DISCLAIMER: The solutions presented on this page are the property of ACME LABS Sp. z o.o. and are subject to legal protection in Poland and abroad, on the basis of intellectual and industrial property rights.

YOU SHOULDN'T HAVE CLICKED ON IT

Unfortunately, this is the most common answer the victim hears when calling the company the e-mail appeared to come from. And yet, following the advice in the cybersecurity tab of that company's website, you checked the sender address letter by letter. You even knew to watch for uppercase letters and digits standing in for lowercase letters: a capital I in place of a lowercase l, a zero in place of an o. You belong to the 4% of people who, according to a report by SGH (Warsaw School of Economics), actually read information and warnings about cyber threats. It turned out not to help much. You have fallen victim to phishing.

Now all you can do is look for your latest backup, if you have one, or pay a ransom in bitcoin to recover your important documents and family photos. Do you feel safe now? Do you think your suppliers are looking after you?

Why do suppliers not take responsibility when someone impersonates them and their customers suffer the damage? The entities most often impersonated by criminals are large companies with the infrastructure, staff and resources to secure their electronic communication with consumers, most of whom lack the relevant expertise.

eZNACZEK is a solution that allows, among others, financial institutions, telecoms, courier companies and other entities communicating with customers to enhance the security of mass electronic correspondence. With it, these companies can offer their customers security and comfort in e-mail correspondence.

WHEN IS SIM-SWAP FRAUD OVER?

When you notice that your phone has suddenly gone silent and lost network access, and you are not at that moment relaxing on a beach in Zanzibar, you should immediately take decisive action and contact your telecom operator. Contacting your bank will not hurt either. Why? It cannot be ruled out that you have just become a victim of SIM-swap fraud, a scam named after the unauthorized access it gives to a duplicate SIM card. A duplicate of your SIM card.

For the attack to take place, criminals need your phone number, some personal details and the name of the bank where you hold your account. Such a set of data is not hard to obtain: some of it is public, for example in the Ministry of Finance's so-called "white list", and we may also hand it to the fraudster ourselves as a result of a phishing attack. The only thing still missing is a forged identity document with your data. Despite criminal penalties, it remains easy for someone who wants one to obtain a so-called "collector's ID" bearing your details and the fraudster's photo.

With the complete set of information, the fraudsters ask the operator for a duplicate of your SIM card and then use the duplicate to receive the SMS codes that authorize transfers out of your bank account. In this type of attack time is critical, so act quickly so that the worst case, money leaving your account, does not happen.

Is there a way to protect yourself from this type of attack? Protect your data, especially your electronic-banking login details, and never share them with anyone. Where your bank offers it, prefer a transaction-authorization method that is not tied to your SIM card, such as an authenticator app. It is also worth knowing in advance how to contact your bank and your telecom when such a "failure" occurs, so that you are not looking for the numbers while the attack is in progress.

eZNACZEK is a solution that adds a further layer of protection to your electronic communication, reducing the risk of falling victim to phishing. eZNACZEK also gives the operator's showroom or the bank branch an additional way to verify the customer's identity.

If you want to reduce the risk described above, ask your service providers (bank, telecom, utilities, etc.) to additionally secure the messages they send you and to let you additionally authorize yourself with an eZNACZEK at the point of sale.

DEADLY ATTACHMENTS

90% of malware reaches its victims as an e-mail attachment and, given a moment's inattention, can destroy our data and cost us money. Add to that the estimate that 90% of successful attacks involve a human error, and you have the recipe for a fraud scenario.

The virus scanners that check our e-mail are not effective enough to catch every message carrying an infected attachment. Our vigilance drops when an attachment arrives in a familiar format produced by business applications or compression tools, while we are more careful when asked to run an executable file such as an .exe.

With popular office application files we do not always remember that they can contain macros. If, after opening such a file, the program asks whether to enable macros, a red light should go on in our head unless we are 100% sure where the message came from. Agreeing may run a script that downloads and installs malicious software.

In the case of compressed archives, i.e. the popular ZIP, RAR, 7-Zip and others, unpacking by itself is usually harmless; the malware runs when we open the file extracted from the archive. Archives are popular with attackers precisely because their contents, especially when the archive is password-protected, are not inspected by many mail scanners.

Each of the above file types can also be merely imitated: the attachment may in fact be a hidden .exe file under a different name. You may receive an unexpected invoice that appears to be a PDF, whereas its full name, which you may not notice, is for example "Invoice_25 / 04.pdf.exe". Windows hides known file extensions by default, so such a file is shown simply as "Invoice_25 / 04.pdf". After downloading and opening an attachment that looks like a "regular" PDF, your device is infected with malware.
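To make the three attachment cases above concrete, here is an added Python example written for this article (it is not eZNACZEK code and not a replacement for a mail gateway) that triages an attachment by its name and by its first bytes rather than by its icon. It flags a double extension such as the invoice above, a right-to-left override character that hides the real extension, content that does not match the claimed extension, an Office package that carries a VBA macro project regardless of what the file is called, password-protected archives that scanners cannot look into, and executables inside archives. The extension and magic-number tables are a small illustrative subset, and every sample attachment is constructed in memory.

```python
"""Triage an e-mail attachment by its name *and* its content.

Added illustration for this article; not eZNACZEK code. Extension lists and
magic numbers are an illustrative subset; all samples are constructed inline.
"""
from __future__ import annotations
import io
import zipfile

# Extensions Windows executes on double-click (illustrative subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "wsf", "hta", "msi", "lnk"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}

# What the first bytes say the file really is.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),                 # PE/DOS header (.exe, .scr, .dll ...)
    (b"PK\x03\x04", "zip"),         # plain zip and OOXML (docx/xlsx/pptx)
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy .doc/.xls, can carry VBA
]
# Content a given extension is expected to have.
EXPECTED = {"pdf": {"pdf"}, "docx": {"zip"}, "docm": {"zip"}, "xlsx": {"zip"},
            "zip": {"zip"}, "doc": {"ole"}, "xls": {"ole"}, "exe": {"exe"},
            "rar": {"rar"}, "7z": {"7z"}}

RLO = "\u202e"  # Right-to-Left Override: 'Report\u202efdp.exe' displays as 'Reportexe.pdf'

def sniff(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def extensions(filename: str) -> list[str]:
    """All extensions, lower-cased, RLO removed: 'a.pdf.exe' -> ['pdf', 'exe']."""
    return [e.lower() for e in filename.replace(RLO, "").split(".")[1:]]

def inspect_zip(data: bytes) -> list[str]:
    out = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip signature but archive unreadable"]
    names = zf.namelist()
    # OOXML keeps the macro project in word/vbaProject.bin (xl/, ppt/ likewise),
    # whether the file is called .docm or was renamed to .docx.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        out.append("Office document contains a VBA macro project")
    # Bit 0 of the general-purpose flag marks an encrypted entry: a gateway
    # cannot scan it, and the password usually sits in the mail body.
    if any(zi.flag_bits & 0x1 for zi in zf.infolist()):
        out.append("password-protected archive, contents not scannable")
    for n in names:
        exts = extensions(n.rsplit("/", 1)[-1])
        if exts and exts[-1] in EXECUTABLE_EXTS:
            out.append(f"archive contains an executable: {n}")
    return out

def triage(filename: str, data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if RLO in filename:
        findings.append(f"right-to-left override in filename, true extension .{last}")
    if len(exts) >= 2 and last in EXECUTABLE_EXTS:
        findings.append(f"double extension: shown as .{exts[-2]}, runs as .{last}")
    kind = sniff(data)
    if last in EXPECTED and kind not in EXPECTED[last]:
        findings.append(f"name says .{last} but content is {kind}")
    if kind == "zip":
        findings.extend(inspect_zip(data))
    if last in MACRO_EXTS:
        findings.append(f"macro-enabled Office format .{last}")
    return findings

def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a fake PE stub, a PDF header, toy OOXML packages.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
VBA_PACKAGE = make_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"})
SAMPLES = [
    ("Invoice_25 / 04.pdf.exe", PE_STUB),
    ("invoice.pdf", b"%PDF-1.7\n%%EOF\n"),
    ("invoice.pdf", PE_STUB),
    ("Report\u202efdp.exe", PE_STUB),
    ("quarterly.docm", VBA_PACKAGE),
    ("quarterly.docx", VBA_PACKAGE),
    ("scans.zip", make_zip({"scan 1.pdf.exe": PE_STUB, "readme.txt": b"open me"})),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name.replace(RLO, "<RLO>"), "->", triage(name, data) or ["ok"])
```

The content check matters more than the name check: a renamed .docm still contains word/vbaProject.bin, and a PE file still starts with MZ whatever it is called. A real gateway would also look inside nested archives and at legacy OLE files, which this example only labels.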

PDF files hide another threat that most of us are not aware of. A PDF is built in layers (content can be stacked, and new versions of objects can be appended to the file without removing the old ones), so criminals can manipulate the layer we actually see. In one scam exploiting this feature, we electronically sign a PDF document whose real content differs from what we saw at the moment of signing. There are three ways of manipulating the content of such a document: hiding a layer, replacing it with a modified version, or both at once (hide and replace).
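The manipulations above rely on the PDF feature called incremental update: new versions of objects are appended after the original file and its %%EOF marker, so a reader displays the newest version while a signature still validates over the original bytes. The added Python example below, written for this article and not part of eZNACZEK or of any PDF library, shows the first check a verifier should make: whether the signed /ByteRange still reaches the end of the file. The toy PDFs are constructed by hand with a dummy /Contents value and without a real cross-reference table, and the CMS signature itself is not verified.

```python
"""Does a signed PDF's signature still cover the whole file?

Added illustration for this article; not eZNACZEK code and not a signature
validator: it does not check the CMS signature in /Contents (the dummy below
is all zeros), only whether bytes were appended after the signed range,
which is how an incremental update changes what the reader sees. The toy
PDFs are constructed by hand and omit a real xref table.
"""
from __future__ import annotations
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_ranges(pdf: bytes) -> list[tuple[int, int, int, int]]:
    """Every /ByteRange [a b c d]: bytes a..a+b and c..c+d are covered by the signature."""
    return [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]

def bytes_after_signature(pdf: bytes) -> int:
    """0: the last signature covers the file to its end.
    >0: that many bytes were appended after signing (an incremental update);
        a viewer must not present them as part of what was signed."""
    ranges = signed_ranges(pdf)
    if not ranges:
        raise ValueError("no /ByteRange found: document is not signed")
    return len(pdf) - max(c + d for (_, _, c, d) in ranges)

def revisions(pdf: bytes) -> int:
    """Each saved revision (original + every incremental update) ends with %%EOF."""
    return len(re.findall(rb"%%EOF", pdf))

def build_signed_pdf(visible_text: bytes) -> bytes:
    """Constructed toy PDF whose /ByteRange is consistent with the file.
    Fixed-width %010d fields keep the offsets stable while we compute them
    (the leading %% is the escaped percent sign of the PDF header)."""
    template = (b"%%PDF-1.7\n"
                b"1 0 obj << /Type /Catalog >> endobj\n"
                b"2 0 obj << /Text (" + visible_text + b") >> endobj\n"
                b"3 0 obj << /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents ")
    contents = b"<" + b"00" * 32 + b">"          # placeholder for the CMS blob
    tail = b" >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    a = len(template % (0, 0, 0))                  # the hex string starts here
    b = a + len(contents)                          # the second signed range starts here
    return (template % (a, b, len(tail))) + contents + tail

def append_update(pdf: bytes, new_text: bytes) -> bytes:
    """Incremental update: a new object 2 and a new trailer appended after %%EOF.
    Nothing inside the signed range changes, yet a reader shows the new text."""
    return pdf + (b"2 0 obj << /Text (" + new_text + b") >> endobj\n"
                  b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n")

if __name__ == "__main__":
    signed = build_signed_pdf(b"Transfer 100 PLN")
    print("signed:   trailing bytes =", bytes_after_signature(signed),
          "revisions =", revisions(signed))
    tampered = append_update(signed, b"Transfer 100000 PLN")
    print("tampered: trailing bytes =", bytes_after_signature(tampered),
          "revisions =", revisions(tampered))
```

A non-zero result does not by itself prove fraud, because legitimate workflows (a second signature, a filled form field) also append updates; it does mean the viewer must show the signed revision separately from the current one and explain what the appended bytes change, which is exactly what the manipulated documents above count on viewers not doing.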

As the list above shows, our e-mail correspondence is not secure, and even when we are careful we may become the next victim, because fraudsters keep inventing new methods of attack.

Therefore, it is worth using additional solutions that increase the security of electronic communication. eMARKER (eZNACZEK in Poland) is a solution that makes the sender of a message credible and lets you trust its content. With eMARKER, the dilemmas described above about popular file types may become a thing of the past. eMARKER should soon become a good market standard for security, distinguishing the messages we receive from trusted sources.

GODFATHERS OF THE CYBER CRIME

In the real world the mafia is ruled with an iron hand by godfathers. In the world of cybercrime those godfathers are Phishing and Vishing. Scoundrels like few others. No one can match the reach and scale at which they operate. Malware and Ransomware are their ruthless soldiers, blindly following orders. On the bosses' command they strike wherever they can. Without the consent of Phishing and Vishing, most digital crimes could not succeed. So why, knowing who the most powerful figures in the cybercrime world are, have we still not managed to curb their influence? Is it because we know who mostly falls victim to them? But let us take it step by step.

Each of us is the greatest asset, the most valuable asset, of companies, corporations and institutions. Yes, we, their customers, are their key asset. At least that is what they tell us when advertising their products and services. But is that really the truth? We use utilities (gas, electricity, water, television, internet, telephony), services provided by institutions (banks, insurance companies) and corporations (postal and courier services), and offices (patent office, tax office, social security office, etc.). We sign contracts. We undertake to perform our obligations with due diligence. We pay for the services and goods we buy. That is our responsibility as customers, isn't it? If we fail to comply with the contracts we are party to, we face sanctions of various kinds, which take up most of the text of those contracts. The tariffs of fees and commissions are likewise not constructed in our favour. We pay for goods and services on the basis of the invoices and bills we receive.

What are we to do when Phishing and Vishing imitate our supplier? Why are we still held responsible when our supplier has let Phishing and Vishing deceive us? Do suppliers protect us against Phishing's and Vishing's attacks, and how? Mostly they run social awareness campaigns and post warnings on their websites. Great. We can feel safe right away. The ineffectiveness of these measures is such that it is hardly surprising that, according to research conducted at the Warsaw School of Economics, only 4% of bank customers read the warnings posted on banking websites.

Campaigns and warnings suggest that to verify the sender of a message it is enough to carefully check the address it came from (we know this "security measure" is easy to get around), or to check whether the data (e.g. personal details) in the attached invoice really concern us and whether the attachment is in the "safe" PDF format. Or we are simply told to click the link in the message to log in on the supplier's website. Are these really all the security measures available to protect us? Unfortunately, following the above advice may in many cases bring us something we did not expect. We get cheated. We are misled by Phishing and Vishing.
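The "check the address letter by letter" advice, both in the opening section of this page and in the paragraph above, is easy to get wrong by hand. The following Python script is an added example written for this article (not eZNACZEK/eMARKER code, and not a description of how that product works) that applies the check mechanically: it separates the display name from the real address, folds the domain to lower case as DNS does, and compares the result against a hypothetical list of trusted domains, flagging display-name spoofing, internationalised lookalikes, a trusted name embedded in a longer domain, and confusable characters such as a capital I standing in for a lowercase l. The trusted domains and the sample headers are constructed for the example.

```python
"""Classify the sender domain of a From: header against trusted domains.

Added illustration for this article; not eZNACZEK/eMARKER code. The trusted
domains and sample headers are constructed, and the From: parsing is
deliberately simplified (no comments, no quoted-pair escapes).
"""
from __future__ import annotations
import re
import unicodedata

# Hypothetical domains the customer has verified out-of-band.
TRUSTED_DOMAINS = {"bank.example", "courier.example"}

# Confusables applied to the header *as displayed*, before DNS case folding:
# "paypaI" (capital I) resolves as "paypai" but is read as "paypal".
DISPLAY_CONFUSABLES = [("I", "l")]
# Confusables applied after lower-casing. Illustrative subset; a real tool
# would use Unicode TR39 confusable skeletons.
LOWER_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                     ("1", "l"), ("0", "o"), ("5", "s"), ("|", "l")]

def skeleton(label: str) -> str:
    """Reduce a domain to how it *looks*: 'bänk.examp1e' -> 'bank.example'."""
    for src, dst in DISPLAY_CONFUSABLES:
        label = label.replace(src, dst)
    # Strip diacritics (NFKD, then drop combining marks), then fold case.
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c)).lower()
    for src, dst in LOWER_CONFUSABLES:
        label = label.replace(src, dst)
    return label

_FROM_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")

def split_from(header: str) -> tuple[str, str]:
    """Simplified From: parsing: ('Display Name', 'addr@domain')."""
    m = _FROM_RE.match(header)
    if m:
        return m.group("name").strip('" '), m.group("addr").strip()
    return "", header.strip()

def classify_sender(header: str) -> str:
    """One of: trusted, trusted-subdomain, display-name-spoof, idn-lookalike,
    embedded-lookalike, confusable-lookalike, unknown."""
    name, addr = split_from(header)
    if "@" not in addr:
        return "unknown"
    shown_domain = addr.rsplit("@", 1)[1]
    domain = shown_domain.lower()            # DNS names are case-insensitive
    # A display name that itself looks like an address while the real
    # addr-spec points elsewhere: most mail clients show only the name.
    if "@" in name and name.lower().rsplit("@", 1)[1] != domain:
        return "display-name-spoof"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted-subdomain"           # still worth confirming it is theirs
    # Internationalised domain: non-ASCII text or already-encoded xn-- labels.
    if not domain.isascii() or any(l.startswith("xn--") for l in domain.split(".")):
        return "idn-lookalike"
    # The trusted name used as a prefix or middle part of an unrelated domain.
    if any(("." + t + ".") in ("." + domain) for t in TRUSTED_DOMAINS):
        return "embedded-lookalike"
    # Character-level lookalike of a trusted domain.
    if any(skeleton(shown_domain) == skeleton(t) for t in TRUSTED_DOMAINS):
        return "confusable-lookalike"
    return "unknown"

# Constructed sample headers (not real mail).
SAMPLES = [
    "Bank Example <alerts@bank.example>",
    "Bank Example <alerts@Bank.Example>",
    "Bank Example <alerts@mail.bank.example>",
    "alerts@bank.example <attacker@evil.example>",
    "Bank Example <alerts@bank.examp1e>",
    "Bank Example <alerts@bank.exampIe>",
    "Bank Example <alerts@bank.example.verify-login.example>",
    "Bank Example <alerts@b\u00e4nk.example>",
    "someone@unrelated.example",
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(f"{classify_sender(hdr):22} {hdr}")
```

Even a perfect classifier of the visible address only tells you what the sender claimed; whether the mail actually came from that domain is decided by SPF, DKIM and DMARC results on the receiving server, which is why the page argues that the burden should not sit with the customer's eyes.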

Phishing knows how to do this. So are these the only possible guidelines for validating a message? We often hear that they are effective. Then why do our suppliers run internal cybersecurity training for their employees? Not that we object to them training their own staff; they deserve praise for it. But the question arises whether the employees of our esteemed suppliers are unable to understand the message that is also addressed to us, the customers. Do they need special explanations and knowledge of defence methods against cyber attacks? Is there really any logic between social campaigns aimed at the masses and the special measures suppliers take for their own employees? Unfortunately, this is not about logic but about the fact that the actions suppliers take are mostly aimed at securing their own organizations. And Phishing and Vishing know very well how our suppliers secure us, which is why we may still lose our data, savings, dreams and memories (photos, videos). Yes, it is mostly the individual customers of companies, corporations, institutions and offices who are the anonymous victims of Phishing's and Vishing's attacks.

Is this how things have to be? Or is it time to apply new solutions that improve our chances in the fight against Phishing and Vishing? Wouldn't it be safer if each of us received messages from suppliers containing a personalized eMARKER known only to that one customer? There would be as many eMARKERs as there are customers of a given supplier. Could Phishing guess our eMARKERs? Wouldn't it be safer if a consultant's phone call were announced in advance by a message stating the intention to call, itself secured with an eMARKER? Could Vishing find all the eMARKERs?

Would eMARKER, used and personalized by each of us to secure communication with our suppliers of goods and services, defeat Phishing and Vishing? We will be able to find out when, in accordance with the planned NIS2 EU directive, the entities it lists are required to apply appropriate security measures to protect communication with us. Most likely our suppliers will have until the end of 2022 to implement measures that comply with the provisions of NIS2. Should we wait that long? Perhaps not, if one of your suppliers defeats the cybercriminals with eMARKER and offers you greater security of electronic communication, so that no one has to tell us again that "you shouldn't have clicked that link or file, you should have hung up".

KPMG: More companies targeted by cybercriminals during the pandemic

As KPMG reports, more than half of the surveyed companies believe that the COVID-19 pandemic increased the risk of cyber attacks. According to the same research by the company's experts, the pandemic also made companies aware of the need for improvements in crisis management and business continuity. Details at the link on the website cyberdefence24.pl
