After UK ministers were targeted in a spate of hoax calls by Russian pranksters, Mike Wills, director of strategy and policy at cyber and data security firm CSS Assure, discusses how businesses can protect themselves against hoax calls designed to trick, embarrass, steal and defraud.
Recently, video clips have been released of calls with senior cabinet ministers and an imposter posing as Ukrainian Prime Minister Denys Shmyhal. The British government has blamed the Kremlin for the stunts, stating they were part of a Russian disinformation campaign.
These are classic information operations tactics, which are as old as time. In these cases, they have sought to undermine and embarrass the British government, while distracting from the major issues of the day and diverting attention away from what is happening in Ukraine. Indeed, the international Five Eyes community have issued warnings of further cyber and misinformation attacks in response to the heavy sanctions placed on Russia.
It is important to remember that the fraudsters who carried out these government-targeted pranks are well-resourced. They are the Hollywood blockbuster actor-standard of scammers and a lot of time and effort will have been put into preparing for and conducting these attacks. They will have done their background research, knowing they have a single chance to be utterly convincing from the first point of contact.
War isn’t just about bombs and bullets – it’s about every facet of human endeavour. It includes the physical combat sphere and the ethereal information sphere. The Russians are past masters at this; within their state apparatus, they will have infantry fighters, combat fighter pilots and tank gunners, as well as the best of the best in terms of intelligence and influence operations.
While this time, the fraudsters have been cunning and managed to get into the top level of government, this can – and does – happen to any business at any time.
Organisations should make themselves as hard to hack as possible at all times, but more so than ever given that Russia will be seeking to create instability within western countries – which, in this day and age, is easier to achieve virtually.
So how has this been allowed to happen? In theory, the government will have, and should have, verified the other participants in the meeting were who they said they were. This isn’t always easy, but there are simple tactics that you can use to identify potential fraudsters.
If this was conducted by means of a phone call, you would want to take control of that call so you know who you are dialling. This can be done by asking the caller for their full name and the organisation they are working for. Then, tell them you are going to call them back via the front desk phone number of the organisation – which you can get from a credible source online – and ask to be put through to them internally. Here, you are taking control of the situation by going to a known phone number.
However, in these cases, communication appears to have taken place via an online virtual meeting, which means it had probably been set-up by email and that the email is likely to have come from a credible source. This suggests the email address has either been intercepted or cloned.
With this in mind, businesses should consider resetting passwords in case they have been breached and are enabling access to web portals and email accounts, as well as remind employees to think twice before opening or clicking links on any suspicious emails.
Multi-factor authentication – which requires users to provide two or more verification factors to gain access to a resource – should be implemented wherever possible, and software upgrades and patches should be up to date.
Once you’re on the call – whether voice or video – people should confirm who is on the other end of the line before revealing any information.
If taking place over the phone, try and work out if you recognise their voice. This is difficult, but there may be someone within the department who has regular communication with the caller. If so, bring them into the room and ask if they can confidently verify their identity. This can be done by a brief discussion based on previous conversations and historic pleasantries.
For video calls, insist the other party turns on their camera and Google their name to see if you can identify they are who they appear to be via images. With cyber and misinformation attacks being so common and pervasive, it is important people develop the confidence and feel comfortable in verifying someone’s identity – for their own protection and resilience.
Businesses should also dust off, review and rehearse incident response plans so they know how to react swiftly to any incident and are able to minimise its potential scope, scale and associated impact.
Finally, it is vital to ensure employees understand the importance and necessity of information security, which can be carried out through data and cyber security awareness training. This will help to ensure confident, compliant and resilient staff, which, in turn, creates a well-protected business.
Be suspicious, be disciplined and be resilient in order to be safe.