Beware the man-in-the-middle attack!

One of our client managers received a notification of change of bank details from their client requesting for all their accounts with us to be updated.  

Red flag – The body of the message contained several grammatical errors and the email address had been tampered with.   

The client manager immediately alerted their client who was completely unaware and on holiday at the time and they also reported it to Action Fraud. 

Tip: A public Wi-Fi network is inherently less secure than your personal, private one. Stick to well-known networks, like Starbucks or install McAfee on your phone (which checks for safe Wi-Fi or notifies you if it’s not). 

Note: We will not change any bank details without first checking with you via a telephone call.  

One of our client managers received an email from a client asking whether they use AMAZON (hyperlinked and in caps lock).  

Red flag – The email contained a link and was an out-of-character request.  

Whether it was a mistake email or not, the client manager treated it as a potential cyber incident and asked the client to call us.    

Tip: Proceed with caution before clicking on an any links or downloading any attachments as it may be disguised malware that will infect your PC, or it may ask you for confidential information.  

In the latest incident, the hacker timed a “fake” reply email (as client manager) to perfection and asked the client to return funds to a “subsidiary” account with Nucleus.  

Luckily, our client was extremely vigilant and questioned the email by requesting a callback. When that didn’t materialise, instead of replying to the email chain, he sent a new email to a stored email address requesting clarification, at which point the real client manager immediately called the client.  

Red flag – The email contained an instruction to move funds to a new bank account and there was no follow-up call when requested.  

The crafty hacker had created a nearly identical email address to that of the client manager with one tiny anomaly – an extra ‘l’ in the word ‘equillibrium’. 

The criminal failed in their attempt to transfer funds and the matter was immediately reported to Action Fraud and our IT support team for investigation.  

Tip: Do not action any request to transfer money, especially when there’s an element of time pressure. First check whether the email is legitimate by calling your contact or asking them a series of questions that only they would know.   

Note: Please be assured that our email system has not been hacked. Our systems have the highest level of security protection – the criminal’s email would not have made it through our exchange, for example. The intercepted email was on an external server not linked to any of our systems.

You should:  

• Change your password (and all other accounts with the same password). 
• Contact your mail service provider. 
• Let your contacts know. 
• Complete a virus and malware scan on devices.  
• Run a comprehensive antivirus scan.  
• Report it to Action Fraud.

Here are some simple steps:  

• Limit using public Wi-Fi networks – connect to well-known networks or ones you’ve used before.  
• Stick with HTTPS websites – Google Chrome lets you know when the site you’re visiting uses an unencrypted HTTP connection.  
• Be wary of giving away too much personal information when signing up to public Wi-Fi. 
• Limit AirDrop and File Sharing – it’s one way that hackers can grab your files or send you one you don’t want. 

For more information visit: How to Stay Safe on Public Wi-Fi | WIRED 

Unfortunately, email is not a secure mode of communication, and it should not be used for personal, financial, or confidential information. We always recommend using our portal wherever possible. If that’s not possible, make a telephone call.

Hotmail is the least secure personal email, whilst Gmail fares slightly better as it has just introduced enhanced security features. In order to get the most secure email, Microsoft offers a personal account (at a charge of c.£7 per month) – in other words, you have to pay for security features (£60 per year for personal / £80 per year for a family), they won’t hand them out for free!

That being said, email is still a part of our daily lives so in order to increase the security of your account, it is advisable to turn on two-factor authentication (2FA). 

What is Two-Factor Authentication and Why You Should Use It (pixelprivacy.com)

Turning two-step verification on or off for your Microsoft account – Microsoft Support    

A password manager such as Dashlane is the perfect solution to securely store all your passwords in the one place. All you then need to do is create and remember one strong password to login.   

According to traditional advice – a strong password:  

• Includes 12 characters minimum. 
• Includes numbers, symbols, capital and lower-case letters. 
• Is not a dictionary word or combination of dictionary words e.g., blue sky.  
• Is not a common phrase e.g., it’s raining cats and dogs.   
• Doesn’t use common substitutions e.g., replacing an ‘o’ with a 0. 

For more information visit: How to Create a Strong Password (and Remember It) (howtogeek.com).