QR Code Threats: Quick Response or Quick Risk

QR codes (Quick Response) are not new but have become extremely popular over the last several years. Sadly, as technologies and human behaviours evolve, so do the risks, and fraudsters often adapt faster. A QR code generator takes a piece of information, most commonly a web address, encodes it as binary and displays it as a pattern of dark and light squares: a two-dimensional barcode. A QR code reader does the reverse, converting the pattern back into the original text. Businesses use this technology for many legitimate purposes, but scammers can also misuse it for fraudulent activities. This article explores the risks and countermeasures.

  • Phishing – Scammers can create QR codes linking to fake websites that mimic legitimate businesses, in much the same way phishing emails include links to fraudulent sites. Scanning the QR code and filling in the form it leads to may unknowingly hand fraudsters sensitive information, such as login credentials and credit card numbers.
  • Malware – QR codes can link to websites hosting malicious content, such as viruses and spyware. Again, this is similar to what happens with phishing emails, but with a difference: you are looking at a square barcode rather than at a link. The destination is not visible until your scanner decodes the code, so the habit of reading a link before clicking it does not apply. Most scanner apps show the decoded address before opening it, and that preview is the moment to check it.

There are many legitimate uses of QR codes, and it would be a shame if the fraud discourages businesses from using the technology and realising its benefits. Protecting yourself from becoming a QR code fraud victim requires examining the context and situation in which you use them.

Here are some detailed examples and scenarios to illustrate how the technology is in use, how fraudsters target their unsuspecting victims, and countermeasures, which primarily involve being more mindful and taking extra precautions when scanning:

  • Business cards, product packaging, and printed advertisements – linking directly to websites to allow quick access to product and service information
  • Utility bill payments
  • Airline tickets
  • Cinema or theatre tickets, concerts, conferences, or other venues that facilitate paperless entry
  • Contactless payments through Google Pay, Apple Pay, or any number of mobile banking applications
  • QR codes at tourist attractions to link through to historical information or provide current map locations
  • Labelling equipment, spare parts, and other warehouse items, which makes it practical to manage the supply chain and inventory and to track products from production to distribution. QR codes were originally developed in Japan for labelling car parts.
    • The Universal Product Code (UPC) barcode holds 12 digits, so capturing the required information often needs multiple barcodes.
    • QR codes store significantly more data: up to 2,953 bytes, roughly 3 KB.
    • The usable capacity depends on the data type: up to 7,089 numeric digits, 4,296 alphanumeric characters, or 2,953 bytes of arbitrary binary data at the lowest error-correction level.
  • Patient wristbands to provide quick access to critical health information in hospitals
  • Emergency contact information
  • Restaurant menus, ordering and bill payment

General countermeasures to help protect you against QR code fraud include:

  • Don’t scan QR codes from sources you don’t trust
    • Verify the origin and legitimacy of QR codes
    • Use official websites and apps from reputable companies.
    • Avoid scanning QR codes if you have never heard of the company
    • Avoid scanning QR codes from unsolicited sources
  • Be suspicious of unsolicited QR codes received via email, text messages, or social media. A QR code serves no purpose in these channels, because the recipient already has a device that can open a link directly:
    • Scammers use these channels to distribute malicious QR codes, partly because an image of a QR code can slip past email filters that inspect text links
    • A legitimate business would send readable text and links through these channels rather than a QR code
    • The exceptions are QR codes for train tickets, theatre tickets, airline tickets, or other events where the code allows paperless entry; these arrive in response to a purchase you made and are not unsolicited
  • Examine QR codes closely before scanning. Look for any signs of tampering; if anything looks suspicious, don’t scan the code. Consider:
    • Anything that looks like an alteration or anything added
    • If someone has placed a new QR code sticker over an original
  • Check the web address your scanner shows before opening it, and again before entering personal information or making payments. Make sure the domain matches the business’s official website and not a look-alike, a shortened link, or a bare IP address.
  • Keep operating system and application software up to date as developers frequently release new updates to address security vulnerabilities.
  • Install reputable antivirus or anti-malware software to help detect and prevent malicious software.
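
The “check the web address” advice above is easier to follow with a concrete list of what to look for. The following is an added example, not code from the original article: a small Python function that takes the text a scanner decoded from a QR code and returns warning codes for the tricks fraudsters use on replacement stickers and fake posters (wrong or look-alike domain, shortener, bare IP, userinfo before the host, plain http, non-web payloads such as Wi‑Fi or tel: codes). The “official” domain and the sample payloads are constructed for illustration; there is no such parking operator.

```python
# Added example: classify the address a QR scanner decoded, before opening it.
# Not code from the original article; the "official" domain and the sample
# payloads below are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

# Well-known public URL shorteners; a shortener hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def check_qr_target(payload: str, official_domain: str) -> list:
    """Return a list of warning codes for a decoded QR payload.

    An empty list means the payload is an https link whose host is the
    official domain (or a subdomain of it) and shows none of the tricks
    fraudsters use on replacement stickers and fake posters.
    """
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # tel:, sms:, mailto:, WIFI: and similar payloads trigger actions rather
    # than open a page; treat anything that is not a web link as suspicious.
    if scheme not in ("http", "https"):
        findings.append("non-web-scheme")
        return findings
    if scheme == "http":
        findings.append("plain-http")

    host = (parts.hostname or "").lower()
    official = official_domain.lower()

    # https://official.example@evil.example/ puts the brand in the userinfo
    # part; the browser actually connects to the host after the "@".
    if parts.username is not None:
        findings.append("userinfo-before-host")

    # A payment site addressed by a raw IP address is not how businesses work.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass

    # Internationalised labels (xn--) can render as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        findings.append("punycode-or-non-ascii-host")

    if host in SHORTENERS:
        findings.append("shortener")

    # The host must be the official domain or a subdomain of it. A host that
    # merely contains the brand (official.co.uk.pay-now.example) is a look-alike.
    if host != official and not host.endswith("." + official):
        brand = official.split(".")[0]
        findings.append("lookalike" if brand in host else "wrong-host")
    return findings


if __name__ == "__main__":
    OFFICIAL = "official-parking.co.uk"   # hypothetical operator domain
    samples = [  # constructed payloads, as a scanner would decode them
        "https://www.official-parking.co.uk/pay?bay=12",
        "https://official-parking.co.uk.pay-now.example/pay",
        "http://bit.ly/3xyzpark",
        "https://official-parking.co.uk@203.0.113.5/pay",
        "WIFI:T:WPA;S:FreeParking;P:hunter2;;",
    ]
    for s in samples:
        print(f"{s!r:60} -> {check_qr_target(s, OFFICIAL) or 'ok'}")
```

The function deliberately stops at the address itself; it does not fetch the page. Whether the domain is genuine is something you establish from the business’s own printed material or a search you run yourself, not from the QR code.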

The above list is not exhaustive, and it is necessary to change your mindset when using this kind of technology and develop a healthy level of suspicion. As with all types of fraudulent activity, QR code fraud is evolving; therefore, staying informed and being cautious to protect yourself and your personal information is essential.

Here are some scenarios and consequences:

  • Restaurant bill payments
    • A scammer adds a QR code sticker over the original on a restaurant menu
    • The customer scans the code and visits a fake restaurant website
    • The customer pays the restaurant bill to a fraudster
    • The restaurant may challenge the customer when they get up to leave, or it may involve authorities at a later date
  • Fake event tickets
    • Fraudsters use a fake website to sell tickets to a popular event and deliver the tickets with QR codes to unsuspecting victims.
    • The ticket website and the tickets look convincing and official
    • The customer is unaware of any problems until they are unable to gain entry to the event
  • Restaurant orders with upfront payments
    • A scammer covertly swaps official menus with a reproduction containing a different QR code that directs the customer to a convincing website copy.
    • The customer places an order for food and makes a payment
    • The food never arrives
    • The customer complains and provides evidence of payment
    • The restaurant apologises and delivers the food, and suffers a loss in reputation through negative word of mouth
  • Parking tickets
    • A scammer places a QR code sticker over the top of the original code
    • An unsuspecting driver scans the QR code to buy their parking ticket
    • The code directs the driver to a fake car park payment website, where they enter their payment details along with the car registration number
    • The site sends a text message confirming receipt of payment and the paid-for parking duration
    • A car parking attendant, traffic warden, or Automatic Number Plate Recognition (ANPR) camera identifies the vehicle as parked without payment
    • The driver receives a fine in the post, and the process to challenge such fines is complex, time-consuming, and in many cases more expensive than paying the fine and moving on
  • Free parking – a variation on the previous parking ticket example
    • A scammer prints posters and places them in free-parking areas
    • The parking tariff and payment instructions look official and well-presented, but they are fake
    • Drivers park up, pay for parking, and receive a confirmation email or text message
    • The scammer takes the money, and the driver is unaware of what has happened
  • 20 days of train travel for the price of 2 – this example illustrates how passengers avoid paying their fares by taking advantage of poor staffing levels on some routes and the absence of ticket gates at many stations. In this example, the traveller commutes every day, and the victim is the train company rather than the passenger.
    • For day one, the traveller purchases two return tickets using an official ticket website such as Trainline. The 1st is an open-return ticket from Station A to Station B, and the 2nd is an open-return ticket from Station B to Station A
    • On day one, the traveller uses the outbound portions of both tickets for the outbound and return journeys. On this day, it doesn’t matter if there is an unexpected ticket inspection, as the outbound portions are only valid for one day.
    • On day two and subsequent days, the traveller uses the return portion of the 2nd ticket for their outbound journey and the return portion of the 1st ticket for their return journey. Both return portions are valid for 30 days.
    • If a ticket inspector scans the QR code, that return portion is marked as used and is no longer valid for subsequent journeys. The traveller buys a replacement open-return ticket and continues.
    • For the train operators and stations, accepting the losses is likely cheaper than increasing the workforce and installing ticket gates.

To conclude, you should be careful when using QR codes and exercise the same level of caution, scepticism, and suspicion as when you receive social media messages, text messages, or unsolicited emails containing website links.

Reducing the cost of cyber insurance

Cyber insurance protects against risks that come with storing and handling data. It covers business liability for data breaches involving customer or employee information, including credit card details, passwords, and personally identifiable information (PII). Cyber insurance claims could arise from either:

  • An accidental privacy breach by an employee
  • A situation involving hacking, extortion or ransomware

Cyber insurance can cover many financial costs, varying with each provider. Here are some examples of cover:

  • Crime investigation
  • Loss of income
  • Legal costs
  • Recovering lost data
  • Restoring computer and security systems
  • Locating and removing viruses
  • Reputation management activities
  • Extortion payments
  • Third-party claims for damages
  • Hiring IT specialists

Insurance companies conduct risk assessments and set premiums accordingly through a combination of factors, including:

  • Actuarial analysis – consideration of historical data, industry trends, statistics, and various other factors to determine the likelihood of events occurring and associated costs
  • Underwriting – evaluating individual insurance applications to accept, reject, or modify cover. Underwriting involves assessing the applicant’s risk profile considering many factors.
  • Historical Losses – analysis of historical claims data to identify which types of claims are more likely and use the frequency and severity to influence the premium

Consequently, reducing insurance premiums is about mitigating risks and demonstrating to insurance providers that effective countermeasures exist. For motor insurance, this could include:

  • Using a steering lock – a car is less likely to be stolen with a steering lock while parked and unattended. A car thief will likely move on to the next car without a steering lock.
  • Advanced driving test – a certificate holder is less likely to cause an accident. The advanced driving test demonstrates a higher standard of driving than the standard UK driving test. Some insurance providers offer significantly reduced premiums.

Not all insurance providers offer reduced premiums for all types of risk mitigation, so it is still necessary to shop around. Reducing cyber insurance premiums also involves mitigating risks and demonstrating to the providers that your business has adequate controls. In a nutshell:

  • Establish robust security controls to reduce the:
    • Likelihood of an incident
    • Severity of an incident
    • Overall risk
  • Have the necessary processes and resources to:
    • Recover quickly from security incidents and losses
    • Strengthen controls to prevent reoccurrence
  • Have the insurance policy as a backup

When applying for cyber insurance, you should expect to receive a detailed questionnaire from your insurance provider, like one that you may obtain from clients as part of their due diligence process or one that you might give to vendors as part of your due diligence. Also, expect a follow-up meeting with a security expert from the insurance company (or working on their behalf). This audit activity will allow the insurer to decide what cover to offer at a price that reflects the risk.

At the heart of this process is the requirement to establish credibility. A great starting point is to work within a specific framework and obtain third-party certification where available and appropriate to the business. Here is a selection:

  • Cyber Essentials and Cyber Essentials Plus
  • ISO 27001 Information Security Management Systems
  • Payment Card Industry Data Security Standard (PCI DSS)
  • National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF)
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
  • Control Objectives for Information and Related Technologies (COBIT) Framework

Obtaining a third-party evaluation of business maturity can add credibility to the current risk posture and provide essential information, such as the next steps in developing maturity and mitigating further risk. Not all insurance providers will recognise all the frameworks and certifications and may use a breakdown of controls when calculating premiums.

Here are some examples of controls demonstrating that your risk management, information security management, and risk posture are under control. These details provide a good starting point for building your case for reducing cyber insurance premiums.

  • Implement strong network security, firewalls, and intrusion detection systems. Use strong encryption to protect sensitive data, both in transit and at rest. Deploy endpoint protection.
  • Employ multi-factor authentication (MFA)
  • Regularly update and patch software and systems to address vulnerabilities. Remove deprecated or unsupported software from the estate. Establish vulnerability management practices and remediate weaknesses.
  • Conduct regular security audits and penetration testing. Identify weaknesses, manage remediation, and drive continuous security improvement.
  • Create and enforce clear policies and procedures for information security. Stay up-to-date with emerging threats and update countermeasures accordingly to protect the business.
  • Have secure, offline or air-gapped backup copies of data that ransomware on the live network cannot reach. Regularly test the restore process to make sure you can recover your data if needed.
  • Provide security awareness training for employees to recognise and respond to threats. Create a security aware culture within the business. Evolve to the point where the people become the greatest strength in cyber defence.
  • Define and document an incident response plan to address and contain threats. Regularly update and conduct tests to demonstrate readiness.
  • Establish a 24/7/365 security monitoring regime. If this is cost-prohibitive because of a need to operate multiple shifts, consider partnering or outsourcing the security operations centre to a third party specialising in security monitoring and offering a round-the-clock or follow-the-sun service.
  • Regularly assess your risk profile. Implement treatment plans based on the assessments. Identify and prioritise potential vulnerabilities and threats.
  • Comply with data protection regulations such as the Data Protection Act 2018 and the GDPR. Implement data protection measures to safeguard customer and employee information. Maintain a data breach response plan to meet regulatory requirements, including notification deadlines.
  • Assess the security posture of third-party suppliers during the selection process and at periodic intervals to ensure they meet your contractual requirements and security standards.
  • Establish a robust risk management framework and proactive measures to prevent security incidents. Continuously improve security posture in response to evolving risks and emerging threats. Update policies and procedures as needed to align with current requirements.

Information Security is a journey, not a destination, and the same applies to reducing cyber insurance premiums. By implementing strong security measures, demonstrating risk management practices, and working with insurance providers, it is feasible to:

  • Obtain lower insurance premiums. Keep premiums to a minimum through a commitment to continuous improvement.
  • Maintain an adequate level of insurance coverage. Review and adjust the insurance coverage and policy limits as needed to meet the needs of the business.

Reducing fraud with virtual cards

Avoiding untrustworthy vendors is sound advice, but it is not always straightforward to evaluate them ahead of making an online purchase for the first time. This article introduces virtual credit cards, the reasons for needing them, and how they work as a viable countermeasure to reduce or avoid fraud.

A virtual credit or debit card works in the following way:

  • New bank account – you first need to open a bank account that supports this feature to use virtual cards. This part of the process is the same as other bank accounts. Your existing account may already include such a feature.
  • Create a virtual card – using your bank’s online portal, create a virtual card. The virtual card will include the 16-digit card number, the expiry date and the Card Verification Value (CVV) number found on the back of physical cards. The difference is that your bank will create the virtual card instantly.
  • Make purchases – use the virtual card details to make online and telephone purchases without disclosing your physical card details
  • Delete your virtual card – deleting your virtual card will immediately block all further transactions. You can keep your card details for multiple transactions or delete your card once a single transaction is complete.

Reasons for implementing these countermeasures include:

  • Online accounts that don’t allow card removal – as customers, you should have the option and the right to delete your card details, but in practice, many vendors have not implemented this and refuse to cooperate if you ask for the removal of your details
  • Avoid subscription scams – some vendors have hidden terms and conditions that state that you are joining a club by making a purchase. Consequently, the vendor takes money from your bank account and adds it to your online vendor account, ready for future purchases. This type of purchase deviates from how people buy goods and services and, combined with the fact that very few people read terms and conditions on websites because they are too long and convoluted, this can catch people out. This kind of behaviour will show up when reading online reviews.
  • Stealth auto-renewal – vendors often keep hold of card details and set payments to renew automatically without informing their customers, either during the initial purchase or ahead of renewals
  • Reduced need to cancel physical bank cards – the option to create and delete virtual cards means that if anything untoward takes place with a vendor, it will not be necessary to request a replacement physical card. Deleting the virtual card stops any further charges on it.
  • Free trials – many services offer free trials and require the use of a credit or debit card so they can take payment from your account at the end of the free period unless you choose to cancel the service. You must ensure that you are not legally obliged to make payments if you fail to cancel a service explicitly. Use of virtual cards for trial registration followed by immediate deletion will offer protection against vendors that:
    • Make it difficult to cancel services
    • Mislead you into believing you have cancelled a service
    • Don’t respond to customer support requests for cancellation
    • Refuse to let you remove your card details

Banks are unlikely to investigate issues if you have given your card details to a vendor and will likely tell you to speak to the vendor to resolve the problem. The outcome will depend on the overall credibility and trustworthiness of the vendor.

Other countermeasures include:

  • Looking for reviews online – vendors often have reviews and testimonials on their websites, third-party websites, and discussions on social media. Sadly, fake reviews are commonplace, so you can’t always trust what you read.
  • Looking for online complaints – if a vendor misbehaves, refuses to cooperate with customers in resolving problems, or causes customers to lose money or become upset for any other reason, complaints will find their way to review websites and social media
  • Only having the money you need for the transaction in the account – works if your bank account doesn’t have any credit facilities attached to it, so you can never have a negative balance. The vendor can never take more than expected during the first transaction. Even with free trials, it is possible to have items added to your shopping basket by default or pre-selected checkboxes, including a surprise purchase.

Remember that when you give your credit or debit card details to a vendor, you have no control over how they store or use them.

Mobile Number Hijacking

Many people don’t think much about their phone numbers. They feel replaceable, something you keep until you switch providers, upgrade a handset, or lose a SIM. But today, your number is more than just a way to call or text. It’s one of the master keys to your identity. Banks, email services, and social platforms use it to decide whether you are really you. Mobile number hijacking allows attackers to steal your number and use it as a gateway into your digital life. When it happens, it’s usually quick, silent, and devastating.

What is mobile number hijacking?

Mobile number hijacking, often called SIM swapping, occurs when someone persuades your provider to transfer your number to a SIM card under their control. The moment it works, your phone goes dead. Calls and texts stop reaching you and instead flow to the attacker, including the one-time passcodes banks and services send by SMS.

With your number, an attacker can:

  • Reset passwords for email, social media, and bank accounts.
  • Bypass two-factor authentication that relies on text messages.
  • Impersonate you to friends, family, or colleagues.
  • Drain money or harvest personal data before you realise what’s happened.

How does it happen?

Criminals prepare carefully:

  • Data gathering – Collecting personal details such as name, address, and date of birth from phishing, social media, or leaked databases.
  • Exploiting weak checks – Taking advantage of providers that still rely on simple, easy-to-fake identity questions. In some cases, insiders have assisted.
  • Impersonation – Contacting the provider, posing as you, and requesting that the number be moved to a new SIM.

Where criminals get your information

To make impersonation believable, attackers first gather personal details that let them sound convincing. They assemble fragments of data from public, commercial, and illicit sources until they can pass themselves off as you.

  • Data brokers collect, package, and sell information found in public records. Scammers can buy your phone number from these companies.
  • Public social media profiles. Many social media and other sites ask for a phone number when signing up, with some leaving that information publicly available.
  • Fraudsters can send fake emails asking you to confirm personal information and contact details or pressuring you into calling them.
  • Phone scammers use tools that automatically call random or sequential phone numbers, hoping that unsuspecting victims will pick up.
  • If you’ve been the victim of a scam in the past, you may be on a target list that scammers share with each other.
  • Spyware and other malware infections. Hackers can trick you into downloading software that allows them to spy on you or steal personal information, such as your phone number.
  • Hacking unsecured Wi-Fi networks. If you enter your phone number on a website while using public Wi-Fi, hackers may be able to spy on you or intercept the data.
  • Stolen mail. Some scammers prefer old school methods, such as mail theft, to collect sensitive personal details and contact information.

Once successful, speed is the weapon. Accounts can be reset and funds transferred within minutes.

Warning signs

You can’t always spot an attack in advance, but watch for:

  • Sudden loss of mobile signal.
  • Unexpected account lockouts.
  • Password reset messages or login alerts you didn’t trigger.
  • Fraud warnings or unrecognised transactions.

How to protect yourself

You can’t make yourself completely immune, but you can make attacks harder to pull off:

  • Share less personal information. Limit what you post publicly, especially birthdays, addresses, and work history.
  • Use strong, unique passwords. A password manager helps avoid reuse across accounts.
  • Switch to app-based authentication. Apps like Microsoft Authenticator or Google Authenticator generate codes directly on your device from a secret stored there, so they are unaffected by SIM hijacking. Microsoft Authenticator also supports secure passwordless logins.
  • Add extra security with your provider. Most providers let you set an account PIN or password that must be given before a SIM replacement or number transfer; ask for one and don’t reuse it anywhere else.
  • Stay alert to phishing. Treat rushed or unusual requests for personal details with suspicion.
  • Monitor your accounts. Review bank statements, email logins, and cloud activity regularly.

What to do if you suspect hijacking

If your number is hijacked, speed matters:

  • Contact your provider immediately to block the fraudulent SIM and recover your number.
  • Secure your accounts by changing passwords and moving away from SMS-based two-factor authentication.
  • Notify your bank and credit providers so they can monitor for fraud.
  • Check connected services such as email and cloud accounts for unrecognised devices and revoke access.

You are not powerless

Your mobile number may feel disposable, but it is one of the most valuable keys to your identity. If a criminal hijacks it, they don’t just take your calls, they can take over your online life. By switching to authenticator apps, adding extra security with your provider, and staying alert to phishing, you can make hijacking far harder to pull off.

Most people never realise how much depends on that small piece of plastic until it’s too late. Think of your number like your wallet, passport, or house keys. Protect it with the same care, because losing it could unlock far more than you expect.