Toni Sless Appointed SCAMbassador for National Trading Standards Scams Team

Toni Sless joins national campaign to prevent vulnerable people falling victim to scams

Toni Sless has joined the Friends Against Scams campaign, an initiative that aims to protect and prevent people from becoming victims of scams by empowering communities to ‘Take a Stand Against Scams’.

As a SCAMbassador, Toni Sless has joined the National Trading Standards (NTS) Scams Team and others to protect everyone from scams and the damage they cause. Toni will be able to work with members of her own community and at a national level to educate and support those who may be vulnerable to scams.

Each year scams cause between £5bn and £10bn worth of detriment to UK consumers. In addition to the financial impact, scams can have a severe emotional and psychological impact on victims.

Toni said: “Scams damage lives and can affect people financially and emotionally so it is with great pride that I have joined the work of the National Trading Standards Scams Team, the Chartered Trading Standards Institute and others who are working together to prevent people from being victims of scams.”

Scams affect millions of people across the UK and cost consumers an estimated £5-10 billion of detriment each year. Scams are a pervasive, criminal threat which, in addition to the financial damage, can also cause serious, long-term psychological harm and ultimately destroy lives.

Louise Baxter, Team Manager, National Trading Standards Scams Team, said: “The tactics used by scammers leave victims socially isolated and ashamed of telling their friends and families what's really going on behind closed doors.

“It is fantastic to have such an influential figure in the community to help us tackle this problem on a local, regional and national level, and I would encourage all those that are interested in showing their support to join the campaign and be part of our growing SCAMbassador network.”

For more information about becoming a Friend Against Scams including the full campaign pack, please visit

Yahoo: top tips for what you should do

Last week Yahoo confirmed that it experienced a huge data breach in 2014, in which 500m accounts were compromised. This is the biggest known breach in terms of number of records. The information exposed includes names, email addresses, telephone numbers, dates of birth, hashed passwords and the answers to security questions, some of which were unencrypted. I’ve been talking to the media about the breach and its wider implications and wanted to share some top tips to better protect your accounts.

The information stolen could be used by criminals for financial cyber crime, identity fraud and social engineering. The breach is a couple of years old, but people should still do what they can to minimise any potential damage.

Here are the Risk Avengers top tips:

1. Even if you are not a Yahoo user, this breach may still affect you. People who use some other email services (including Sky and BT) could be at risk because those services use Yahoo to manage their webmail service. Apparently 572,162 domains are using Yahoo as their email provider. You can use this tool to check whether your domain is affected.

2. Change your Yahoo password and, if there’s any danger that you’ve used the same password elsewhere, change the password for those accounts too. The stolen passwords were hashed, mostly with bcrypt, but this does not mean they are uncrackable: weak or common passwords can still be recovered from the hashes. This leaves your Yahoo account, and any account where you’re reusing the password, vulnerable. My research suggests 62% of people in the UK reuse their passwords, so this could be quite a problem.

3. Make passwords long and complex. Use numbers and special characters as well as upper and lower case letters, and don’t use the obvious combinations for your p@ssw0rds! Consider a password manager so that you can maximise security whilst maintaining usability.

4. The compromise of unencrypted answers to security questions is worrying. You may well be using this information for the security questions on other accounts, possibly even for your online banking accounts. Whilst you are going through your accounts to strengthen the passwords, update your security answers to something unique for that account. You could use the password manager for storing answers to your security questions that are as random and complex as your new passwords.

5. Set up two-factor authentication on your Yahoo account to add a second layer of security. Two-factor authentication is far more effective at protecting your accounts than a password alone, and yet only 19% of people in the UK use it. At the same time as setting it up for Yahoo, set it up on your other online accounts too. Scott Helme wrote a really helpful guide on how to set it up for most websites.

6. Watch out for social engineering attacks over email, messaging services and the phone. Having your email address and telephone numbers exposed means attackers could use that information for phishing, smishing (SMS phishing) and vishing (voice phishing). These social engineering attacks could be attempts to get your login credentials for other accounts or to infect your devices with malware.

7. A lot of people have commented that they used to use Yahoo and still have an account, but can’t remember their password. This year has seen some huge historic data breaches come to light, including MySpace as well as Yahoo, which highlights that online accounts we no longer use can still come back to haunt us, and the importance of shutting down these ghost accounts.

