Cookham Discussion Board

General Category => COOKHAM DISCUSSIONS => Topic started by: Cookham Webmaster on October 16, 2020, 02:31:07 PM



Title: O2 scam back again
Post by: Cookham Webmaster on October 16, 2020, 02:31:07 PM
If you receive the following message from O2 delete it, it is a scam:

"O2:We were unable to process your latest bill. In order to avoid fees, update your billing information"


Title: Re: O2 scam back again
Post by: aj on October 19, 2020, 01:39:24 PM
I work in cybersecurity.

This is a long-running scam and most of the UK phone providers can be named in the message. The perpetrators stand up short-term plausible domain names that contain the operator name somewhere in the URL and also of course send texts and emails using bogus phone numbers, with the intention of obtaining the user logon credentials. Using these and other personal information they can then perform a 'SIM swap' and gain control of your phone number. At that point the game is to then go to web sites and do the 'I forgot my password' ritual but with the text confirmations going back to them, not you. Now they can get control of your primary email account and ultimately with luck possibly also your internet banking, PayPal, Amazon, eBay and other accounts.

I'm sure you can imagine the absolute nightmare trying to sort this all out could become. Here are some things you can do to protect yourself and your family. Please share this information with your loved ones and ensure they remain safe at all times.

1. If your internet banking provider offers a security token, use it. For example, HSBC will issue a small device that looks like a pocket calculator. It generates a random number every time you use it to log on or authorise a transaction. The device is PIN-protected. An attacker who obtains personal information about you cannot access your internet banking account unless they also have physical possession of the security token and its PIN.

2. Don't re-use passwords across multiple web sites. The weakest site will ultimately be compromised and attackers will then attempt to use those passwords on other sites. Rather than create, and write down, complex passwords, a much more secure method is to think of something that you will always strongly associate with a web site. It could be, for instance, something you purchased on it that you'll always remember. Use that concept to create a strong password you won't forget. People who memorise lots of names etc use this trick; they associate an image with each person that they will always remember.
Attackers also have access to huge lists of popular passwords. These lists contain literally billions of passwords. If you thought BritneySpears12345 was a strong password, think again. So did thousands of others. Attackers know this. Choose a password that is a longer phrase, like part of a sentence. It's much harder to guess these as long as you aren't obvious.

3. Put a PIN on your phone's SIM card and ensure your phone is securely locked via either a pattern, PIN number or fingerprint protection as well. By doing this, someone who steals (or finds) your phone can't use it fraudulently, nor can they rack up huge call bills on it. When they try and restart the phone, they will be required to enter the SIM PIN code, so if they pull the SIM card out of the phone to try and use it, they're stymied because the PIN is stored on the SIM card and they'll just get asked for it on the new phone as well.

4. If someone rings you claiming to be your bank etc., then hang up and ring back but - if the phone is a standard landline phone - don't ring back on that phone immediately. It's possible to hold a call open on the other end - people don't realise that hanging up at your end does NOT clear down the call immediately. There's a timeout and it depends on the local exchange settings. The attacker waits, playing a fake dial tone, and then pretends to 'answer' if you ring out straightaway.

Instead, use your mobile phone or wait at least 10 minutes THEN ring out. (BT are allegedly working on reducing the call hold time, but it's prudent to be careful).

5. If you're expecting to pay someone a large amount, e.g. a solicitor on completing a property transaction, then be cautious about emails. Attackers compromise the often weak security of many legal firms by guessing passwords - then they can intercept all emails and send fraudulent emails. Although the press tends to talk about accounts being 'hacked', this is hardly hacking, where an attacker finds some kind of security weakness. This is someone guessing - or obtaining by bribing or coercing staff - a password.
Banks - after dragging their heels for years - at least now check names against accounts when performing internet transactions. Hopefully this will help.

6. Don't give away personal information on social media. By default, Facebook makes information like your date of birth public, and Facebook's privacy controls are opaque and deliberately difficult to alter. Too many people overshare on social media, making it trivial for attackers to obtain enough information to impersonate you.

7. Shred, or securely dispose of, confidential information like bank statements etc that you no longer need to keep. Attackers are quite happy to go through rubbish bags to find personal information.

8. Enable two-factor authentication on any accounts, e.g. PayPal etc., that involve financial transactions. If you've set your phone up securely (see above) then an attacker who guesses your password still can't initiate a transaction because they don't have access to your phone.

9. Your 'friend' on Facebook who just lost their wallet and desperately needs money is probably a fraudster. This is a popular social media scam.

10. Finally, it helps to think like your attackers. Cybercrime is a business, like any other business. In fact, some fraudsters run on such a scale that they have HR departments to manage employees! There are entire towns in some parts of the world where most of the economy revolves around cybercrime. Somewhere, someplace, someone is contemplating, right now, ways of parting you from your money. Make it hard for them by practising - and preaching - effective cybersecurity.
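As an added example (not part of aj's post, and not anything O2 publishes), here is a defender-side check in Python for the lure described in this thread: a brand name that appears somewhere in the link while the registrable domain is not one the operator owns, combined with the urgent "failed bill / update your billing" wording. The legitimate-domain list and the sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example (assumption): the registrable domains
# we accept as genuinely belonging to each brand.
LEGIT_DOMAINS = {"o2": {"o2.co.uk"}}

# Phrases typical of the "failed bill / update billing" lure quoted in the thread.
URGENCY_PHRASES = ("unable to process", "avoid fees", "update your billing",
                   "verify your account", "suspended")

URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def registrable_domain(host: str) -> str:
    """Crude registrable-domain rule: handles co.uk-style second-level
    registries and plain gTLDs, which is enough for this example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac", "me"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_sms(text: str) -> dict:
    """Flag an SMS that names a brand but links to a domain the brand does not own,
    or that pairs urgent billing language with a link."""
    low = text.lower()
    reasons = []
    brands = [b for b in LEGIT_DOMAINS if re.search(rf"\b{re.escape(b)}\b", low)]
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        url = urlparse(raw if raw.lower().startswith("http") else "http://" + raw)
        host, path = (url.hostname or "").lower(), url.path.lower()
        reg = registrable_domain(host)
        for b in brands or LEGIT_DOMAINS:
            # Brand name anywhere in the URL (host, subdomain or path) on a non-brand domain.
            if (b in host or b in path) and reg not in LEGIT_DOMAINS[b]:
                reasons.append(f"'{b}' appears in URL but {reg} is not a {b} domain")
    hits = [p for p in URGENCY_PHRASES if p in low]
    if len(hits) >= 2 and URL_RE.search(text):
        reasons.append("urgent billing language with a link: " + ", ".join(hits))
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages: the thread's lure with a lookalike link, and a benign one.
    for msg in ("O2: We were unable to process your latest bill. In order to avoid fees, "
                "update your billing information at https://o2-billing-update.co.uk/login",
                "O2: Your latest bill is ready to view in My O2 at https://www.o2.co.uk/myo2"):
        print(assess_sms(msg))
```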