News from 2021

December 2021 ~ “Good cybersecurity is not about technology . . . it’s about people!”

“Cyber risk is business risk, and cyber security is national security!” says Bryan Vorndran, Assistant Director of the FBI’s Cyber division.

Following on from our report [October 2021] that the UK Government may at last be responding appropriately to the ever-rising tide of fraud, not least cybercrime, US agencies, who have long taken a more proactive stance against the same ‘bad actors’ we face here, are providing some sage advice over the Christmas / New Year holiday period.

This short YouTube video, produced jointly by the Cybersecurity and Infrastructure Security Agency [CISA] and the FBI, provides sound guidance for businesses, large and small, particularly in relation to the expected upsurge of phishing attacks over the holidays when staffing levels will be limited and potentially off-guard. This advice is not restricted to the holiday season, of course, and is just as relevant 365 days of the year.

The European response to cybercrime has been dysfunctional to say the least. It has been plagued by an inability to coordinate countermeasures; primarily as individual nations are reluctant to take on responsibility for cross-border investigations . . . because any individual agency accepting primacy will end up shouldering the cost.

In contrast, US authorities have for some years taken strong action against this scourge; particularly where it is state sponsored. Hopefully, the UK’s proposed response can match the lead given by the Americans.

November 2021 ~ Smishing . . . what can we do?

How frequently do we still get those authentic-looking SMS text-messages, encouraging us to follow that link and reveal our login information . . . an action which will surely result in us kissing good-bye to our data and/or money?

It may not only be an SMS text, of course. It can be any messaging platform; perhaps WhatsApp or Instagram. So, if we fall for it, we might also be losing control of our social media.

Someone ‘smishing’ us will want us to take certain action; perhaps to click on that link or make a call. We mustn’t forget that they are urging us to enter our usernames and passwords so they can use them to steal from us.

Another mode of attack might involve being asked to respond by text to a blatant request for personal or financial details, or to download a malicious app . . . with the same devastating result.

Gone is the opportunity to check out ‘Whois’ to see if it’s a genuine website we are being steered towards; we can thank GDPR for that! So, what can we do to protect ourselves from ‘smishing’ and spot those other red flags?

We can study the phone number. Is it correctly formatted? Or is it a random UK mobile number? We can ask ourselves, why would our bank [or whatever] be using that number? International scammers in general are spoofing UK mobiles all the time because our systems allow it . . . and will continue to do so until 2025 at the earliest, when we move to VOIP; [see May 2021 posting].

If it’s a website we are being asked to engage with, then that should raise our suspicions immediately. We can be sure that the fake site will be mocked-up to resemble the genuine one, so we can watch out for the oddly placed full-stop or hyphen in the URL.

We can examine the content of the text. Are there grammatical errors or spelling mistakes? For many of these smishers, English will not be their first language.

Are we being tempted to respond because there is a ‘reward’ . . . a gift-card or the like? Again, we are being urged to ‘take action’, so beware.

Perhaps the ‘big clue’ should be the degree of urgency which the smisher will try to inflict on us. Are we being encouraged to ‘act fast’ in order to protect ourselves? Here, above all, we need to pause and take stock.

It goes without saying that we should all keep our devices protected by ensuring phone and computer software is updated.

If after all this we are still in doubt, then we can always contact the purported sender by another reliable method and check if the message is authentic.

Bottom line . . . think before you click!
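As an added illustration, not part of the original post, the red flags listed above turned into a small Python triage routine: it flags an ordinary UK mobile as the sender, a link whose host imitates a genuine domain with an oddly placed full-stop or hyphen, and urgency, reward or credential bait. The allow-list of genuine hosts and the three sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the genuine hosts this recipient actually deals with
# (assumption for the example; a real deployment would hold the user's own list).
KNOWN_GOOD_HOSTS = {"mybank.co.uk", "parcelco.com"}

# Phrases matching the red flags described in the text.
URGENCY_PHRASES = ["urgent", "immediately", "within 24 hours", "act now", "suspended", "locked"]
REWARD_PHRASES = ["gift card", "gift-card", "reward", "prize", "won", "voucher"]
CREDENTIAL_PHRASES = ["password", "username", "pin", "passcode", "one-time code"]

# An ordinary UK mobile (07xxx xxxxxx or +447xxx xxxxxx) once spaces and dashes are removed.
UK_MOBILE_RE = re.compile(r"^(?:\+44|0)7\d{9}$")
URL_RE = re.compile(r"https?://\S+")
UK_SECOND_LEVEL = {"co", "org", "gov", "ac", "me", "ltd", "plc"}


def registered_domain(host: str) -> str:
    """Approximate the registrable domain: last two labels, or three for .co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in UK_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_of(host: str, known=KNOWN_GOOD_HOSTS):
    """Return the genuine host that `host` imitates, or None.

    A genuine subdomain (secure.mybank.co.uk) resolves to an allow-listed registered
    domain and passes. A host that merely contains the brand once dots and hyphens
    are stripped (mybank.co.uk-secure.com, my-bank.co.uk) is the misplaced
    full-stop or hyphen trick and is reported as a lookalike.
    """
    if registered_domain(host) in known:
        return None
    squashed = re.sub(r"[.-]", "", host.lower())
    for good in sorted(known):
        brand = good.split(".")[0]
        if brand in squashed:
            return good
    return None


def _mentions(text: str, phrases) -> list:
    """Whole-word matches, so that 'won' does not fire on 'wonder'."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text, re.I)]


def triage_sms(sender: str, text: str, known=KNOWN_GOOD_HOSTS) -> dict:
    """Map each red-flag category found to a short explanation; an empty dict means nothing suspicious."""
    flags = {}
    if UK_MOBILE_RE.match(re.sub(r"[\s()-]", "", sender)):
        flags["mobile-sender"] = f"sender {sender!r} is an ordinary UK mobile, not a known line or short code"
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host, known)
        if imitated:
            flags["lookalike-link"] = f"link host {host!r} imitates {imitated!r}"
        elif registered_domain(host) not in known:
            flags["unknown-link"] = f"link host {host!r} is not on the allow-list"
    for key, phrases in (("urgency", URGENCY_PHRASES), ("reward", REWARD_PHRASES),
                         ("credentials", CREDENTIAL_PHRASES)):
        hits = _mentions(text, phrases)
        if hits:
            flags[key] = "mentions " + ", ".join(repr(h) for h in hits)
    return flags


# Constructed sample messages (Ofcom's 07700 900xxx drama range, invented hosts).
SAMPLES = [
    ("07700 900123", "MyBank: unusual activity detected. Your account will be suspended within 24 hours "
                     "unless you confirm your password at https://mybank.co.uk-secure.com/verify"),
    ("MyBank", "Your statement is ready. View it at https://secure.mybank.co.uk/statements"),
    ("+44 7700 900456", "Congratulations! You have won a £100 gift-card. Claim it at https://my-bank.co.uk/claim"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        flags = triage_sms(sender, text)
        print(f"{sender}: {'SUSPICIOUS' if flags else 'no red flags'}")
        for detail in flags.values():
            print("  -", detail)
```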

October 2021 ~ Fraud is a “national threat”

“We are calling for coordinated action and increased efforts from government and other sectors, to tackle what is now a national security threat,” says Katy Worobec, Managing Director of Economic Crime at UK Finance.

Technology chiefs are currently being questioned by MPs on the Treasury Committee about their efforts to prevent economic crime; answering questions as to why around 70% of fraud originates via online platforms, including social media.

According to BBC News, romance fraud [up 63%], impersonation fraud [up 123%] and investment scams [up 95%] continued to rise, whilst authorised push payment [APP] fraud alone rose by 71% to £355m, for the first time outstripping bank and credit-card fraud.

Ms Worobec said that co-ordination was needed between banks and a range of technology providers to tackle the issue, as well as raising awareness among consumers. However, the banks’ and police’s own efforts in stopping the rising tide of fraud will also come under the microscope, with ministers promising an overhaul in the fight against fraud.

September 2021 ~ GDPR: a hacker’s weapon?

Since 2017, prior to the introduction of the General Data Protection Regulation, IPFGB has continued to warn that the legislation, introduced as a safeguard to the public, was ill thought out. The motive was worthy, but the methodology flawed; not least by the introduction of punitive penalties for breaches. These have clearly encouraged governments to treat them as cash-cows, thus rendering them potentially counter-productive.

This phenomenon is perfectly demonstrated by the concerning rise in ransomware attacks; the perpetrators of which are now armed with an additional threat . . . “Pay us £1m, or we publish the data . . . and you will be fined £20m!” [£20m was how much British Airways was penalised for “poor security arrangements” when hackers captured data belonging to half a million customers.] In 2020, more than 1000 companies saw their data published online when they refused to submit to demands. How many others were subjected to ‘double-extortion’ and took the cheaper option to pay the cybercriminals can only be speculated.

“A New Direction”, a consultation document published this month by the Department for Digital, Culture, Media and Sport, illustrates how the UK is diverging from the EU in developing its data protection legislation. Whilst the desire to protect the public’s data remains key, there is a clear recognition that GDPR in its current form is restrictive and that business needs to operate in “a pro-growth and innovation-friendly regime”. Might we hope that this fresh approach will include an emphasis on targeting the criminals and not the victims?

August 2021 ~ Good-bye Action Fraud! What next?

The Centre for Counter Fraud Studies at the University of Portsmouth estimates that the cost of fraud to businesses and individuals in 2021 will be £137 billion. Since 2008, the police in England and Wales have been content to abrogate their responsibility in taking on this cancer of crime, instead willing to direct victims to a national fraud reporting system which has been both under-resourced and lacking in direction and purpose. Due to its sorrowful record over 13 years, it has effectively encouraged the growth of fraud, leaving the public and commerce unprotected. At last, the bullet has been bitten, the nettle grasped, and the under-achievers booted out.

Or has it? The replacement is not too clear. Possibly, we’ll have an “improved reporting system” bolstered by an additional force, dedicated to cybercrime, and set up within the National Crime Agency to investigate more complex and serious fraud cases. In that event, a radical programme of training will be necessary to address the current situation where fewer than one in 200 police officers have any experience in fraud investigation. How can that have come to pass when fraud now accounts for 40% of all crime? And that is only what is reported!

In the meantime, someone has to do the job, and these days it is those of us outside law enforcement, such as IPFGB, who are charged with investigating fraud cases on behalf of our clients. It is we who track down those responsible and, in most cases where we are successful, our instructing lawyers hit the fraudsters in the pocket by settling the matter in the civil courts.

But it is also open to victims to go down the criminal route. Only last month it was reported [source: Insurance Business] that ERS successfully pursued a private criminal prosecution against three High Wycombe taxi drivers, who produced false testimonies in an attempt to secure £63k in personal injury damages.

Analysis of CCTV footage showed that the claimants’ versions of events were false. The claim was withdrawn, but the insurance company decided to prosecute, and the trio was successfully convicted of fraud by misrepresentation. This was apparently the first time an insurer had used the Fraud Act 2006 to secure convictions against both a claimant as well as the witnesses supporting the claims.

The pragmatic amongst us might consider that in this case, the police neither refused nor declined to do their duty. The sad probability is that it never entered the heads of those who led this prosecution to involve them, knowing too well that reporting the matter to Action Fraud would be a futile waste of time.

We are at a milestone. Now could be the time for those in law enforcement to forget the politics and the soundbites, and get back to the basics of investigation. As 40% of the crime on your manor is fraud, then show us that you mean business. Reintroduce the skill and the will to counter it!

July 2021 ~ Ransomware . . . prepare and don’t give in!

In the UK, a company that is the subject of a ransomware attack has to consider not only the damage due to the resultant shutdown, coupled with the potential publication of sensitive commercial information, but also that the exposure of stolen personal data will risk the wrath of massive fines from the Information Commissioner’s Office. Certainly, immediate notification to the ICO of a personal data breach is mandatory. The company will need to prove that it had originally taken every reasonable step to protect the data. But should it negotiate, paying substantial funds [usually via Bitcoin] into the war-chests of the hackers . . . who may also be terrorists?

Ransomware hackers will typically take IT systems offline and begin the process of extortion; threatening to post or sell the stolen data. Very recently, a US trucking company facing this situation did not panic. Having prepared for such an eventuality, they had a plan of action ready. Backups of data meant they had systems up and running again within minutes. So, what to do?

The trucking company’s lawyer brought in a cybersecurity response firm. Using forensic IT methods, calculating what the hackers had actually stolen might have taken weeks. The FBI advises against making ransomware payments, not least as it encourages further attacks. There are also no guarantees that the hackers will play fairly with any agreement which is struck. In the event, after serious consideration, the company simply chose to ignore the demands.

It latterly reported the attack to law enforcement and the investigation ultimately traced the catalyst to a phishing email which had been opened by an employee.

Back to the question: what to do?

  • Back up systems offsite.
  • Keep software up to date.
  • Have a continuity plan.
  • Have a negotiation policy; or rather a non-negotiation policy.
  • Strengthen employee training and other internal security measures.

June 2021 ~ “Paying top-dollar PI fees can still bring grief!”

A London-based private investigation firm is being sued for breach of contract and negligence in the Commercial Court by a former client. Catalyst Capital Group is a Canadian private investment company, which in turn is being sued by a competitor [West Face] over the purchase of a telecoms firm in 2014.

An article published by the law firm Addleshaw Goddard describes how Black Cube was hired [for a fee of between $1.5m and $11m] to discredit both West Face and the judge who presided in the ensuing court case. It includes an account of how the judge was tricked into accepting a dinner invitation, and of attempts made to extract and record defamatory remarks.

“Paying top dollar for ‘investigative services’ by no means ensures what you receive will be legally obtained,” said Dick Smith of IPFGB. In turn, Tony Imossi [Secretariat of the Association of British Investigators] added, “I read the article with despair . . . it describes the sort of activities the ABI has tried hard over the years to warn about, but with little traction from the Home Office. Our evidence to the Leveson Inquiry and the Parliamentary Home Affairs Select Committee in the wake of the infamous ‘Phone Hacking’ scandal, fell on deaf ears. We [remain] . . . an unregulated sector with rogue agencies performing illegal activities with a degree of impunity.”

Black Cube, which is staffed by former Israeli intelligence officers, has previously attracted worldwide condemnation in respect of several missions it has taken on. Not least of these was in 2017 when it employed dubious methods to defame women accused of sexual harassment by client, Harvey Weinstein, followed by attempts by Trump aides for Black Cube to find evidence to support unsubstantiated claims made against the Obama administration.

May 2021 ~ “Who’s calling me?”

Fraudsters can enjoy another four years of spoofing phone numbers in the UK whilst they go about their illicit business.

Whilst other countries such as the US and France are taking action now, it will not be until the end of 2025 that the current phone network [Public Switched Telephone Network] will be updated to VOIP [Voice Over Internet Protocol].

Ofcom director, Huw Saunders, has warned the public not to trust caller ID on their phones, as the use of phone number spoofing has become an integral part of the unremitting attack on the British public, often from overseas. “It’s only when the vast majority of people are on the new technology that we can implement a new patch to address this problem,” he told BBC’s Money Box.

April 2021 ~ Annual UK fraud now estimated at £190bn:
Phone companies are playing ‘the numbers game’

Treasury figures released back in July 2020 revealed that the UK had already spent £190bn in the first few months of the Coronavirus pandemic. Last week, this was also precisely the same figure which Graeme Biggar, the director general of the National Crime Agency’s National Economic Crime Centre disclosed was the country’s annual cost of fraud!

Mr Biggar was using the opportunity to call for phone companies to do more to stop fraudsters who spoof phone numbers to snare their victims; simultaneously demanding “a step change in our response” to fraud.

The public is all too aware that there has been a dramatic rise in the use of spoofed phone numbers by criminal gangs. Indeed, the number of reported cases of impersonation fraud, including spoof calls, almost doubled to 40,000 in 2020, according to the industry body, UK Finance. If 40,000 were successful and thus reported, when it is widely accepted that only a fraction of victims admit to having been duped, then the real figure must be in telephone numbers!

March 2021 ~ A response to IP crime ~ ‘follow the money!’

Last year, assisted by Law Enforcement across Europe, carrying out house raids and making arrests, Spanish National Police broke up an organised crime gang which had for years been supplying IPTV to millions of customers across Europe, Asia and the Middle East. Properties, cars, luxury watches, cash, cryptocurrencies, and electronic equipment, valued around €4.8 million, were seized by agencies pursuing methodology advocated for many years by UK investigators . . . ‘following the money’ is the best initiative in fighting IP crime.

In praising the UK’s consistent championing of this philosophy, a Royal United Services Institute report published this month concluded that ‘piracy’ is still considered by many to hurt only the ‘fat-cats’. It drew attention to surveys which found that 25% of the population indulge in IP infringement [OCI Trackers], 63% would recommend pirate services to friends and family [YouGov], and 31% pay to access infringing content via box or app [Industry Trust].

In reality, in 2018, the TV and film sector generated £20bn for the economy and the creative industries contributed 2m jobs. Still think it’s victimless?

February 2021 ~ Monitor for data-theft during lockdown

Whilst legislators in the UK concentrate on the rights of workers for privacy whilst at work, they are putting at further risk the trade secrets of British firms. Particularly at this time of lockdown, when so many are working at home, technology firms in particular need to be ultra-aware that their foreign competitors, particularly Chinese government-sponsored companies, are on the prowl. In the past seven days, two unrelated incidents have somehow managed to end up on this same page.

Firstly, yet another espionage case in the US has resulted in a prison sentence; the latest in a long line coming before the courts. The US Dept of Justice has revealed a 30-month term for a thief who stole scientific data from a research centre for the “benefit of herself and Chinese State institutions”. She was caught transferring secrets from work computers via email.

24 hours before reading this, we at IPFGB were indirectly approached by a Chinese company to locate a sizeable number of Chinese nationals working in the UK. Immediately suspicious, we applied the ‘legitimate interest test’, as required by data protection law, and rigidly employed here in every case, enquiring why such an assignment was being instructed. As expected, the potential task instantly evaporated and is no doubt currently being completed by a less than scrupulous outfit. One is left to wonder what justifiable reason the Chinese could have invented. Why would they want to know where their nationals were living and working . . . other than to pressure them into spying?

British firms need to protect their intellectual property and their trade secrets. By far, they are most vulnerable from rogue employees. At IPFGB, we are invariably called in after the horse has bolted. But we are able to advise on how best to introduce defensive software which will track unauthorised access; and do so quite lawfully.

January 2021 ~ Large-scale fraud remains non-reportable!

“As the Law Enforcement Liaison Officer for the Association of British Investigators,” says IPFGB’s Dick Smith, “I am often called on to report major crime to the authorities. This mostly occurs where a professional investigator has become aware of serious crime which their client wishes to be officially dealt with and offenders brought to book. To this end, I am blessed with police contacts; officers whose dedication to ‘getting the job done’ cannot be faulted. Nevertheless, they too come up against a system which for many years now, simply fails to function!

“In October 2020, I referred a major fraud to a high-ranking London contact; complex corporate crime, damaging to both the tax systems of all EU countries and individual workers’ pension schemes alike. Nothing new there then! The litany of allegations, pointing to traceable culprits, with the guarantee of witness testimony, encompassed a multitude of facets. And there, of course, lay the problem . . . the charges revealed an array of institutions as victims, spread across far too many jurisdictions. For two months, it was punted around at the highest levels within law enforcement, yet not one agency in this country, nor in the EU, was willing to investigate. None would risk a drain on their finances by shouldering the responsibility. There was no mechanism, and importantly no budget, for joining forces to engage. So, what was the ‘unofficial’ advice? ‘Blow the whistle. Go to the press and lay it on the doorstep of the government.’”

“Chris Greany of Templar Executives is a former police counter-fraud investigator and has long been critical of the Action Fraud system. He reports [Professional Security – Jan 2021] what all we former cops know; that police forces have ‘completely forgotten’ how to investigate fraud. He admits he has given up on a £10m cross-jurisdictional global fraud despite there being a bank’s evidence available. The common ‘lack-of-resources’ response from the police is that business can afford to take its own action against criminals. So, if we accept the police view that commerce is fair game for the crooks, what then is the excuse for failing to investigate when public money is being diverted?

“Perhaps the problem is that, in an effort to plug the ever-increasing gaps in countering crime, too many agencies have been set up. When I became a police officer, [in an era when the service was lazy, unethical, and/or corrupt, as we are constantly brainwashed into believing], if a crime were committed, it was only the police who could receive the report and we were duty-bound to investigate and prosecute. If a crime report was ‘cuffed’ you risked being subjected to a rigid discipline procedure. To cry, ‘I don’t have the resources’ or, ‘It’s not my job,’ would have been met at best with derision, or accusations of subversion at worst.

“Crime was also rife then and terrorism even more commonplace; so let’s dispel any myths before they are submitted. But it was not until the nineties that we saw a change which started the rot. For the first time, there was politicisation of the police. The introduction of KPIs and ‘control by budget’ was introduced by the Home Office, obliging Chief Officers to prioritise. They were forced into abrogating their responsibilities in combatting certain types of crime. One such crime, exacerbated by the parallel emergence of the cyber-age, was fraud, which required investigative expertise and was particularly resource-hungry in relation to man-hours. It became easy, indeed was encouraged, for those Chief Officers to disband their Fraud Squads. In the vacuum which followed, weird, wonderful [and cheap] Federal-style outfits were invented, all to a blaze of publicity, massively under-funded, and mostly short-lived. But the mould had been broken and a full circle developed. The more crime the police refused to handle; the less money became available. As crime levels rose, and detection fell, the police were financially punished. If either the public or commerce tried to report fraud to the police, it was now de rigueur for officers to respond, ‘Not my remit, chief. Go somewhere else!’

“As an example, how many of us have actually ever heard of the Counter-Fraud & Investigations Service; a branch of the Government Internal Audit Agency? It was set up in 2016 and has recently proudly announced that it has so far ‘detected and prevented £4m worth of fraud.’ £4m in four years; at what cost, I wonder? And at the same time Mr Greany’s single £10m case, or our tax and pensions fraud which dwarfs that almost into insignificance, don’t even warrant scrutiny!

“Graeme Biggar, the Director General of the National Economic Crime Centre, claims that not every crime can be investigated because police are ‘going after the big hitters.’ Really? The evidence and ‘inside knowledge’ suggests very much otherwise.

“And there it is. Too many agencies, all with their fancy titles, none actually working in unison, and none biting the bullet for fear of the financial implication on their largely irrelevant and redundant territories.

“Reverting to that recent failed referral in London, some might consider that taking the King’s shilling and yet refusing to do one’s duty is a form of corruption. John Penrose MP is the appointed ‘anti-corruption champion’. He is credited with having a grasp of the situation and quoted as saying, ‘No politician wants to be vulnerable to corruption, or even inefficiency with the public purse.’ He will no doubt have his work cut out addressing the billions lost to fraudulent bounce-back-loan and furlough schemes which we know have been prevalent through the pandemic. Nevertheless, we are currently endeavouring to get our friends in the national media to knock loudly at his door and ask some very pertinent questions. Watch this space!”

Dick Smith QPM
IP Forensics [GB]
ABI Law Enforcement Liaison Officer
Ref: https://www.theabi.org.uk/news/too-many-cooks-.-.-and-none-of-them-actually-cooking