October is Cybersecurity Awareness Month 2022
1 October 2022
How can you help protect your organisation?
It’s Cybersecurity Awareness Month, and at Veritau we want to spread awareness of cybercrime and cybersecurity issues affecting the public sector.
Cybersecurity covers a wide scope, from high-level robust IT infrastructure to simpler measures relevant to all members of staff, like password security.
As organisations rely more on online resources to deliver services, cybercrime continues to be a prevalent issue. The National Cyber Security Centre (NCSC) said in a keynote speech that employees can be the “strongest link” when it comes to cybercrime.
Public bodies – including councils, schools and more – can suffer any type of cyberattack, including:
- Whaling and phishing
- Mandate fraud
- Ransomware
- Denial of service
- Hacking
The World Economic Forum’s 2022 Global Risk Report states that 95% of cybersecurity issues stem from human error.
How much do you know about cybercrime?
We’ve created a Wordle-style activity to help you test your knowledge. Green letters are correct and in the right place, yellow letters are in the word but in the wrong place, and grey letters aren’t used.
Answers can be found at the end of this article! [View a PDF version of the activity instead]
Examples at local authorities
Cybercrime is becoming more professional, targeted, and sophisticated. Our counter fraud team has noted a significant increase in attacks against local authorities. Unfortunately, some have been successful.
Luton Council was subject to a mandate fraud perpetrated by organised criminals. A compromised user account was used to request a change of bank account, resulting in the diversion of a £1.1m payment. This has not yet been recovered.
Mandate fraud is a growing problem, particularly in the public sector. The NCSC reports that ransomware is also a key cybersecurity risk.
Hackney London Borough Council suffered an attack in 2020 that one councillor estimated might have cost up to £10m. Some council services were still affected six months after the attack.
Password security
Reusing passwords is a common risk, with a survey by Google finding that 52% of people reuse passwords for multiple accounts. Using the same password for personal accounts and work accounts can present an even more significant risk.
If a hacker is able to access your accounts at work, they could:
- Obtain and misuse people’s personal information
- Cause a data breach
- Install malware or ransomware
- Attempt to commit mandate fraud or a whaling attack
Always follow the password guidance set out by your IT team.
Phishing, whaling, and mandate fraud
Most people are familiar with terms like phishing, where cybercriminals attempt to trick you into giving away information or money. Whaling is similar, but involves impersonation of a senior officer, e.g. a director or chief executive.
At Veritau we have seen a rise in mandate fraud (also known as payment diversion fraud), particularly at local authorities. This can be done via whaling, where the cybercriminal poses as a senior member of staff, but we also see fraudsters impersonating suppliers and creditors.
Often the pressure is piled on, asking the staff member to urgently change contact information or payment details.
Suspicious emails may come from a ‘spoofed’ account, where the email address is slightly different from what it should be. Or a fraudulent email might come from a colleague or supplier’s account that has been hacked.
How to help prevent cybercrime
Always:
- Use previously established contact methods to verify the source of a communication
- Treat unusual requests for payments – or change of details – extremely cautiously
- Familiarise yourself with any internal verification processes
- Follow the password guidance set out by your IT team
Look out for:
- Spelling and grammar mistakes
- Unusual tone of voice or phrasing, or anything else that feels strange
- A sense of urgency or pressure being put on you
Never:
- Assume that a request is safe because it has correct branding, or a colleague trusts the source
- Use the same password for different accounts
- Allow yourself to be pressured into bypassing agreed verification processes or internal controls
Further support
For more information about cybersecurity, contact your IT team, or visit the NCSC website.
If you have suspicions of fraud affecting the council, call our team on 0800 9179 247 or email [email protected].
If your organisation doesn’t receive counter fraud services from Veritau, please contact us for more information. We can support you with prevention, through providing policies, frameworks and fraud awareness training – or we can investigate matters as they arise.
Resources and activity answers
View activity answers
Find out the answers to our Wordle-style activity to test your knowledge.
Download PDF infographic
View or download a PDF version of our mandate fraud infographic.