Cyber Fraud Awareness
We are writing to all licensees to highlight the risk of cyber fraud, which appears to be an
increasing risk in the jurisdiction. This email provides some guidance and asks you to increase
vigilance around customer data, client monies and your own monies. It will also be published on
our website and on our Twitter and Facebook pages. Our aim is to increase awareness and give some
tips on how fraud can be prevented.
We suggest that you increase awareness in your own organisation.
Email Spoofing
Spoofing:
• Noun: the act or an instance of impersonating another person on the internet or via email
• Verb: to communicate electronically under a false identity
(Collins Dictionary definition)
Email spoofing is a very common means of cyber attack, as it presents a member of staff with an
email that appears to come from a name they trust and respect, and whose instructions they are
likely to follow (for example their boss or a senior member of staff in the company). It is a very
simple and effective tool for cyber attackers and, considering the number of emails one receives
daily at work, it is relatively easy for an email not to receive appropriate scrutiny.
Here are five tips to prevent email spoofing:
• Use authentication based on key exchange between the machines on your network;
  something like IPsec will significantly cut down on the risk of spoofing
• Use an access control list to deny private IP addresses on your downstream interface
• Implement filtering of both inbound and outbound traffic
• Configure your routers and switches, if they support such configuration, to reject packets
  originating from outside your local network that claim to originate from within
• Enable encryption sessions on your router so that trusted hosts that are outside your
  network can securely communicate with your local hosts
Here are some articles on spoofing that we think may be helpful:
http://searchsecurity.techtarget.com/definition/email-spoofing
http://www.computerworld.com/article/2546050/network-security/the-top-five-ways-to-preventip-spoofing.html
The first link, from searchsecurity.techtarget.com, provides a link toward the end of the article to a
Wikipedia page on email spoofing. It is a useful page for gaining an understanding of email spoofing,
and has sections on Technical Detail, Identifying the Source of the Email, and Counter
Measures.
Simple Precautions
There are some simple tools that can help prevent cyber scams.
• Request confirmation by phone or fax after receiving an email to transfer monies.
• Place a limit on transfers so that more than one signature is needed for higher amounts.
• Provide staff with simple checks on email authenticity. A quick check is:
  If you receive an email from someone in your organisation using their work address
  (assuming you are using Outlook):
  1. Open the email in a new window (double click it).
  2. Get the email headers by clicking on File and then Properties.
  3. Verify that the “From” server and the “By” server are the same (usually the first
     header, called Received).
  4. Verify that the “From:” address and the “Reply-To:” address (if present) are the
     same.
  If step 3 or 4 fails, there is something going on here…
• Test staff alertness by sending safe spoof emails and seeing how many staff open them.
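Checks 3 and 4 of the quick header check above can also be run automatically over a saved message. The Python sketch below is an added example, not part of the original guidance; the function name check_headers, the sample messages and the example.test / .invalid domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from <host> ... by <host>" inside one Received header value.
_RECEIVED = re.compile(r"^\s*from\s+([^\s;]+).*?\bby\s+([^\s;]+)", re.I | re.S)

def check_headers(raw_message):
    """Return a list of findings; an empty list means steps 3 and 4 both pass."""
    msg = message_from_string(raw_message)
    findings = []
    # Step 3: the first Received header should name the same "from" and "by" server.
    received = msg.get_all("Received") or []
    match = _RECEIVED.match(received[0]) if received else None
    if match is None:
        findings.append("no usable Received header")
    elif match.group(1).lower() != match.group(2).lower():
        findings.append(f"Received from {match.group(1)} but by {match.group(2)}")
    # Step 4: Reply-To, if present, should be the same address as From.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = msg.get("Reply-To")
    if reply_to is not None and parseaddr(reply_to)[1].lower() != from_addr:
        findings.append(f"From {from_addr} but Reply-To {parseaddr(reply_to)[1].lower()}")
    return findings

# Constructed sample messages (reserved example domains and addresses).
GENUINE = (
    "Received: from mail.example.test (mail.example.test [192.0.2.10])\n"
    "\tby mail.example.test with ESMTP id A1; Mon, 4 May 2015 09:00:00 +0000\n"
    "From: Director <director@example.test>\n"
    "To: accounts@example.test\n"
    "Subject: Payment request\n\nPlease transfer the funds today.\n"
)
SPOOFED = (
    "Received: from smtp.sender.invalid (smtp.sender.invalid [203.0.113.7])\n"
    "\tby mail.example.test with ESMTP id B2; Mon, 4 May 2015 09:05:00 +0000\n"
    "From: Director <director@example.test>\n"
    "Reply-To: director@lookalike.invalid\n"
    "To: accounts@example.test\n"
    "Subject: Payment request\n\nPlease transfer the funds today.\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_headers(raw) or "both checks pass")
```

A finding is a prompt to confirm the request by phone, as recommended above, rather than proof of fraud: internal mail relays with different hostnames will also fail the exact-match test in step 3.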
Useful links and websites
The Metropolitan Police website has some excellent links and information on all types of fraud. Here
are a couple on email and telephone tricks:
http://content.met.police.uk/Article/Unwanted-and-unsolicited-mail-marketing-and-telephonecalls/1400010761882/1400010761882
http://content.met.police.uk/Article/Vishing-and-SMiShing/1400016835539/1400016835539
There is also an important section on protecting your business:
http://content.met.police.uk/Site/businesscompanyinformation
We have also found their ‘Little book of Big Scams’ helpful:
http://www.met.police.uk/docs/little_book_big_scams_business_edition.pdf
The Financial Conduct Authority also share their advice for fraud prevention:
http://www.fca.org.uk/consumers/scams/how-to-avoid-scams
Follow the link below also for more guidance from the FCA:
http://media.fshandbook.info/Handbook/FC1_FCA_20150427.pdf