Banking on your good nature

As we become more attuned to potential phishing attempts, the fraudsters up their game to try and catch us out and profit from our sense of security. More and more banks are now putting fraud prevention measures in place, which are being used against them by the cyber criminals.

This is a real text, received by someone in my family in early March. The number it has been sent from has been spoofed so that it appears to have come from the short code number used by TSB Bank.

What makes this scam relatively effective is that TSB are one of the banks that send message alerts to clients when they use their cards abroad. So by sending these texts, the fraudsters appear to be alerting customers to a potential fraud when, in reality, they are attempting to defraud them.

For many TSB customers familiar with these texts (and assuming that they are not abroad at the moment, which in most instances would be against lockdown regulations), receiving such a message would cause concern.

The first action many people would take is to call the number. After all, we are warned about clicking on links and following strange URLs. But a phone number isn’t an issue, right? Unfortunately, in this case it is a major issue. Whilst the second telephone number is a genuine number for TSB Bank, the first one most certainly isn’t. At least not anymore.

Back in the day it was a valid number for the bank – if you search for the telephone number you will find some Tweets from the bank advising customers to use that number. But that was back in 2013. Today, the bank uses 03459 758 758 but the 08459 number is still being used for fraudulent purchases.

If you do receive a similar message from a bank that you happen to use and it appears strange, then contact the bank using the telephone numbers on its website and not those within the text message.

Don’t delete your domains…

….until you really understand the impact of losing them.

This isn’t a public service announcement by the domain name industry who want to ensure that every domain is renewed for eternity. Whilst that would be especially pleasing for the registry operators and the registrars who sell the domains, it is never going to happen.

Everyone who holds a portfolio of domain names should periodically carry out an audit on them to see if they are returning any value. Whether you own a portfolio of a couple or tens of thousands, you need to ensure that they all still hold value for you.

“We don’t have enough domain names” is not something you will ever hear a portfolio manager within an organisation say. Every year they will put the same pressure on their registrar to reduce the cost of their portfolio, and the registrar of course wants to see them spend more. So, in one corner there is a party motivated to increase the protection of their intellectual property but at a lower cost, whilst in the other corner there is a party who also wants to increase the protection of that intellectual property, but by having them buy more domain names and associated services. There is never a win-win, but a stalemate could be reducing the number of domain names that generate value for a firm with new services that do.

Value can be measured in a number of ways – it isn’t all about the money. Some domain names are held defensively by organisations, for instance, either because they have previously been used in an infringing manner, or they simply don’t want someone else to register them. Others will be held relating to old marketing campaigns, brands or slogans which still generate some traffic. And naturally, some will be held because of the resale value they have.

But there is a danger when reviewing portfolios that names could be marked for deletion that pose a risk to an organisation or an individual if they fall into the wrong hands. There are plenty of stories about domain names that have been deleted because they appear worthless but end up being sold on for significant sums, but these aren’t normally the domains that are of concern. It’s the ones that have some other, often hidden, intrinsic value that we should be concerned about.

Most domain names have a history. Normally, that history is good. Like a car, they may go through a number of careful owners, being left to lapse before being recycled through the domain name life cycle and out again onto the open market to be registered. If a domain name has been used for a nefarious purpose it is quite hard to find that out when it is repurchased, and the new registrant may have to deal with the sins of its previous owners. But while they are being held in a portfolio, they can acquire attributes that make them more valuable than a cursory glance may suggest.

Therefore it is prudent, as part of any regular review of your domain names, and especially before you delete or decide not to renew any, to follow these steps to determine whether you are about to give away any valuable IP or put your brand at risk.

  1. Where does your domain name resolve to?
  2. Where does your domain name rank in natural search?
  3. Are there any AdWord campaigns still using the domain name or keywords?
  4. Who owns other domains that use the same keywords?
  5. What incoming links are there to any websites that the domain name resolves to?
  6. Does the domain name have any monetary value?
  7. Are there any trademarks that align to the domain name?
  8. How would you feel if your biggest competitor acquired the domain name and started actively using it?
  9. How has the domain name been used previously both internally and externally?
  10. Is the domain name on any black list?

For most organisations the marginal cost of holding a domain name is negligible, yet the potential return or, on the flip side, damage is significant. Over the next few posts we will go into detail about why you should follow the ten point plan for every domain name that you are thinking of deleting, just so you know that you are not harming any revenue or reputation that they underpin.

Whilst there is no foolproof way to ensure that domain names with value are not cancelled, following a process that ensures you have done your due diligence before you press Delete will almost certainly mitigate the risk.

Help, someone has hacked my email!

The number of attempts to phish someone by good old-fashioned email continues to rise. Why? Because more often than not there is little or no cost in sending emails to an acquired distribution list and you only need one or two people hooked to make a profit.

Phishing attempts come in various forms – ranging from the “Deposed prince who needs your help to move millions out of his country” to “the opportunity to queue-jump the COVID-19 vaccination priority list”. Many will be undone by poor spelling and grammar, whilst others will be professionally designed and look genuine.

But often the giveaway is the sender’s address. Whilst the sender may appear genuine in your email client, the actual sending address often reveals, very quickly, that it is a scam. For instance, the sender may appear as “HMRC”, “NHS” or “First Direct” but when you click on the name it appears as coming from a gmail or yahoo email account, a sure giveaway that it isn’t genuine.

Wearing my hat as Chairman of Lewes FC, my contact details appear on a number of publicly accessible websites and directories. That means I get a lot of spam and contacts from all sorts of organisations. But I also get phishing emails, also known as Business Continuity Email fraud, regularly sent from myself to myself asking for money “for a transfer” or the more popular one these days, Amazon gift cards for sponsors. I know I shouldn’t but I often keep a conversation going with them, asking why they need them now, why in dollars and who the sponsors are, all the while sending the emails from an account that clearly states who I am. The fraudsters don’t care – they think they have hooked me and just want their ill-gotten gains.

Whilst we all need to be vigilant in not being fooled by these attacks, what happens if the sending address does appear to be genuine? This is the danger of spoofed email addresses. Email spoofing is the creation of an email header that appears to be from one party but has actually been sent by a third party. Because core email protocols do not have a built-in method of authenticating that the sender is who they say they are, it is commonplace for spam and phishing emails to use spoofing to trick the recipient into believing it is genuine.

Even if domain names are registered and in use by brand holders, they can be spoofed because of the way most email systems are set up. To stop their intellectual property being used in such a way, brand holders can take measures to prevent their domain names being spoofed. Barracuda Networks are one of the experts in this field and have provided the following advice:

Since the email protocol SMTP (Simple Mail Transfer Protocol) lacks authentication, it has historically been easy to spoof a sender address. As a result, most email providers have become experts at detecting and alerting users to spam, rather than rejecting it altogether. But several frameworks have been developed to allow authentication of incoming messages:

SPF (Sender Policy Framework): This checks whether a certain IP is authorized to send mail from a given domain. SPF may lead to false positives, and still requires the receiving server to do the work of checking an SPF record, and validating the email sender.

DKIM (DomainKeys Identified Mail): This method uses a pair of cryptographic keys that are used to sign outgoing messages, and validate incoming messages. However, because DKIM is only used to sign specific pieces of a message, the message can be forwarded without breaking the validity of the signature. This technique is referred to as a “replay attack”.

DMARC (Domain-Based Message Authentication, Reporting, and Conformance): This method gives a sender the option to let the receiver know whether its email is protected by SPF or DKIM, and what actions to take when dealing with mail that fails authentication. DMARC is not yet widely used.

Even a domain name that a brand has only registered defensively should be protected against spoofing, as these domains are often used by fraudsters in the knowledge that misuse may be less likely to be detected by the firm itself.
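To show how this can be checked across a whole portfolio, including defensively registered names that never send mail, here is an added Python example (not Barracuda's or this blog's own code) that reads each domain's SPF and DMARC TXT records and rates how well the name is protected. The domain names, record values and rating labels are constructed assumptions; DKIM is left out because its selector names cannot be derived from the domain name alone.

```python
"""Audit SPF and DMARC TXT records for every domain in a portfolio."""

# Constructed sample data: TXT records keyed by DNS name, as a resolver
# would return them. All names are placeholders under .example.
PORTFOLIO = {
    "brand.example": {            # main sending domain
        "brand.example": ["v=spf1 include:_spf.mailhost.example -all"],
        "_dmarc.brand.example": [
            "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"
        ],
    },
    "brand-offers.example": {     # defensive registration, sends no mail
        "brand-offers.example": ["v=spf1 -all"],
        "_dmarc.brand-offers.example": ["v=DMARC1; p=reject"],
    },
    "brand-shop.example": {       # records exist but nothing is enforced
        "brand-shop.example": ["v=spf1 a mx ~all"],
        "_dmarc.brand-shop.example": ["v=DMARC1; p=none"],
    },
    "oldcampaign.example": {      # defensive registration, never configured
        "oldcampaign.example": ["site-verification=constructed-value"],
    },
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_default(txt_records):
    """Return what the SPF record says about senders it does not list."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"          # more than one SPF record is an error
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
            return SPF_QUALIFIERS[qualifier]
    return "neutral"              # no "all" term (redirect= is not followed)


def dmarc_policy(txt_records):
    """Return the p= policy of the DMARC record, or "missing"."""
    for record in txt_records:
        tags = {}
        for part in record.split(";"):
            key, sep, value = part.partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip()
        if tags.get("v") == "DMARC1":
            # A record without p= is treated here as monitoring only.
            return tags.get("p", "none").lower()
    return "missing"


def assess(domain, zone):
    """Rate one domain from its own TXT records and its _dmarc records."""
    spf = spf_default(zone.get(domain, []))
    dmarc = dmarc_policy(zone.get("_dmarc." + domain, []))
    enforced = dmarc in ("quarantine", "reject")
    if enforced and spf == "fail":
        rating = "protected"
    elif enforced or spf == "fail":
        rating = "partial"
    else:
        rating = "unprotected"    # receivers are given no instruction to block
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "rating": rating}


def audit(portfolio):
    """Assess every domain in the portfolio."""
    return [assess(domain, zone) for domain, zone in portfolio.items()]


if __name__ == "__main__":
    for row in audit(PORTFOLIO):
        print("{domain:22} spf={spf:9} dmarc={dmarc:8} {rating}".format(**row))
```

For a domain that never sends mail, the pair `v=spf1 -all` and `v=DMARC1; p=reject` tells receiving servers that no sender is authorised and that failing mail should be rejected.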

Most corporate-focused registrars offer these email security measures. With revenues and reputations at stake, why wouldn’t any brand want to take as many preventative measures as possible to protect both?

Avoiding the sting of a fake COVID vaccine

There doesn’t seem to be a week going by at the moment without a new COVID-19 vaccine being ready for distribution after completing initial trials. As of the end of February there are vaccines in use produced by Oxford-AstraZeneca, Pfizer/BioNTech and Moderna, with the Novavax and Johnson & Johnson versions close to being available. This is fantastic news in the crusade to vaccinate as many people as possible so we can all return to as normal a life as possible.

In the UK we have been living under full or partial lockdown for almost a year. That has had a huge impact on everyone both physically and mentally. Over 100,000 lives have been lost and countless families have been impacted. Thousands of businesses have been forced to close and unemployment continues to rise as a result. Therefore, the demand for the vaccination is growing all the time.

The vacuum created by the increasing demand and the scarce supply of vaccinations is being filled, to some extent, by fraudsters who are targeting the most vulnerable and needy with offers to buy the vaccine now rather than wait for it to be administered for free based on the health authorities’ prioritisation list.

Bolster, the fraud prevention company, published a report last week that looked at the rise in domain name registrations from the past year that featured the words ‘vaccine’ and ‘COVID’. Almost 12,500 domain names were registered with those keywords in 2020. A large number will be genuine, with some firms registering domain names featuring relevant keywords to let customers know what they are doing about the pandemic.

In the last 7 days there have been over 650 domain names registered that start with the word “covid” according to a search through Domainpunch.com, whilst there are almost 800 more that have the word somewhere in the domain name, across a variety of TLDs. There are also nearly 150 domain names featuring the word “covid” in the 1 million most popular websites in the world.

There have been calls to stop any registrations of domain names featuring such keywords, with NameCheap being one registrar who have placed restrictions on the registration of certain keywords relating to the pandemic. However, it is still far too easy for an opportunist to register a domain name and set up a website – for instance the domain name novavax.shop was registered on the day of the announcement of the rollout of that vaccine and a “coming soon” website lander added.

Domain registrations that contain the names of the manufacturers of vaccines such as “Pfizer” and “BioNTech” have increased since March 2020 – domain names referencing the two companies rose from just 13 in January 2020 to 343 in December 2020. In the case of Moderna, Bolster found 3,596 new domain registrations in 2020, rising from 114 in January 2020 to over 500 in December.

It isn’t just vaccines that are being fraudulently offered. Vaccine appointments for cash, fake home testing kits and miracle cures are still all too easy to find. With little return on investment required, fraudsters can quickly make a profit from unsuspecting and often desperate victims.

There are no shortcuts or alternative drugs. Whilst the roll-out and distribution of millions of vaccines is a logistical headache for all governments, it will happen. Patience is the key and if you do come across any offers that look too good to be true, they undoubtedly will be and could potentially do you more harm than good.

Money can’t buy you love

Like it or not, the commercialised world we now live in is determined by events in the year. As soon as Christmas is over, the focus is on Easter. Halloween has now become the in-thing whilst every year there seems to be another day of celebration slipped into our consciousness by retailers and their marketing teams. One event that is now looming large is Valentine’s Day. For some people this is the opportunity for over-exuberance and lavish gifts to win the hearts of someone. But it is also a big date in the diaries of the fraudsters in trying to part us from our cash.

One industry that has seen the levels of fraud rise has been online dating. As with the way we consume our media, do our shopping and interact with each other, technology has made it easier for us to try to find love, with online apps now catering for all potential suitors. It has never been easier to find love, someone said to me last year and whilst I understand what they are saying, it has also never been easier for a fraudster to break someone’s heart and their savings.

A recent example of the increase in nefarious activity in the online dating world has been an increase in investment-based scams that have started off as online conversations between two people supposedly “looking for love”. INTERPOL has recently brought the subject to the attention of all of its 194 member countries by issuing a Purple Notice outlining a specific modus operandi on dating apps and websites.

The International Criminal Police Organisation has compiled evidence from reported cases that have used dating websites. In these cases, what they refer to as an artificial romance is established and trust is built, and then the fraudsters share details of an investment scheme that they encourage the victim to take part in. After all, having spent time getting to know each other, sharing personal and potentially intimate details, the long-term prospects of a relationship look good. The fraudsters “sell” the investment scheme, often accessed via an app, and continue to encourage further investment.

With many relationships now having to start and grow online due to the restrictions that COVID-19 has placed on us all, the conditions for these scams to fester have never been stronger.

The investment firms have authentic looking websites, domain names that could be using homographs to make them look real (Greatlnvestment.com rather than GreatInvestment.com – looks identical but there is a small ‘l’ rather than a capital ‘I’) and fake reviews that can be bought easily online. Everything looks good until one day the money, the firm and the potential love of their lives just disappears.

INTERPOL’s Financial Crimes unit has received reports of cases from around the world and have also reached out to the more popular apps and websites to ask for their help in raising any flags from users of suspicious looking activity. On Valentine’s Day it is a case of not only considering the “it” but also “they” in the old adage of If it looks too good to be true, it probably is!

No Return on Investment

Action Fraud, the UK’s national reporting centre for cybercrime, has seen a growing number of reports relating to investment fraud, with the average loss now reaching £45,000.

Education and awareness of scams and potential fraud have greatly reduced the number of victims in many cases of cyber crime, but the ease of being able to create a convincing online presence, backed by social media, has allowed the fraudsters to become more authentic-looking and thus able to hook a new set of victims.

Technology has made it so much easier for us all to be able to invest in equities. Most reputable firms now have apps that allow you to buy, sell and track your investments from the palm of your hand. These have become increasingly popular with older generations who tend to have more available funds and time to research who to invest in.

However, Action Fraud has seen a rise of 29% in cases of ‘clone firm fraud’ where genuine looking investment firms are created, including professionally designed websites, and investors are targeted to deposit funds that are never seen again. A frightening stat from 2020 is that more than £78 million was reported lost through investment fraud. The Financial Conduct Authority said it received over 3,700 reports of these clone scams during the lockdown in 2020.

Some of the tactics used by fraudsters to entice victims are the same as those used by genuine firms: Social Media presence, SEO and AdWord campaigns, outbound email and telephone marketing. Unfortunately, it does not take much effort or cost to create an authentic looking investment firm online.

There are some steps that can be taken by potential investors though to check if the firm they are considering using is genuine. Here’s our five step guide to fraud prevention.

  1. Look at the domain name the company is using and do a WHOIS check to see when it was registered and where. If it was relatively recent it could be a sign of a company that isn’t what or who it seems.
  2. On their website look for the contact details. Is the address a genuine building – use Google Streetview to look at the building to see if it is genuine. Do they use mobiles and retail email addresses (gmail, yahoo, aol etc)? They should be signs that it may not be all that it seems.
  3. Is the content on their website all theirs? Often scam websites will lift content directly from someone else. Take a sample paragraph and paste it into a search engine and see what the results are. If there is duplicate text elsewhere, investigate if it has been directly taken from a reputable firm’s website.
  4. If the initial approach was by phone, be very wary. Cold calling on investment opportunities especially if related to pensions has been banned in the UK for over a year.
  5. Any reputable investment firm will have a Firm Reference Number (FRN) which can be checked on the FCA’s register. Use the FCA’s website to check the firm’s detail and whether the contacts you have match.

It is almost impossible to get any investments made back from the fraudulent firms. They close down their operations immediately at any sign of being discovered and move on to a new scam quickly. Remember ABC – Always Be Cautious – when it comes to any type of investment. As with most things in life, if it looks too good to be true, it probably is!

Hello, i5 it m3 y0u are I00king for?

HeiIo…

Was that a real, genuine hello or a fake hello?

At first glance it seems genuine enough but that is because our brains translate what we see into what they think we want to see. It’s not a genuine hello, as most of you will now see, as I have replaced one of the ‘l’s with a capital ‘I’. The trouble is our mind is far more complex and intelligent than we give it credit for and rather than reading every letter we see, we focus on the first and last letters followed by the characters we would expect to find in a word, while the exact order of the characters is less relevant for our understanding of a word. In other words, our brains are just too clever, backed up by Cambridge University who have carried out significant, or should we write singficant, research into what has been termed Typoglycemia – a neologism for the cognitive processes involved in reading text.

Want some more proof? OK, well see how quickly you understand the following sentences despite them being littered with natural spelling mistakes:

“At shcool we were tuahgt taht slpeling was ipmorantt”

“The huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe”

“Typoglycemia sneds my sepllchkehcer carzy”

It’s a good thing that our brains work in this way, right? In most instances, yes. It helps us absorb information quickly and react accordingly but it also opens us up to the risk of being fooled by cyber criminals who have turned our new-found strength into a common weakness.

In 2019, according to a survey carried out by Retruster, 76% of businesses who responded said they have been victims of a phishing attack. That is a very scary stat and one that shows no signs of shrinking over time. Fortunately, most attacks aren’t genuine and many will go unnoticed, caught by our spam filters in email or simply laughed away as being so far-fetched that they could never be true – I mean, would a deposed dictator of an African country really reach out blindly to any of us?

Why is the number of phishing attacks rising? Partly because of the increased use of domain names that are either deliberately spelt in a way that trips our brains into thinking they say something they don’t, or that use mixed script, where letters from non-Latin alphabets are subtly substituted so that the domain names look like brand names or popular websites but in truth divert you to more nefarious locations.

These domain names are often called Homographs and are characterised by a mix of substitute letters or numbers with characters from Latin, Greek, Cyrillic and other scripts. Whilst the characters actually registered are Latin script characters beginning with the “xn--” prefix, they are translated into local script when they appear in a browser or search bar. The danger is that most of us will not see the subtle nuances of the different characters and our brains will tell us that everything is in order.

Domain name registries are starting to provide solutions for the issues that surround homograph registrations. The TrueName™ solution from Donuts, for instance, blocks homographic variations of any domain name that is registered in one of their TLDs. Take a domain name such as university.degree. There don’t seem to be too many potential variants of two very common words, but you would be mistaken. There are actually 1,439 other variants that could be used to make a similar domain name, such as:

  • ʋniversity.degree
  • unıversity.degree
  • unɪversity.degree
  • uniᴠersity.degree

It is only when you see the actual characters that are used in the registration of the domain name that you can see how different they are to the original university.degree domain name:

  • xn--niversity-pje.degree (ʋniversity.degree)
  • xn--unversity-wpb.degree (unıversity.degree)
  • xn--unversity-c9d.degree (unɪversity.degree)
  • xn--uniersity-223d.degree (uniᴠersity.degree)
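The translation between the registered “xn--” form and the displayed form can be reproduced with a few lines of Python. This is an added example, not a registry's or the author's tool: it decodes each label, lists the non-ASCII characters hiding in it and compares a "skeleton" of the name with a protected domain. The confusables table is an assumption limited to the four characters shown above, and the second benign candidate is constructed.

```python
"""Decode IDN labels and flag look-alikes of protected domain names."""
import unicodedata

# Assumption: a deliberately small confusables table holding only the four
# look-alike characters listed on this page. A production check would load
# the full Unicode confusables data instead.
CONFUSABLES = {
    "\u028b": "u",  # LATIN SMALL LETTER V WITH HOOK
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u026a": "i",  # LATIN LETTER SMALL CAPITAL I
    "\u1d20": "v",  # LATIN LETTER SMALL CAPITAL V
}


def decode_label(label):
    """Return the displayed form of one DNS label."""
    label = label.lower()
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label              # malformed encoding: keep the raw label


def decode_domain(domain):
    """Decode every label of a domain name."""
    return ".".join(decode_label(p) for p in domain.rstrip(".").split("."))


def skeleton(name):
    """Replace each known look-alike with the letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


def describe_non_ascii(name):
    """List (code point, Unicode name) for every non-ASCII character."""
    return [("U+%04X" % ord(ch), unicodedata.name(ch, "UNNAMED"))
            for ch in name if ord(ch) > 127]


def find_lookalike(candidate, protected):
    """Return the protected domain that `candidate` imitates, or None."""
    shown = decode_domain(candidate)
    for brand in protected:
        brand = brand.lower()
        if shown != brand and skeleton(shown) == skeleton(brand):
            return brand
    return None


def audit(candidates, protected):
    """Report every candidate that displays like a protected domain."""
    findings = []
    for candidate in candidates:
        brand = find_lookalike(candidate, protected)
        if brand:
            findings.append({
                "registered": candidate,
                "displayed": decode_domain(candidate),
                "imitates": brand,
                "characters": describe_non_ascii(decode_domain(candidate)),
            })
    return findings


# The four registered forms listed on this page, followed by two benign
# names (the last one is a constructed sample).
CANDIDATES = [
    "xn--niversity-pje.degree",
    "xn--unversity-wpb.degree",
    "xn--unversity-c9d.degree",
    "xn--uniersity-223d.degree",
    "university.degree",
    "xn--mnchen-3ya.example",
]

if __name__ == "__main__":
    for finding in audit(CANDIDATES, ["university.degree"]):
        print(finding["registered"], "->", finding["displayed"],
              finding["characters"])
```

All four substitutes are themselves Latin-script letters, so a check that only looks for mixed scripts would pass every one of them; it is the comparison of skeletons that catches them.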

Thanks to Typoglycemia, our brains read the domain names perfectly, which could lead us down a path laid by a maleficent individual or group who are hell-bent on obtaining my personal and financial details. We all need to be aware that these dangers do exist in the digital world and it pays to double check not only the URL we are following but also whether the website we end up on is behaving the way it should. Am I being asked for my user name and password when normally I am logged in via the saved password and cookie stored on my machine? Why does the website need my credit card details if I am not buying anything? Does the website look different from when I was last on it?

Unfortunately, there is no real “retro fit” tool that can help us identify homograph domain names that have already been registered. Going forward, registries will almost certainly start to develop their own tools that can identify and stop any homographs that infringe on brand names and Intellectual Property from being registered, but in the meantime it is important that we all try to be part of the solution and not the problem that our own human super computers are partly responsible for.

Positive COVID vaccine news could lead to an increase in email phishing

The news that the US authorities have approved a second COVID-19 vaccine is another step in the right direction for bringing the global virus under more manageable control. The Food and Drug Administration (FDA) authorised the use of the MRNA-1273 vaccine, produced by US-based Moderna.

It is likely that the distribution of the vaccine will begin within the US in the next few days, with the US Government agreeing to buy 200 million doses, whilst the UK has pre-ordered seven million doses. The vaccine is slightly different to the Pfizer vaccine, which began being administered in the UK last week, as it can be stored at a higher temperature (-20c to -75c for the Pfizer one) which makes the logistical headaches of safe distribution and administration slightly easier.

So, what’s the issue? From an intellectual property point of view, there are inherent risks of fraudsters using the news and the impending availability to create campaigns that are designed to defraud unwitting potential recipients.

The vaccine, MRNA-1273, started off its life in China back in January and it was then shared with Moderna who have developed and trialled the vaccine since. There’s no surprise to learn that domain names, such as MRNA-1273.com, were registered back in January and have since lain dormant. The danger now is that they could become active, with convincing looking websites built to fool unsuspecting victims.

The Moderna domain name portfolio doesn’t yet appear to feature domain names using the word “vaccine” or “mrna1273”. Not securing relevant domain names, which will include TLDs such as .online, .help, .health or .store, means that cyber criminals can quickly create email campaigns that direct unsuspecting victims to authentic-looking websites that could be designed to capture personal, financial and health data from people.

To understand why cyber criminals will try to gain the trust of any victim in a vaccine scam you only have to know the value of our data. According to a report published by Trustwave, the value of a payment card on the dark web is around $5.40 whilst someone’s healthcare information can fetch up to $250, with data protection company Protenus suggesting a full record, including more personal information could fetch up to $1,000. To put this into context, the cost of registering a domain name is often less than $1, setting up a website takes an hour or so, whilst sending an email costs virtually nothing. It isn’t hard to see why these fraudulent email campaigns are still a major concern for us all.

It is great news that the pharmaceutical and drug companies have pulled out all the stops to create effective and safe vaccines that will benefit us all. Whilst they will have intellectual property and brand protection programmes in place, it also needs us all to be part of the solution and not give the cyber criminals the satisfaction, or the opportunity to profit, from our online activities.

If it looks too good to be true…

STOP PRESS: The US Department of Justice has already seized two domain names being used to fool people into thinking they were on a website belonging to Moderna. Don’t think this issue is going to go away any time soon!

Day 12 of avoiding Christmas scams – Social Media scams

Where do you start with scams on Social Media? You don’t have to look far on Social Media to find some sponsored ads or messages that are designed to hoodwink people and drive financial gain into the hands of the fraudsters and scam artists.

One common ploy used by scam artists is to pretend to represent a well-known brand who are desperate to give away stock or sell it off at cut price.

One instance we saw frequently during lockdown in 2020 was Facebook groups set up using the Argos brand. A typical example can be seen on the left where the brand is claiming to be giving away 50 damaged expensive items in exchange for sharing the post and liking the page. What harm is there in that?

Naturally, if you do that then the fraudsters will contact you to say you are one of the lucky 50 and they just need a few more details from you…oh, and the delivery fee. Naturally, by the time people realise they have been scammed, the Facebook pages no longer exist.

They can easily add credibility to their posts and pages by buying likes and even comments from companies that offer a story. The scam looks a lot more genuine if people are adding comments saying they have their items and they work perfectly.

There are a number of warning signs that posts like the one on the left are not genuine. Firstly, the spelling and grammar are poor – “Returned” not “returned”, “Curved” not “curved”, “for a numerous reasons”, “fulling working” and “aloud” rather than “allowed”.

And then there is the question of why a major retailer such as Argos would be simply giving away stock – why wouldn’t they do that through their shops in the first place if they did have such items? My main issue with the photo used (the top one) is that worrying crack running along the floor to the left of the TVs rather than the damaged stock.

Unfortunately, it is far too easy for the scammers to set up these pages, cause damage and then move onto the next scam. Whilst the social media networks need to up their game in detecting and stopping brands being abused, social media users also need to heed the warning signs and stop simply handing over personal and financial details so willingly. If there is no demand, there will be no supply.

And that’s it for our 12 Days of Christmas Scams for another year. Let’s hope that in a year’s time we will be living and working in happier times and these posts can tell stories of how consumers have beaten the scammers and not vice-versa.

Day 11 of avoiding Christmas scams – Fake COVID-19 fines

And so here we are again. Welcome to National Lockdown part 3. Nobody wants to be here but we all have to play our part to ensure that one day, hopefully in the not too distant future, we can return to some kind of normality.

When Prime Minister Boris Johnson announced the latest measures being put in place to try to stop the accelerating spread of the COVID-19 virus, he once again said that people should stay at home, only leaving for a small number of reasons, similar to the restrictions placed on us earlier in the year.

Back then text messages started to be received informing the recipients that they had transgressed the rules on leaving the house and would face a fine. The messages contained a URL that appeared to be genuine – http://www.gov.uk is the website for all Governmental matters, but the URL didn’t take you to the genuine website, rather one that had been made to look like the genuine one.

By suggesting the fines were small amounts, people, in theory, would be more likely to pay them, assuming they had indeed breached the regulations. Thousands of these texts were sent and I would imagine more than a handful of people were duped into paying the fine.

Now with lockdown part 3 in place you can be assured these texts will start to be received far and wide.

If you do receive one of these, the only thing you should do is delete it straight away.