This may seem like a tedious task list, but it’s a lot better than dealing with identity theft, infected machines or further data loss.

Incident Management Principles

All businesses, large or small, should have an incident management response plan in place so that they can effectively mitigate an incident, be it a cyber attack, data breach, fraud or a critical threat, and respond in a timely manner. With that in mind, the following is our guide on incident management principles.

  1. Get your policies and processes in order. Policies should be clear, concise, accessible and appropriate to the business. They also, very importantly and often overlooked, need to be well-communicated and enforced.  Processes should be simple but understandable by all stakeholders so that in the event of an incident (be it fraud, a critical threat or a cyber attack) everybody knows who is handling what and communicating to whom.
  2. Your policies and processes should also include an incident response plan. This should be tested on a regular basis; we recommend every six or twelve months. This will ensure that those involved in an incident know and understand their roles and responsibilities. Equally, it provides an opportunity to check that the correct processes are in place and are robust.
  3. Roles and responsibilities of the Crisis Management Team (CMT), Incident Response Team (IRT) or Incident Management Team (IMT) should be clearly defined so that everybody involved has a clear delineation of duty and accountability.
  4. All Members of the CMT, IRT or IMT should be provided with regular training.
  5. Ensure all employees, suppliers, stakeholders and customers know to whom an incident should be reported. Provide clear guidelines on the reporting process, which should be in place as per point 1. The recipient of an incident notification should also know to whom the incident should be escalated, ensuring the salient information is captured and reported according to business policy.
  6. The CMT, IRT or IMT should have full knowledge of to whom the incident should be cascaded, internally and externally, including law enforcement and the Information Commissioner's Office (ICO) if relevant. Ensure you have a dedicated Single Point of Contact (SPOC), thus avoiding several people speaking to the same organisation from different parts of your business.
  7. Ensure your PR team is fully apprised and updated at appropriate times so that briefings can be made to the media, stakeholders, customers etc.
  8. Have a clear concise response plan.
  9. Maintain an incident log (which is easily accessible and easy to use). It should include full details of the incident, names and locations (if available/known), timings, actions, accountabilities and responsibilities. This could become admissible evidential material, therefore ensure each page of the incident log is signed and dated by the incident log manager and that it is clear who is accountable and who authorised each action.
  10. After the incident, evaluate your lessons learned: what worked and what didn’t. Re-evaluate your policies and processes and update them, if necessary, to reflect the areas that require change. Implement the changes as soon as practicable and cascade, where relevant, any changes to policies and processes.

Bonus tip: it’s now widely accepted that, when it comes to incidents, it’s not a case of ‘if’ but ‘when’. As such, your incident response plan should be tested before an incident, so that the first time you put it into practice isn’t when you need it the most. In the event of an incident, ensure you conduct a lessons learned exercise, implement the resulting fixes in a timely manner and ensure your stakeholders are informed.

There is no such thing as 100% security, but you can and should mitigate risk where possible – the tips above will help you do just that. If you want more assistance or information, please contact us.

The Ethics of Social Engineering Testing

I’ve been performing social engineering tests for over a decade. I have social engineered my way into organisations from company offices to government facilities, hedge funds to sports stadiums, both in the UK and abroad. I’ve done social engineering tests in person, over the phone and via email. The more social engineering tests I do, the more ethical quandaries I come up against.

I’ve learned that while malicious social engineering can be easy, ethical social engineering is hard. There are quite a few limitations that quickly become apparent once you start your ethical social engineering test, and indeed your social engineering career. As ethical social engineers, we have many more restrictions than attackers when it comes to performing our assignments.

All security testing involves ethical questions at some level; social engineering testing even more so. In social engineering testing, as opposed to most other security testing, you are targeting people rather than machines, people whom you may feel bad about misleading and who may be angry that they have been duped.

Everyone has different boundaries when it comes to social engineering, both in terms of what they feel comfortable doing themselves as a tester and in what they feel comfortable doing to other individuals as their targets.  For example, some social engineers have no qualms about using crutches or a wheelchair to deceive someone into holding a door open for them; for others, this is a step too far.  Some testers find it easy to lie to their targets, others find themselves unable to do so.  Sometimes it can be easier for testers to perform remote social engineering, such as phishing attacks, where they do not have to speak directly with or even see their targets, potentially leading us to forget that there are real people at the end of our tests.

