumed that any job found online was a legitimate posting from a real business. A staggering 98% admitted they would still apply for a job even if they thought it was suspicious.

It is important that jobseekers remain vigilant when applying for jobs online.

Signs of potential employment fraud

  • Companies asking for any sort of payment during the application process.
  • Interviews taking place over messaging services such as Facebook Messenger or Google Hangouts.
  • Unclear job descriptions or being offered a job that isn’t the one you applied for.
  • Unprofessional-looking emails with misspellings or grammatical errors.
  • Emails coming from personal accounts such as Yahoo or Gmail, rather than a business email address. (However, email spoofing may be used, so be wary even if the email address appears genuine, and conduct further research on the company).
  • Fake job boards and recruiter websites that might ask for card details for ‘pre-screening’ or personal bank account number to start depositing payslips.

Until you are sure of the credibility of a company that has contacted you about a potential job, do not give out personal information or financial information. Research the company – for example, look at their website, social media accounts, Companies House listing, any online reviews, etc. – to make sure that the job posting is real. Call the company’s phone number (if you find a number for them through your own research, rather than a number in the email or job posting) to verify that they sent an email or posted the job online.

Use caution when deciding on the information you include in your CV, as these details could be used in identity fraud. As a rule, do not include any of the following:

  • Date of birth
  • Full address
  • Passport number
  • National Insurance number
  • Driving licence number.

Protect yourself against employment fraud

  • Conduct an online search for the name of the employer alongside the word ‘scam’ to check for reports of job scams.
  • Be wary of vague job descriptions.
  • Don’t believe anything that sounds too good to be true; for example, if the pay on offer is very high but for little work.
  • Be cautious about online forms that are part of the interview process and never include personal or financial information on these.
  • Be wary of mystery shopper or secret shopper positions.
  • Jobs that involve receiving and reshipping packages are likely scams.
  • Do not respond to calls, text messages or emails from unknown numbers or suspicious addresses.
  • Do not click any links in a text message from a number you do not recognise. If a friend sends you a message containing a suspicious link, and it seems out of character, call them to make sure they weren’t hacked.

If you think you’re a victim of employment fraud, the first step is to cut all communication with the fraudulent party. Take note of their details and file a report with Action Fraud. If you have given any bank details, get in touch with your bank immediately.

For further help and advice on preventing and avoiding fraud or dealing with an ongoing fraud, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Beyond security: How access control and CCTV video analytics can generate business intelligence

Fortunately, modern, network-connected security systems can deliver operational benefits that give security chiefs a powerful argument when it comes to pitching to the boardroom for greater funding.

Security systems are, of course, fundamentally – and historically, solely – about deterring and thwarting criminal acts in order to protect people and property.

However, today’s AI-powered video surveillance and access control software can transcend this core purpose to provide other benefits, often in concert with building management systems (BMS).

Deployed wisely, cutting-edge security systems can play a role in reducing energy use, boosting productivity and sales, enhancing work environments and delivering services more effectively.

New technologies can therefore be justified on the grounds of cutting costs and boosting the bottom line, as well as reducing insurance premiums and improving safety, security and loss prevention.

Consider how, for instance, automatic number plate recognition (ANPR) systems can eliminate the need for ticket inspectors in car parks.

Access control efficiencies

In mediating the entry and exit of authorised individuals, meanwhile, physical access control systems build a picture of which and how many individuals occupy any given room or floor at any particular moment.

If access control reports show an office building is consistently quiet at the same time each month – say, Friday afternoons – facilities managers could decide to close certain floors to lower cleaning, maintenance, staffing and energy demands.

And integration with building management systems means lights, heating and air conditioning can be automatically switched on or off as buildings become occupied or unoccupied, thus reducing energy use.

Further efficiencies can be realised by consolidating physical and logical access control and integrating them with other services. As a result, employees could use the credential they access the office with – whether it’s a card, key or biometric authenticator – to pay for food in the canteen or enter the adjoining car park, too.

Integration with other business functions, such as HR, can streamline back-end administration, while cross-site standardisation is useful for large organisations with multiple offices.

Increasingly, access control can also be integrated with visitor management systems, making the check-in process more seamless and restricting visitors to the areas they need to access and the times they need to access them.

CCTV video analytics for retail business intelligence

Video analytics software, which uses deep learning algorithms to make sense of CCTV footage, has powerful security functions that vendors have repurposed to generate business intelligence.

It can, for instance, automatically identify and track persons of interest, highlight people or objects that fit a certain description, send alerts when pre-defined behaviours are detected, and detect suspicious packages.

In retail, similar capabilities can realise operational insights that inform decisions – on staffing, procurement and store design – that optimise the customer experience and boost sales.

Video content analysis can, for instance, measure footfall and where it is concentrated, something usefully presented in heatmaps.

The routes customers typically take around the store and where they tend to linger – measured by ‘dwell time’ – can help retailers optimise store layout, product lines and even pricing (imagine the conclusion you might draw, for instance, from a long dwell time around particular products but comparatively unremarkable sales figures).

Supported by proximity and people-counting thresholds, staffing levels can be tweaked to reflect peak periods and reduce crowding and queuing at checkout counters, fitting rooms and bathrooms.

Consider the resource efficiencies yielded by determining bathroom cleaning schedules by through-traffic rather than arbitrary intervals.

The ability to monitor shopper numbers and density also has a powerful application in relation to Covid-19 guidelines on limiting headcounts or enforcing social distancing.

Stores can learn how their customer demographics break down by age and gender, too, which can inform marketing and procurement decisions.

However, functionality that analyses individuals’ characteristics will raise understandable privacy concerns – something vendors have, thankfully, taken into consideration.

Data privacy mechanisms

Mindful of GDPR and equivalent data protection regulations in force around the world, reputable technology providers have ensured that retail-focused applications only ever convey information about shoppers as a group, not as individuals.

CCTV systems more generally should be privacy-protecting by design at every stage – capturing, storing, sharing and deleting data.

Among the most important privacy features is dynamic anonymisation, which ensures anonymity by default, with operators only unmasking individuals suspected of criminal wrongdoing.

Even more reassuring from a privacy perspective – and most relevant for non-security applications like monitoring footfall or for hazards – is permanent masking, where data subjects are anonymised with no possibility of reversing the process.

Redaction, meanwhile, is used post-hoc when individuals featuring in footage relevant to a criminal investigation are anonymised if they’re not under suspicion themselves.

Upgrade your security systems with ESA Risk

For advice on physical security or to enquire about a free security risk assessment, please contact Liam Doherty, Security Consultant at liam.doherty@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Email spoofing

In this article, I’ll answer the questions:

  • What is email spoofing?
  • How do spammers spoof an email address?
  • What does a spoofed email look like?
  • How can you prevent email spoofing?

According to Proofpoint, 3.1 billion spoofed emails are sent every day, with attacks costing businesses $26 billion (about £18.8 billion) since 2016. The goal of email spoofing is like phishing, as fraudsters attempt to obtain sensitive information from the recipient or get them to download a malicious attachment. However, instead of simply imitating the email address of a trusted source, spoofed emails manipulate the way emails are delivered.

How do spammers spoof my email address?

Email spoofing is possible because of the way email providers send and deliver messages. When someone sends an email, it doesn’t simply go from the person who created the message to the intended recipient. Rather, it goes through an SMTP (Simple Mail Transfer Protocol) server configured in the client software.

You can think of this process like a sorting office for physical post. The SMTP server takes an incoming message and routes it to the relevant email server, which then directs it to the relevant user inbox. This gives criminal hackers the opportunity to input a bogus address in the ‘Sent’ field, because the SMTP server has no process to authenticate this information. As such, attackers can make it look as though the email has been sent by someone else.

What does a spoofed email look like?

Now we’ve answered the question ‘what is email spoofing?’, let’s examine what a spoofed email looks like. Below is a real-world example of a spoofed email received by multiple members of the ESA Risk team last week, purporting to be from ESA Risk’s Marketing Director. This email was caught by our spam filters, so it didn’t make it into anyone’s inbox, but it did arrive in their spam folder, so it required manual intervention to fully eliminate the potential threat.

—–Original Message—–
From: xxxxxxx@staging.esarisk.com <rebeccasmith0900@gmail.com>
Sent: 20 October 2021 08:25
Subject: RAPID INTERVENTION

Good morning,

Hope you don’t have a lot of work to do? Well in case you do, peg it now because i have a task for you to carry out urgently.

Drop your number so i can brief you about it all.

Thanks.

Xxxx xxxxxxxxxxx @staging.esarisk.com

Sent from iphone

Spot the obvious issues with the above.

Here is another example of what someone might see when they receive a spoofed email:

[Image: what does a spoofed email look like]

There is nothing here that reveals the true nature of this message. The ‘From’ field displays the address provided by the scammer, but, crucially, this is not necessarily the email address from which the message originated. Only by investigating the email header (sometimes known as the envelope) can you tell if the ‘From’ field has been manipulated. This information isn’t typically displayed by email clients and will require you to look in your settings.

In most versions of Outlook, you can do this by double-clicking the message to get it to open in a separate window, then selecting ‘File’ and ‘Properties’. You’ll be presented with a long string of information, but within that you should see something that looks like this:

[Image: email spoofing]

You can see here that, although the message says it’s from the employee’s boss, there is a different address in the reply field. When the recipient responds, the message isn’t going to ‘boss@company.com’ but to ‘scammer@scammail.com’. This is a big clue that the original email address has either been forged or compromised. A bogus email address won’t always be as easy to spot, however. You may well encounter the same technique as standard phishing attacks, with the attacker replicating the email address of a genuine organisation.

In this example, the sender might register the email domain ‘conpamy.com’ – transposing the ‘n’ and the ‘m’. This can be tricky to spot, and it’s why organisations should adopt SPF (Sender Policy Framework). SPF is a security protocol that works alongside DMARC (Domain-based Message Authentication, Reporting and Conformance) to detect malware and phishing attacks. It does so by comparing the IP address from which the email was sent against the addresses that the domain in the ‘From’ field has authorised to send on its behalf.

If you’ve implemented SPF, the email header will contain a string of text that looks like this:

[Image: prevent email spoofing]

You can see that this message failed the test, because the client’s IP is not permitted to send messages from the company domain. Implementing SPF helps flag suspicious emails and reduces the burden on employees to spot scams. However, for it to work, the domain holder (which in most circumstances will be your organisation) must configure a DNS TXT entry specifying all IP addresses authorised to send email on behalf of the domain.
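To make the two checks described above concrete, here is an added example (not code from the original article, and not anything ESA Risk publishes) that inspects a message’s headers for the From/Reply-To mismatch and the swapped-letter lookalike domain discussed earlier, and evaluates an SPF record against the connecting IP in the way the SPF paragraph describes. The sample message, the trusted domain company.com, its SPF record and the client IP addresses are all constructed for illustration; the SPF evaluator handles only ip4, ip6 and all terms, so include, a and mx (which require DNS lookups) are out of scope.

```python
"""Header inspection and simplified SPF evaluation for spoofing clues.

Added example, not code from the original article. The sample message, the
trusted-domain list, the SPF record for company.com and the client IPs are
all constructed for illustration.
"""
import ipaddress
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample message: the display name claims to be the boss, but a
# reply would go to a different domain (the clue the article describes).
SAMPLE_MESSAGE = """\
From: "The Boss" <boss@company.com>
Reply-To: scammer@scammail.com
Subject: RAPID INTERVENTION
Date: Wed, 20 Oct 2021 08:25:00 +0100

Drop your number so I can brief you about it all.
"""

# Constructed: the organisation's own domain and its published SPF record.
# Only the listed ranges are authorised to send mail for company.com.
TRUSTED_DOMAINS = {"company.com"}
SPF_RECORDS = {"company.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"}

# SPF qualifiers and the verdict each one yields when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(header_value):
    """Lower-case domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_two_char_swap(candidate, trusted):
    """True if candidate equals trusted with exactly two characters swapped
    (e.g. 'conpamy.com' against 'company.com')."""
    if len(candidate) != len(trusted) or candidate == trusted:
        return False
    diffs = [i for i, (a, b) in enumerate(zip(candidate, trusted)) if a != b]
    if len(diffs) != 2:
        return False
    i, j = diffs
    return candidate[i] == trusted[j] and candidate[j] == trusted[i]


def header_findings(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of clues that the visible From header may be forged."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")
    for trusted in trusted_domains:
        if is_two_char_swap(from_domain, trusted):
            findings.append(f"from domain {from_domain} is a lookalike of {trusted}")
    return findings


def spf_check(record, client_ip):
    """Evaluate an SPF TXT record against the connecting IP.

    Simplified: only ip4, ip6 and all terms are handled; include/a/mx would
    need DNS lookups. Terms are tried left to right and the first match wins.
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in parts[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        name = name.lower()
        # 'in' is False when the IP version differs from the network's, so an
        # IPv6 client never matches an ip4 term and vice versa.
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def assess(raw_message, client_ip, records=SPF_RECORDS):
    """Combine header clues with an SPF verdict for the From domain.

    Real SPF is evaluated on the envelope sender (MAIL FROM); DMARC is what
    ties that result to the visible From header. Using the From domain here
    keeps the illustration close to the article's description.
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_domain = domain_of(msg["From"])
    verdict = spf_check(records.get(from_domain, ""), client_ip)
    return {"from_domain": from_domain, "spf": verdict,
            "findings": header_findings(raw_message)}


if __name__ == "__main__":
    # Constructed client IP outside the authorised ranges: SPF fails.
    print(assess(SAMPLE_MESSAGE, "192.0.2.9"))
```

Running the file assesses the constructed message as if it had arrived from 192.0.2.9 and reports an SPF fail together with the Reply-To mismatch. Note that production SPF is evaluated on the envelope sender rather than the visible From header; DMARC is the layer that requires the two to align, which is why the article pairs the two protocols.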

How to prevent email spoofing and what to do if your email has been spoofed

At this point, I’m sure you’re asking the question: ‘How can I stop spoofing emails coming from my email address?’ Technical solutions such as SPF can help protect organisations from email spoofing. They can be implemented alongside spam filters and anti-malware software to give you the best chance of flagging suspicious messages before they reach employees’ inboxes.

However, these tools are never foolproof: scammers are always finding clever ways to bypass security mechanisms, and they may even ask you, the recipient, to confirm that the email is real and valid. Ultimately, it’s down to the recipient to decide. As such, you must ensure that employees are trained to detect, and respond appropriately to, suspicious emails.

Phishing emails always contain clues that can help you spot their true nature, and ESA Risk provides training for you and your teams on these issues and all things cyber security.

If your email has been spoofed, you want to prevent email spoofing or you have any other cyber security questions or concerns, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form for advice.

Charities: What to do if you suspect fraud

Before getting into practical advice on what to do if you suspect fraud, how to report charity fraud and the investigation of suspected fraud, I think it’s important to mention the current state of affairs in the charity sector. Statistics from the Fraud Advisory Panel show that fraud within the charity sector is significantly underreported.

Charities appear to be concerned – maybe even scared – about the reputational damage fraud reporting could do to their organisation. A fraud-related prosecution or a case involving a charity with a high-profile may well enter the public domain through the media, and charities are concerned that might have a negative impact on public confidence in their organisation and their work.

This may well be as a result of recent high-profile scandals involving UK charities. While those cases didn’t involve fraud, the potential impact of bad press has been felt by the sector.

Most often, when people give their money to a charity, it’s because they believe in the work that charity does and believe that their money will be put to good use. Charities worry that anything that could dispel that idea in people’s minds could, in turn, lead to a reduction in support and donations received.

This is especially true when fraud is on the inside of a charity.

Fraud could be external to an organisation – for example, someone creating a fake website or page on a site such as Just Giving, pretending to be a charity / collecting on behalf of a charity, then syphoning the funds raised – but the potential for reputational damage in these situations isn’t as high.

The reluctance of charities to report fraud is a huge source of concern. And it should be a source of concern for the Charity Commission and other bodies involved in the charity sector and in fraud prevention.

What should a charity do if it identifies fraud within its organisation?

For me, I think it’s most important for charities to focus on insider fraud – the fraud that occurs within charities.

I think the first thing that charities should do is to lock down all systems and controls as quickly as possible. Whoever is responsible for governance and fraud prevention in the charity should press the brakes on everything as soon as possible, especially if fairly large amounts of money are involved.

It’s important to stem the flow quickly, as we know that the longer a fraud goes on for within an organisation, the bigger that fraud becomes. Fraudsters often test the waters. They may start off by syphoning off maybe only a few pounds or a few hundred pounds. Once they realise that there are gaps and weaknesses in the system that they can take advantage of, it emboldens them to think bigger. Stealing £100 then becomes £200 the next time, then £1,000, then £5,000 and so on. Unchecked frauds then grow exponentially.

I’m not suggesting that whole organisations should lock down as soon as they see £100 missing from their accounts. For smaller amounts of money, there may be a very simple explanation – a misunderstanding or an accounting error, for example. But, as soon as you think money may have been defrauded or stolen, that is when you need to quickly review what may be going on.

In the first instance, that means speaking to the responsible people in the organisation. That could be the head of finance, or the bookkeeper or treasurer. At the same time, the systems and controls in place should be checked to ensure they’re working properly. If there’s no clear explanation for missing money, that’s the time to take further decisive action.

Your response should be proportionate to the amount of money involved and to the size of your organisation. The tipping point will likely be different for different charities.

As a charity, the action you’re able to take may depend on the type of charity you are, too. If you’re dispersing funds, you may not be able to put the brakes on everything, because you have people and organisations that depend on you.

What does ‘locking down’ systems and controls involve?

When you suspect a fraud, the key objectives of your response are to identify and close any gaps, bolster any weak areas and mitigate the risk of more money disappearing. Typically, this is about access and authorisation. Access to systems and to finances should be limited to those people who absolutely need it. Authorisation processes can be strengthened simply by adding another level. For example, especially in smaller organisations, moving money might need to be authorised by only 1 person. Adding a second signatory to that process immediately adds another layer of security.

Once the potential risks have been mitigated, an organisation can start putting in place the next part of their response.

Investigation of suspected fraud

To ascertain exactly what has gone on in the case of a suspected charity fraud, you need to carry out a thorough investigation.

Whether you choose to undertake an internal investigation of suspected fraud or bring in external investigators, it’s important to involve people with the right expertise early on. Think about who needs to be involved in the investigation, and what skillsets you need to bring in from external parties. Do you need to bring in forensic accountants? Do you need to bring in economic crime investigators? Do you need to bring in auditors? External experts might be needed only for advice and can help guide the charity to make its determination about how it goes about its own investigation. Alternatively, the whole investigation can be outsourced to an independent external organisation.

The investigation needs to be quick, but it also needs to be carried out in depth. One reason for this is the obligation to report serious incidents to the Charity Commission. As soon as you’re able to ascertain a 60 or 70% likelihood that the case is fraud, it should be reported to the Charity Commission.

Internally, the investigation team needs to report into someone. In charities, the governance committee is the most likely candidate for this role. Even if there’s suspected involvement in a fraud by the charity’s trustees, the governance committee usually works independently of the charity’s management structure.

The investigation itself is the same for charities as any other organisation. Once the investigation team is in place, the next stage is to determine where the material is that can assist with uncovering what has happened. In a fraud investigation, that means working closely with members of the finance and audit functions within the organisation. Crucially, at this stage, you want to make sure that any information that could assist in the investigation is secured. Ensure that no material is destroyed or deleted (although digital forensics can help with recovering deleted digital files and emails).

When the potential evidence has been secured, you start the process of understanding what’s happened through interviews, reviewing the material and interrogating the accounts (which is where forensic accountants can add real value).

Prevention is better than the cure

Many UK charities are small bodies with limited resources, which can result in them having few fraud prevention controls in place and a mindset of ‘we haven’t got the money for this’. But it’s often the case that charities really can’t afford not to invest in fraud prevention. The fallout of a fraud case or another type of scandal could spell the end for smaller charities, whereas investing, say, a few thousand pounds in prevention tools could avoid the loss of tens of thousands to fraud down the line.

An area I always look at when conducting investigations is what controls were in place pre-incident and how those controls and processes can be improved to avoid future issues. One side of the investigation is, of course, discovering the truth about the case at hand, but the other side is analysing the preventative risk management elements within an organisation. Whether or not a crime is identified during an investigation, the organisation’s risk controls are left in a stronger position for the future.

Relentless risk management is the best chance an organisation has for preventing fraud.

That means continually undertaking risk reviews, looking at systems and processes. Transparency and accountability at all levels are really, really important.

How to report charity fraud

In relation to reporting charity fraud, trustees should be mindful of their obligations to the Charity Commission. Once it becomes clear that a fraud has been committed, it must be reported.

Another body charities may want to report suspected fraud cases to is Action Fraud, which gathers data about fraud across all sectors.

Finally, if you think a crime has been committed, there’s a decision to be made on whether (and when) to bring in the police.

The bottom line is that charities shouldn’t bury their heads in the sand. Each situation should be considered carefully and a quick decision should be taken on the most effective and proportional way to manage that particular (potential) problem.

Charity fraud: How ESA Risk can help

At ESA Risk, our team includes experienced fraud investigators and risk management experts, meaning we can support charities at every step – from offering advice on fraud prevention to conducting full investigations of suspected frauds.

If you suspect a fraud has been committed in your organisation or you want help to secure your charity against fraud, contact Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant at lloydette.bai-marrow@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

This article was published as part of Charity Fraud Awareness Week 2021.

Charity Fraud Awareness Week 2021

Charity Fraud Awareness Week 2021 is a joint initiative from the Fraud Advisory Panel (“the voice of the counter-fraud profession”) and the Charity Commission for England and Wales (“an independent, non-ministerial government department” that “registers and regulates charities”), who launched a related website – Preventing Charity Fraud – which provides resources “on how to prevent, detect and respond to fraud committed against charities and not-for-profits.”

We’ll be publishing content in support of the cause all week on our website and our social media accounts using the campaign’s hashtag: #StopCharityFraud. In tomorrow’s article, ESA Risk’s Cyber Risk & Security Consultant, Graeme McGowan, will be covering cyber fraud and other cyber risks in the charity sector. Later in the week, Ali Twidale, Banking & Financial Fraud Consultant will look at money laundering and financial crime in charities. And Serious Fraud and Economic Crime Consultant, Lloydette Bai-Marrow, will round off the week by discussing what charities should do if they suspect a fraud has been committed.

Fraud prevention and fraud investigations are topics we publish on regularly. We expect that much of this existing content (while created for a wider audience) will be of use to those in the charity sector looking to fight fraud:

Preventing Charity Fraud

As the Preventing Charity Fraud website states, “charities can be susceptible to fraud.” And it’s easy to see why. In a 2019 survey of more than 3,000 registered charities, the Charity Commission and the Fraud Advisory Panel found that only 9% of charities “have a fraud awareness training programme”, “almost half don’t actually have any good-practice protections in place” and “26% of charities believe they’re vulnerable to fraud because of an over-reliance on goodwill and trust”.

There’s been an increase in the number of cases of fraud in all sectors since the start of the Covid-19 pandemic. It’s likely that the situation in the charity sector is no better than it was 2 years ago, which is why initiatives such as this one are needed.

Charity Fraud Awareness Week comprises a number of online and in-person events aimed at those working in the charity sector.

Outside of Charity Fraud Awareness Week, the Preventing Charity Fraud website contains a host of practical information for those working in or with not-for-profits and charities, including downloadable helpsheets on topics such as whistleblowing, financial crime risks, volunteer fundraising fraud and charity retail fraud.

The Charity Commission and Fraud Advisory Panel’s 8 principles of good counter-fraud practice

Also on the website is the “8 principles of good counter-fraud practice” which was published in response to the findings of the 2019 survey of the sector.

The principles in full are:

“1. Fraud will always happen – being a charity is no defence. Even the best-prepared organisations cannot prevent all fraud. Charities are no less likely to be targeted than organisations in the private or public sector. Fraudsters don’t give a free pass to charitable activities.

“2. Fraud threats change constantly. Fraud evolves continually, and faster, thanks to digital technology. Charities need to be alert, agile and able to adapt their defences quickly and appropriately.

“3. Prevention is (far) better than cure. Financial loss and reputational damage can be reduced by effective prevention. It’s far more cost-effective to prevent fraud than to investigate it and remedy the damage done.

“4. Trust is exploited by fraudsters. Charities rely on trust and goodwill, which fraudsters try to exploit. A strong counter-fraud culture should be developed to encourage the robust use of fraud prevention controls and a willingness to challenge unusual activities and behaviour.

“5. Discovering fraud is a good thing. The first step in fighting fraud is to find it. This requires charities to talk openly and honestly about fraud. When charities don’t do this the only people who benefit are the fraudsters themselves.

“6. Report every individual fraud. The timely reporting of fraud to police, regulators and other agencies is fundamental to strengthening the resilience of individual charities and the sector as a whole.

“7. Anti-fraud responses should be proportionate to the charity’s size, activities and fraud risks. The vital first step in fighting fraud is to implement robust financial controls and get everyone in the charity to sign up to them.

“8. Fighting fraud is a job for everyone. Everybody involved – trustees, managers, employees, volunteers, beneficiaries – has a part to play in fighting fraud. Trustees in particular should manage fraud risks actively to satisfy themselves that the necessary counter-fraud arrangements are in place and working properly.”

Fraud-related advice and support from ESA Risk

Whatever sector you’re in, if you need advice or support on fraud prevention, we’re here to help. We’ll work with you to put in place preventative measures as part of your wider risk management strategy, covering areas including cyber security and due diligence.

If you suspect a fraud has been committed against your organisation, our experienced Investigations team – including a former principal investigative lawyer with the UK government’s Serious Fraud Office (SFO) – can help you discover the truth.

Contact Mike Wright, Risk Management & Investigations Consultant at mike.wright@esarisk.com, +44 (0)343 515 8686 or via our contact form, to find out more.

The process of process serving

Process serving in the UK is typically used when the court or serving party requires proof that the person was served their documents, as in some cases individuals deny receiving them, or there is a critical deadline for when the documents must be received.

A process server is the person that serves the documents; they have knowledge of legislative regulations including Civil Procedure Rules and Insolvency matters. They should have a good understanding of the rules of process serving and conduct their work with discretion and speed, according to proposed timeframes and given instructions. If a document has not been served correctly, it can cause problems when the case is taken to court and may even result in the case being thrown out by the presiding judge.

There is currently no requirement for a process server to have any form of recognised qualifications or licence, and it is therefore important any instructing client ensures their process servers have the knowledge required to complete the task in accordance with the requirements of the court.

Why is process serving needed?

The role of a process server is to provide written proof – in the form of a witness statement or affidavit – which can be presented to the court confirming service. It gives the date and time of service, the location, the documents served and any other information which may be relevant to the case. If such paperwork is merely sent in the post, there is no guarantee it will be received, and the client has no proof of it either.

Typically, served paperwork includes:

  • Statutory Demands and Bankruptcy / Winding Up Petitions
  • Monetary Claim Forms and Orders which enforce County Court Judgements (CCJs), such as Orders to Attend Court
  • Claim Forms for the possession of property or land, either for squatters or tenants
  • Witness Summons
  • Non-Molestation and Injunction Orders
  • Land and Property Notices such as Notice to Determine Lease, or Break Notices
  • Divorce Petitions.

For example, when serving in insolvency matters, it is imperative to be able to prove the respondent has received all the paperwork leading up to the insolvency, to give them the opportunity to respond and deal with the matter. If they state they did not receive it, and you cannot prove they did, the matter may not be able to progress.

How does process serving work?

Work is usually instructed by solicitors, specialist law firms or in-house legal departments but can also come from private clients. There are different service rules for different types of paperwork, although many documents are served under the ‘Civil Procedure Rules’ of the Ministry of Justice within the UK. For instance, service of bankruptcy is dealt with under the Insolvency Rules, and the Practice Directions to those rules specify certain acceptable methods to be able to serve the documents.

Take the example of a Statutory Demand on an individual, which is a final demand for payment. This can be served by letterbox, providing you can demonstrate that the person had the opportunity to receive the Demand personally and chose not to. To do this, the process server sends an appointment letter nominating a set date and time at which they will return to the address, giving the person the opportunity to meet them and advising that, if they fail to attend that appointment, they will be served by letterbox. However, if the person fails to deal with the Demand, and it progresses to a Bankruptcy Petition, there is no provision within the service rules for service of this by letterbox, and an application needs to be made to the judge for an Order allowing service by letterbox to take place.

In short, some papers can be served by ‘Substituted Service’ such as by letterbox or email, and some must be given in-person to the individual being served. Process servers have had to make adjustments due to Covid-19, avoiding direct contact by making use of letterboxes and electronic services.

If papers have to be served in-person, as in the case of a Non-molestation Order, they could be left at a person’s feet or on a table in front of them to avoid hand-to-hand contact. A Non-Molestation Order prevents a person from doing certain things against another person, such as contacting them or going near their house. There may be a ‘Penal Notice’ attached to the Order, which means if they breach the Order, it would be a criminal offence that they could be arrested for. It is therefore imperative to know exactly when individuals are served, as breaching the Order after service could lead to criminal charges.

While the physical process of serving documents seems straightforward, every case presents its challenges. Individuals may get tip-offs that they are going to be served papers and attempt to avoid it, so investigative skills are important to ensure the service is carried out. In some cases, there is physical violence against process servers because the paperwork they deliver is detrimental to the receiver, who might resist being served. In other cases, clients may require service on multiple people across the country at the same time, and process servers must liaise to ensure that the papers are served accordingly.

Once served, the process server provides a Certificate, Statement of Service, or Sworn Affidavit confirming the time and date the documents were served, for reference by the court at the hearing.

Instruct ESA Risk today

If you’re looking for an experienced company to reliably serve documents, look no further than ESA Risk. Our extensive network of process servers covers the whole of the UK (as well as overseas locations).

Whether you require us to serve relatively straightforward, standard documents or to organise complex time-synchronised, multi-location services, either in the UK or overseas, we’ll work with you to understand your specific requirements and tailor our services and fees accordingly.

Need to confirm an address before sending documents? We also provide tracing services, ensuring you serve the right people in the right place at the right time.

Contact the team at process.serving@esarisk.com or on +44 (0)343 515 8686 option 2.

Forensic accounting: An overview

Forensic accounting entails a process of auditing, accounting and investigation into a company’s finances. The information obtained can then be used in court, with forensic accountants often being required to give a statement as an expert witness on a case.

A forensic accountant typically begins their career as an accountant or auditor, before specialising and training for further credentials, for instance the Certified Fraud Examiner (CFE) designation. To qualify, accountants require deep knowledge of tax legislation and financial reporting. The role involves scrutiny of accounts, finding hidden or concealed money, in an efficient and concise manner. Forensic accountants are versatile, working with data and numbers, and articulating their findings in a way that is presentable to a court.

A forensic accountant will be familiar with legal concepts and procedures and must be able to communicate financial information clearly and concisely in the courtroom. Likewise, their knowledge of regulatory compliance mandates and financial markets must be solid, in order for procedures to be correctly followed. Forensic accountants will also often need to review contracts, bank statements, accounting records or other data relevant to the investigation, all drawing on knowledge of financial crime and internal investigations. The information is reviewed to identify discrepancies or areas of inconsistency that further support the case.

Charlie Batho, a professional forensic accountant at ESA Risk, has shed some light on the ad-hoc nature of the job. “It is a unique form of accounting; each case is different and you can never be sure what you might come up against. There is no textbook guidance to it, each investigation is a one-off experience and every single case is different. When a company requires forensic investigation, it is usually for the first and last time. My job is to follow where the money has gone, usually in cash trails, scoping out how and why it has gone missing and providing answers for my clients.”

Forensic accounting involves working in a variety of areas, for instance in pre-litigation, accounting, complex finance and tax disputing.

Tax disputes

HMRC might start to litigate against an individual who is partaking in tax evasion, so when hired by that individual, the role of the forensic accountant would be to defend them, finding mitigating circumstances and evidence to demonstrate their innocence.

Marital disputes

In the case of a divorce, couples may dispute over the holding of shares. A forensic accountant would handle the financial disagreement and, if the case is taken to court, act as an expert witness. Depending on which side of the dispute they are hired to represent, the forensic accountant would explain the value of the shares and present a case for why their client is owed a certain amount.

Medical cases

In cases where children are born with disabilities or brain injuries, it is the job of a forensic accountant to establish what the ongoing capital award might be for the parents to look after the child for the rest of their life. Additions, such as ramps, shower-railings, disabled access around the house, a 24-hour carer and the annual RPI, must be taken into consideration. Forensic accountants project figures into the future to estimate finances, as well as looking retrospectively.

Fraud cases

In companies there are times accounts might be mishandled, cash goes missing or problems arise in internal accounting. Payroll fraud is an example of this, where employees add fictitious workers to the payroll and direct the money into their own accounts. It is the role of a forensic accountant to uncover and expose this kind of fraud to their clients.

Shareholder disputes

In business valuation, forensic accountants assist with valuing companies in various ways. For instance, two shareholders might each hold 50% of a company and one wants to exit and sell their shares, but there is a disagreement over the price to sell those shares for. Here, the forensic accountant will put together a financial report to support a case stating why the shares are worth more or less than the disputed amount.

Insurance claims

In cases that involve insurers not paying out, for example after a car crash, a forensic accountant would provide information to negotiate the claim. This would involve the worth of the car, comparing dealers’ prices and car policies on mileage.

Audit complaints

If an audit has been incorrectly carried out and auditors have been negligent and misstated accounts or missed a fundamental accounting policy, a forensic accountant would have to prove how the auditors made an error, filing an insolvency case against them. This might be relevant if a company goes bust but the audit was previously signed off stating that budgets and cash flows were all in order.

At ESA Risk, we offer expert litigation support and forensic accounting services, available for the consideration of any company or individual that requires assistance with a financial error or dispute.

Or contact us on +44 (0)343 515 8686 or at advice@esarisk.com.
