NCSC catches 10 million phishes
The UK’s National Cyber Security Centre has received more than 10.5 million suspicious emails through its Suspicious Email Reporting Service (SERS), and has taken down 76,000 online scams relating to the NHS, online deliveries, cryptocurrencies and more, in the two years it has been active.
Launched on 21 April 2020, as the first wave of the Covid-19 pandemic reached its height, alongside an accompanying surge in cyber crime, scam-savvy Brits quickly took the service to their hearts, bombarding the NCSC’s reporting email inbox – [email protected] – with a million emails in its first two months alone. There has been no let up since.
This sustained increase in cyber crime – recorded offences linked to unauthorised access to personal information (which includes hacking) were up by 161% in 2021 in England and Wales – has today prompted the government to launch a new campaign across broadcast, online and billboard adverts to publicise actionable cyber security advice to the general public.
“The British public’s response to our Suspicious Email Reporting Service has been incredible and led to the removal of thousands of online scams,” said NCSC CEO Lindy Cameron.
“But there is even more we can do and by following our Cyber Aware steps to secure online accounts, starting with email, people will dramatically reduce risks, including financial losses and personal data breaches.
“We all have a role to play in our collective cyber security and I urge everyone to follow our Cyber Aware advice to make life even harder for the scammers.”
Steve Barclay, chancellor of the Duchy of Lancaster, added: “Online scams and fake ads target us all and we’re determined to stamp them out.
“Everyone can help contribute to the country’s cyber security by being vigilant, reporting suspicious communications, and using secure methods to safeguard accounts.
“I urge everyone to check out the NCSC’s website, which has some great advice on how to protect yourself online, including enabling two-step verification and using passwords with three random words.”
The campaign draws on the NCSC’s own Cyber Aware advice, recommending simple steps that anyone can take, such as setting passwords made up of three random words, a technique that it first started advocating some time ago, and says it has found an extremely effective means of encouraging people to set passwords that are, critically, memorable to them.
This is because the human mind struggles to remember random character strings or genuinely secure patterns of special characters, capital letters, and so on. Therefore, to abide by most organisations’ password policies, we will tend to set passwords that are not actually that complex at all.
For example, Jane Smith from Bristol, born on 5 January 1992, might set a password that replaces the E, S and I in her name with 3, 5 and 1 and then append her home town and birthday to the end. The resulting password, Jan35m1th050192Bristol, might seem long and complicated, and will satisfy most online services, but it presents no challenge to a determined cyber criminal.
By stringing together three randomly chosen words, for example, “shall”, “degree” and “decide”, the theory goes that Jane Smith can create a unique password that is strong enough to satisfy most policies, is easier for her remember, and lacks easily guessable conventions, such as swapping letters for lookalike numbers, or adding a ! to the end.
The NCSC said the main issue with enforcing password complexity requirements is that it makes it hard for users to generate, remember and enter their passwords accurately without needing to use password manager app, or to search out the notebook where they wrote them down, which encourages people to reuse them – a big no-no in the cyber world. “The power of three random words is in its usability, because security that’s not usable doesn’t work,” it said.
The campaign also encourages users to enable two-factor, also known as multi-factor authentication (2FA/MFA), where possible, so that when a user tries to log into an online account, they will have to confirm their identity by not only entering the password, but responding to a second challenge, such as a code sent to their device via SMS.
This makes it harder for the average cyber criminal to access a user’s account because even if they have obtained the target’s password from somewhere – or guessed it because the password was rubbish – they are less likely to have access to the target’s device.