When the Ashley Madison information was leaked, it would have been easy to turn it into a social engineering scenario (and I am sure many malicious social engineers did just that). I considered sending an organisation I was testing some emails along the lines of “Find out who in your company uses Ashley Madison”, a ruse not everyone would be able to resist and an easy click-through for some office gossip. Although I am sure this test would have been successful, to my mind it would not have been ethical.

Examples of other ethical questions I have come up against include:

  • What kind of bribes, if any, are acceptable as part of a social engineering test?
  • Is it ok to go after people’s personal information?
  • To what extent can you use social media as part of your test?
  • Should you name individuals in reports?

The ethics of social engineering testing is highly personal, and different people may have different answers to these questions. Whatever your answer is, it is important for both you as a social engineering tester and your client to consider the ethical impact of performing a test. Before you embark on a social engineering test, you must consider the ethical implications of any pretexts, scenarios or ruses you are planning to use. If you want to err on the side of caution, discuss the ethical (as well as the legal) side of your plans with your client and potentially even a representative from their HR department.

Social engineering testing has an important role to play in any good security programme. It’s a great way of testing and improving security awareness among employees, especially if done on a regular basis. But make sure it is done lawfully and ethically.

Business Trip Planned? Travel Security Basics

As with most professions these days, we communicate regularly via the wonders of modern technology, with the ability to sit comfortably at our desk in the office or even whilst working from home. However, nothing quite beats a face to face meeting with your client, supplier or vendor to secure that deal, manage a project on site, mitigate problems or just say hello. Unfortunately though, as we know only too well with recent tragic events at the forefront of our minds, travelling isn’t always as safe as we assume or hope it to be.

The following may seem like basic travel security tips, but you’d be surprised how many people aren’t aware of them, don’t follow these simple guidelines, or forget the support and processes that their employer has in place to assist when travelling in country or abroad.

So I thought I’d put together some useful tips and advice (not in itself an exhaustive list) for when travelling. Further useful information

Make sure you’re aware of and know the details of your employer’s emergency support service for when travelling. Keep the information to hand, not just on your phone or mobile equipment but also on paper, in the event your mobile equipment doesn’t work or, worst case scenario, is lost or stolen.

Ensure your employer has up to date personal information (including your personal mobile number) and next of kin (NOK) contact details (including mobile, landline and work numbers).

Take a photocopy (front and back) of all the credit and debit cards you have, and keep the details in a safe place so that in the event your card(s) get lost or stolen you know who to contact and, equally as important, you remember all the cards you have. Telephone numbers of card issuers to call in the event they are lost or stolen can be found on the back. Don’t forget to do the same with your loyalty cards; you don’t want to lose all those points you’ve accumulated. And only take the cards you need with you when travelling.

Remember too to keep a note of your passport number and make a copy of it, namely the pages with your photograph and identification data on them. Take a copy with you (keeping it separate from your actual passport) so you have the details to hand if you need to report it lost or stolen, and keep one in a safe place or with a trusted person at home. And don’t forget to complete the emergency contact details in the passport.

Carry your passport with you at all times.

Check the Foreign and Commonwealth Office (FCO) website for travel advice before and during your travel, not just the news and weather sites. And, if travelling to a high risk country or area, be sure to follow their guidelines.

Make sure you have the contact details of your own country’s embassy in the country you’re travelling to, as well as the emergency phone numbers for that country, i.e. police, ambulance and fire services.

Never leave your mobile phone, laptop, tablet or other electronic devices unattended and, if possible, don’t leave them in the hotel room, particularly if you are in a region of high risk. If you can’t take them with you, leave them in the hotel safe, and don’t use your date of birth or a generic code such as 1234 as the safe code.

Make sure you have the IMEI numbers of all your electronic devices in the event they are lost or stolen; these numbers will assist in blocking the phones and/or tracing them. If you’re not sure what they are, type *#06# into your phone’s keypad. If you have an Apple device, follow these tips. Keep these details safe with your credit and debit card details.

And remember, keep safe and be vigilant. Some useful information from the NPCC.

Why the formation of the Risk Avengers?

