Unexpected messages

Cybercriminals often look for profit, and use personal and professional information to gain it. For example, they can try to steal money, or to impersonate a person to access unwanted and/or illegal services. In order to gain that profit, they will try to reach out to their victim and make sure to get a reaction from them, being it to download a file, click on a link, or give them a secret code or password. The victim cannot know in advance that they are being targeted by such malicious activity.

1. Watch out for unexpected messages.

Scams can happen through SMS, email or social media. As it is not possible to predict the time of a potential cyber-attack, all unexpected messages should be paid enough attention to. The most known cyber-attack using unexpected messages is phishing. To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

•    Is it unexpected?
•    Is it urgent?
•    Do you know the person who sent the e-mail?
•    Do you find the request strange?
•    Where does the link you need to click on lead to? (only hover on it with your mouse, do not click)
•    Is there a QR code in the message?
•    Are you being personally addressed?
•    Does the message contain many linguistic errors?
•    Is the message in your Spam / Junk folder?
•    Is someone trying to make you curious?
•    Are you asked to make a payment?

Online websites

Malicious people try to create websites that will generate the visitor’s interest, such as a web shop or an online game, but also portals of resources attractive for business, by making it look as legitimate as possible. They will then try to trick the visitor into buying a fictional item, making them believe they earned a gift or a special coupon or provide them with a requested document in order to steal their professional and personal information that will help them earn some profit.

How to evaluate the legitimacy of a website?

The following five golden tips and tricks help assess the legitimacy of a website to better identify the malicious ones.

1. Check the address of the website

In order to look like an organisation’s official website, cybercriminals will often provide an address that looks like the legitimate address of that organisation (for example myorganisation [.]be instead of my[.]organisation [.]be). Another option for them is to use a different top-level domain from the legitimate one (such as, .org instead of .com or .be). In addition, they can play with letters and numbers in order to make people think they are on the right website. For example, they might use a capital ‘i’ to replace the letter L or the number zero instead of the letter o.

Identify the legitimate address using search engines

When the exact legitimate website address of an organisation or of a web resource is unknown, a quick research on one of the most known search engines can help identify it without having to click on a suspicious link.

2. Check the reputation of the website

The website should be known to the public: the IT Responsible of your organization can always be consulted to evaluate the legitimacy of the website. Online reviews can also be checked to ensure that the service provided is real and not a scam. Some antimalware solutions can also provide a websites’ reputation scoring and can be accessed in the features of the antimalware.

3. Check how unbelievable and amazing offers and promotions are

Scammers try to attract a website’s visitors attention by displaying exaggerated discounts. If it is too good to be true, it is probably not.

4. Check how the payment is requested

Filling in personal information for delivery and payment outside of the initial web-shop can be an indicator of scam. Also, requesting payment through a third-party, for example, a parcel or transport organisation, is a common way used by cybercriminals to steal money without providing any service in exchange.

Look for https in a website address

The beginning of a web address should be displaying https, not only http. This indicates that the information the visitors are providing can only be read by the website itself. The ‘S’ should always be there when surfing online, however, despite https the website might still be malicious.

5.    Fill in only the strictly necessary information

Some personal information are not needed for specific services. For example, providing a social security number to buy something is not necessary. A website asking for unusual information for the service provided can be an indicator of scam.

Personal information is valuable

Personal data is a very valuable information for cybercriminals. They can use it to impersonate people or to target an organisation’s colleagues, clients or providers. They can also use it to pursue criminal business under someone else’s identity, or to get access to bank accounts, mobile providers and much more. Personal data is one of the most important information a person has and should be treated accordingly.

Public and unknown Wi-Fi

Public Wi-Fi’s allow anyone to connect to the internet from anywhere. It represents a handy solution as people can access professional resources, shop online, browse websites, or manage their social media almost everywhere. However, as its name indicates it, it is public and everyone can access it, including scammers and criminals. If it is wrongly configured, a public Wi-Fi can be used to monitor the activities of people connected to it and steal their information by intercepting the data being transmitted.

1. Only make use of official public Wi-Fi when strictly needed

That includes for example needing to access information online when being at a known airport, train station, bar, restaurant or shop.

2. Never connect to an unknown public Wi-Fi

Cybercriminals might emulate an organisation’s Wi-Fi name to trick people into connecting to it, for example because it offers a stronger connectivity. Organisations should always implement a professional secured Wi-Fi network to ensure a safe access to their internal resources. Alongside this professional Wi-Fi, another can be implemented for personal or guests activities that can require to create an account in order to access it. This separation is important to make sure only the right people can access the organisation’s information. The IT Responsible of your organisation can always be consulted to make sure the available Wi-Fi belongs in fact to the organisation.

3. Use a VPN

A Virtual Private Network is a solution that helps encrypt and hide internet traffic to whomever might be trying to “listen” to the data that is being transmitted. The IT Responsible of an organisation can always be consulted to see if a VPN solution can be provided from the organisation.

4. Implement a guest Wi-Fi for personal and guest activities

Set up a dedicated network to which collaborators and visitors can connect to with personal devices. This dedicated network should be separated from the corporate internal network to make sure not to risk its compromission. The access should only be granted through giving unique credentials (i.e., a username and a password) to people registered. In addition, as a best practice to control which users currently have access, make sure to limit this access for a limited time (e.g., it expires after 24 hours).

What to do if you get scammed?

1. Report the incident to your IT responsible

2. Warn your colleagues, clients and providers that they might be getting a message from a specific collaborator but that they should not trust it.

3. Change all the passwords that were given (if any) on all the accounts they are being used.

4. If the scam was about bank details, immediately contact the finance responsible to inform them of the incident. If you notice that money has been stolen from your bank account, be sure to file a complaint with the police.

5. If you are the responsible of that bank account, call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Always report every incident

Incidents should always be reported to the IT Responsible, even if it was only witnessed or if there is a slight doubt. The sooner the right people can act on it, the smaller the consequences of the incident.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.