Fraud Awareness and Phishing Attacks
Information and guidance about fraud awareness and phishing attacks.
Global IT issues: phishing / scam emails alert (July 24)
Following news of a global IT issue, some organisations have reported that scammers are exploiting the news to target phishing and scam emails at organisations more effectively in order to conduct malicious activities.
It is a timely reminder that increased vigilance is required to keep ourselves and Cumberland Council safe.
Scammers try to quickly gain your trust. They aim to pressure you into acting without thinking. If a message or call makes you suspicious, stop, break the contact, and consider the language it uses.
Scams often feature one or more of these tell-tale signs:
- Authority: Is the message claiming to be from someone official? For example, your bank, doctor, a supplier, or line manager? Criminals often pretend to be important people or organisations to trick you into doing what they want.
- Urgency: Are you told you have a limited time to respond (such as 'within 24 hours' or 'immediately')? Criminals often threaten you with fines or other negative consequences.
- Emotion: Does the message make you panic, or feel fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
- Scarcity: Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.
- Current events: Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.
How to check if a message is genuine
If you have any doubts about a message, contact your ICT Service Desk or you can forward suspicious emails to security@cumberland.gov.uk.
Don’t use the numbers or address that have been included in the message you are suspicious of.
Remember, your bank (or any other official source) will never ask you to supply personal information via email, or call and ask you to confirm your bank account details. If you suspect someone is not who they claim to be, hang up and contact the organisation directly. If you have paper statements or a credit card from the organisation, official contact details are often written on them.
Fraud Awareness and Phishing Attacks
The UK Government launched a major campaign (February 2024) to transform the fight against fraudsters – Stop! Think Fraud, which is backed by leading counter fraud experts who are uniting under one voice to provide consistent, clear and robust anti-fraud advice to the public.
Fraud accounts for around 40% of all crime in England and Wales, with an estimated 3.2 million offences each year and an estimated cost to society of £6.8 billion in England and Wales.
The evidence-led campaign draws on the expertise of leading counter-fraud experts and includes an online fraud hub which will provide concise, simple-to-follow advice. It will also signpost victims to relevant organisations for further advice and support.
The Stop! Think Fraud website provides vital guidance on how to spot fraud, stay safe and what to do if targeted. The site is supported by an advertising campaign, which includes a Stop! Think Fraud TV advert (40 sec).
A range of advice is available to individuals and businesses – this includes How to Spot Fraud.
Links are also provided to the National Cyber Security Centre’s (NCSC) e-learning package Stay Safe Online - Top Tips For Staff. The package is free to use, takes less than 30 minutes to complete and includes a short quiz at the end, with links to further reading. No login is required - just click on the link and start learning.
NCSC Advice re Phishing Emails
Malware is often hidden in phishing emails, or in websites that they link to. To help users identify the common features of phishing messages, the NCSC has produced guidance on how to spot scam messages.
They advise that management should ensure that users understand the nature of the threat posed by phishing, especially those departments that may be more vulnerable to it. Customer-facing departments may receive high volumes of unsolicited emails, whereas staff authorised to access sensitive information, manage financial assets, or administer IT systems will be of greater interest to an attacker (and may be the target of a sophisticated spear phishing campaign). Ensure these more vulnerable staff are aware of the risks, and offer them additional support.
Attackers can exploit ‘ways of working’ to trick users into handing over information (including passwords) or making unauthorised payments. To help prevent such attacks:
- Ensure you are familiar with the normal ways of working for key tasks (such as how payments are made), so you're better equipped to recognise unusual requests.
- Make processes more resistant to phishing by ensuring that all important email requests are verified using a second type of communication (such as an SMS message, a phone call, logging into an account, or confirmation by post or in-person). Other examples of changing processes include using a different login method, or sharing files through an access-controlled cloud account, rather than sending files as attachments.
- Ensure you are aware of the processes to report phishing and that you know in advance how to report incidents. Bear in mind that you may be unable to access normal means of communication if your device has been compromised.
- Use informal communication channels (through colleagues, teams, or internal message boards) to create an environment where it is easy for users to ‘ask out loud’ for support and guidance when they may be faced with a phishing attempt.
The NPSA has developed a series of security awareness campaigns, designed to provide organisations with a complete range of materials they need, including:
- Don’t take the bait! – 2:45 minute video on Phishing and Spear phishing.
- Social Engineering - Hostile actors use a range of tactics and techniques which are evolving all the time. However, organisations can help to reduce their vulnerability to a social engineering attack - see additional resources below and the “Be Savvy About the Social Engineer” video (2:05m).
- Workplace Behaviours - designed to help individual staff members ensure that they are getting the general security basics right, in and around the workplace – see the “Introduction to Security: Getting the Basics Right” video (1:32m).
Cumberland ICT Advice re Phishing Emails
As the threat from cyber-crime continues to grow and evolve, following just a few quick and simple steps can make it harder for cyber criminals to get into your devices and online accounts. Recent incidents of email scams have been reported and the following advice issued by Cumberland ICT:
- Be highly vigilant for scam emails - it is always best to check if you are unsure rather than fall foul of a scam.
- If you hover your cursor over the sender’s name, it will show you the actual sender’s email address. If they don’t match, the email is likely to be spam.
- You can also hover the cursor over any button to reply and again, if the address is different, the email will be a scam.
- Do not click on suspicious links.
- The text of the email may also be a bit odd: the grammar and spelling may be wrong and the tone may not be what you would expect. Remember that these emails may appear to come from friends and relations as well as companies.
- The fraudsters will often also introduce an element of urgency. Do not be taken in by this as it is an attempt to stop you thinking straight and taking sensible decisions. Always check with the real person alleged to be the sender before you do anything. If you cannot contact them, however urgent it may seem, DO NOT take things further until you have contacted them.
- Never provide personal, work or financial details in response to such an email.
- Remember that if it sounds too good to be true, it usually is.
If you do reply to a spam email, the likely next thing is that the fraudster will ask you to buy vouchers or transfer money. Stop any contact with them immediately. You should note that the council will NEVER ask you to do this from your personal account. If you have access to a corporate debit card then you should not use this either. However, if you think that the request is genuine, then you should contact the alleged sender using their known council email address or, better still, by calling their known phone number or on Teams. You should never use a number provided by the possibly fraudulent email or message.
If you think that you are in contact with fraudsters then you need to stop communicating with them at once. If you have made purchases or transferred money from your personal account, or divulged your bank or building society details then you need to contact your bank or building society immediately. This is really important as the fraudster may try to use your banking details to commit more fraud, either directly or by using the details elsewhere. The bank or building society’s fraud department may be able to stop any payments so time is of the essence. It will also start the process of trying to recoup your money. If you have made purchases you should also contact the fraud departments of the retailers concerned.
You should also report the fraud to Action Fraud - Reporting fraud and cyber crime.
You should keep written notes of all the actions you have taken, with dates and times, who you spoke to, what was discussed, etc., as this will assist you in reclaiming the money you have lost from the bank and stores.
It is good practice to have a different password for every organisation that you interact with online. You should also enable two-factor authentication where it is available. If you have divulged any financial or login details to the fraudster, you need to change your password to the relevant account immediately.
Any members of staff who have received spam emails should report them to security@cumberland.gov.uk.