When I initially started working in the fraud prevention arena, I was always told “your contacts are gold and networking is of paramount importance”, as you never know when you may need them, whether for an investigation, case work, employment prospects etc. So I set about networking and meeting like-minded peers, and found that they were predominantly men. The few women I did meet, it transpired (back then), didn’t know each other. So in 2004 I set about informally bringing together women who worked in the fraud prevention arena to share best practice, support each other and network. Subsequently, this informal gathering was formalised in 2007 as the Fraud Women’s Network, which is still going strong today with over 140 members and will be celebrating its 10th anniversary in 2017.

After many years (far too many to think of) of working in the public and private sector, I decided to embark into (excuse the pun) the world of consultancy and established Into Consultancy, which provides expert advice and guidance on fraud prevention, training and awareness and the operational risk elements of a business, helping with everything from fraud risk management to the strategic and operational management of critical threats and critical security contracts.

However, at the same time as doing this, I felt very strongly and passionately that there would be benefit and added value in collaborating with people who work in the cyber security and social engineering arenas. Why, aside from supporting and wanting to work with other female peers? Generally speaking, the MO of fraudsters and criminals attacking our systems hasn’t changed, but the enablers and vectors for committing these crimes have. With the advancement of technology and the ever increasing usage of social media, fraud, cyber and physical security are all cross-cutting themes and are now intrinsically linked.

Therefore, collaborating with industry experts in the fields of cyber security, social engineering and penetration testing provides a full complement of services, a wealth of knowledge and skills, and expertise for our clients from one place: a niche offering. Hence the formation of The Risk Avengers, a collaboration with two of my industry peers, the very well respected Dr Jessica Barker and Sharon Conheady, who I truly am honoured and delighted to be working alongside!

We will still be managing and running our own respective consultancy businesses, but by forming the collaboration, The Risk Avengers, we can now offer our clients a true end-to-end service incorporating fraud prevention and awareness; cyber security; social engineering; penetration testing; incident management; and physical security.

The Risk Avengers’ Top Tips to Improve your Organisation’s Security

By Toni Sless and Dr Jessica Barker

With the launch of The Risk Avengers, we thought it a timely reminder of our top tips to improve your organisation’s security, combating fraud and cyber crime. Whether you’re big or small, fraud awareness and prevention and cyber security are real issues that we all need to address. Security shouldn’t be about locking down all information or getting in the way of people working; it should be proportionate, holistic and tailored to the needs, context and risk appetite of your organisation.

With that in mind, here are our Top Tips:

1. Undertake a third party audit of your information security. Expert, external eyes will help you work out what you’re doing right as well as where, and how, to improve.

2. Get your policies and processes in order. Policies should be clear, concise, accessible and appropriate to the business. They also, very importantly and often overlooked, need to be well-communicated and enforced.  Processes should be simple but understandable by all stakeholders so that in the event of an incident (be it fraud, a critical threat or a cyber attack) everybody knows who is handling what and communicating to whom.

3. Everyone in your organisation should have training. Whether this is in-depth specialist training or general awareness-raising will vary depending on the organisation and people’s roles; your training needs analysis matrix will assist with this.

4. Consider your culture and if you find there’s a tendency to scaremonger, scapegoat or rule by fear, it’s time for cultural change.

5. Review your governance. Who owns information risk and fraud prevention and how is this disseminated throughout the rest of the organisation? If you don’t already have them, consider approaching some keen staff members to see if they would act as ‘cyber and/or fraud awareness ambassadors’.

6. If you’re launching a new product, refreshing an existing one or implementing changes in the business, make sure you engage with your fraud and information security teams so that they can stress test them and make them robust against attack.  If you don't have this in-house, consider seeking external expertise.

7. Focus on passwords. They are often the quickest and easiest way for an attacker to compromise your network, which is not surprising considering ‘123456’ and ‘password’ were the two most common passwords of last year.

8. Put two-factor authentication in place wherever you can, and make sure people understand it and use it. This is linked to number 7, in that two-factor means you are no longer relying on passwords alone: a stolen or guessed password is not enough on its own. Despite the simplicity and effectiveness of 2FA, unfortunately most people are unaware of it and not engaging with it.

9. Look at your physical and personnel security. Like many of these tips, a good information security audit should cover this, as there is much more to information security than the digital side. Social engineering (or ‘people hacking’) takes advantage of poor physical security and of organisations that fail to empower their staff to challenge strangers in the office or to stop someone from following them through card access doors.

10. Keep up to date with threats. One of the most common, and successful, attacks right now is CEO fraud, which often involves spoofed emails purporting to come from a senior executive. Use team meetings to make staff aware of threats and try to make these discussions as engaging and interactive as possible.

11. Ensure your system is well-configured. Patches and updates should be timely, vulnerability scans should be regular, firewalls should be in place and penetration testing should be carried out and the recommendations implemented.

Bonus tip: it’s now widely accepted that, when it comes to information breaches, it’s not a case of ‘if’ but ‘when’. As such, your incident response plan (developed under tip 2, get your policies in order) should be tested before a breach, so that the first time you put it into practice isn’t when you need it the most. In the event of an incident, ensure you conduct a lessons learned exercise, implement the resulting fixes in a timely manner and ensure your stakeholders are informed.

There is no such thing as 100% security, but you can and should mitigate risk where possible – the tips above will help you do just that.

If you want more assistance or information, please contact us. Dr Jessica Barker, Toni Sless and Sharon Conheady: collaboratively, The Risk Avengers.

ONS fraud and cybercrime stats the tip of the iceberg

By Dr. Jessica Barker

Today the Office for National Statistics (ONS) has released results from its latest Crime Survey for England and Wales (CSEW), which is understood to be the best measure of crime trends for the population. The survey shows a 6% fall in the number of ‘traditional crime’ incidents against adults, with 6.3 million incidents recorded. For the first time, the CSEW has started including fraud and cybercrime, and the results highlight the extent to which these ‘new’ crimes have grown compared to ‘traditional’ crime. The survey estimates that there were 3.8 million fraud and 2 million computer misuse offences experienced in the year ending March 2016, therefore reaching almost the same number as traditional crimes. For the time being, these CSEW findings are ‘experimental statistics’, as they were only captured for six months (between October 2015 and March 2016). The ONS is going to continue recording rates of fraud and cybercrime as experienced by individuals and so, as more data is released, we will be able to assess levels of fraud and cybercrime more accurately.

The most common types of fraud reported in the CSEW were bank and credit account fraud, with 2.5 million incidents experienced by the population. Accounting for 1.4 million of the computer misuse incidents was a computer or device being infected with a virus. The statistics as a whole show that we are more likely to be a victim of fraud or cybercrime than any other crime, with one in ten experiencing an incident.

Apart from the huge magnitude of fraud and cybercrime as captured by the ONS report, a couple of other points are particularly telling about the findings. The fact that the ONS has never recorded these forms of crime in the past reflects the extent to which organisations, and society as a whole, have failed to keep pace with fraud and cybercrime. These are not victimless crimes, and the extent to which they affect individuals, businesses of all shapes and sizes and the overall economy has been growing for years. It is also worth noting that crime statistics generally do not reflect the true extent of criminality, especially when it comes to fraud and cybercrime. The CSEW captures the rate of incidents experienced by individuals, so for a crime to become a statistic in this report, the victim must know that they have been attacked and must report it in the CSEW. Unfortunately, many acts of fraud and cybercrime are carried out undetected. Reports suggest, for example, that it takes an organisation approximately 229 days to detect criminal hackers in their system. It is safe to assume, therefore, that these recorded statistics are only the tip of the iceberg.

The Risk Avengers: A collaboration

We're very excited to announce the formation of The Risk Avengers, as three very well respected and experienced industry experts come together.

Dr Jessica Barker, Sharon Conheady and Toni Sless, each running their own successful consultancies, are pooling their extensive knowledge and experience in the fraud prevention, physical security, cyber crime, social engineering and penetration testing arenas.

The Risk Avengers will be offering their consultancy and training services to both startups and larger businesses wishing to ensure they have the right policies, processes and procedures in place to deal with the minefield that is information security, fraud awareness and prevention.

Risk Avenger Toni Sless states, "Business risk is evolving and creating a very challenging and complex environment. Businesses need to know where to concentrate their efforts and ensure that they are protected should something go wrong. With this in mind, we have created The Risk Avengers to help businesses on their security and fraud strategies and also train their staff so they are able to better respond and protect themselves against business risks and threats".

Don't wait until you've been a victim of fraud or cybercrime; contact us today for a chat to discuss how we can help.