News

The latest news from Anson Evaluate

by Laura Spencer

What is Anson Evaluate?

Award-Winning Business Services:

  • We make the complex simple.
  • We create long-term solutions rather than short-term fixes.
  • We never provide “tick box” or “binder on shelves” services that do not provide any true value to a business.

Data Protection:

  • Audits/Assessments: These are required to ensure business compliance with data protection regulations, as we provide an independent and comprehensive service that includes a “road map” for any improvements or changes. This makes it easy and straightforward for our clients to understand and manage their risks in a way that fits how they work, not how we decide that they should.
  • Data Protection Officer (“DPO”): Everything from fully outsourced DPO services to one-off advice on a tricky matter or support for an in-house DPO. The service is tailored to your needs, not pre-determined tiers we could invent.

Tools:

Cyber Security Technology:

  • Accessibility: We strive to make complex concepts and issues understandable to everyone. We remove the highly technical jargon and use straightforward analogies and visuals (like a Rubik’s Cube or a physio ball!) to demystify the most mystifying concepts, such as AI, crypto-currency, blockchain, and smart contracts.
  • Readiness Exercises: Anything from full war-game scenarios to higher-level tabletop exercises. We create the exercises to meet your business needs and environment.
  • Expert Advice: Are you using the right software or technology service provider? Which service providers are best for you? We answer these questions and more, with expertise honed by decades of experience and continuous research.

Our Motto:

“If we can’t help, we will find you someone who can.”

Promises:

We will not pay to speak at conferences in order to sell you our services, to write articles to convince you that we are experts, or to buy a table at an awards dinner to increase our chances of winning. We believe in our expertise and our worth, and we have earned our spots on stages, pages, and the awards that we are very proud of.

We will never recommend a product unless we truly believe it is a good product based on our own vetting. Although we usually turn down referral fee arrangements, even with companies we trust and recommend, we will always tell you if we are getting paid by a company that we recommend.

We believe in ourselves and our expertise, and we believe these promises will help you trust and believe in us too.

by Laura Spencer

USING WHATSAPP FOR BUSINESS PURPOSES? YOU REALLY SHOULDN’T BE…

The Information Commissioner’s Office (‘ICO’) has called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps. This comes after the announcement, earlier this year, of an enquiry into the messaging systems used by government throughout the pandemic. The ICO report details a yearlong investigation, launched in 2021 by Commissioner Elizabeth Denham, into the use of these channels by Ministers and officials at the Department of Health and Social Care (‘DHSC’) during the pandemic.

The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies – such as WhatsApp – had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled.

Action Taken:

  • The ICO has now issued DHSC with a practice recommendation ordering the department to improve its management of FOI requests and address inconsistencies in its existing FOI guidance. This will ensure FOI requests are better managed, particularly in relation to any material created or contained in personal accounts.
  • A reprimand has also been issued.
  • To make sure wider lessons are learnt, the ICO is also calling for the government to set up a separate review into the use of these channels and how the benefits of new technologies, including private messaging services, can be realised whilst ensuring data protection and transparency requirements are met.

This is a particularly important story when we think about WhatsApp. Regular listeners of our podcast and readers of our newsletter will know that at Digital Law we regularly mention WhatsApp and the dangers of using the platform for business-related purposes. This year alone we have discussed multiple stories, including one from the MOD instructing service personnel to use alternative messaging apps such as Signal because of concerns over WhatsApp’s security. This is because, while the app is ‘encrypted’, its messages are stored in the cloud, which makes them more accessible to hackers. Alternative messaging apps such as Signal are more secure because no messages are stored in the cloud; they are stored on the device itself, so effectively the only way to get at the messages would be to take the device.

Finally, for the avoidance of all doubt, this is not a new policy: you should not be using WhatsApp for business purposes, especially in highly regulated sectors such as law, finance and government. This particular case, relating to government, really highlights why using unsecure platforms can be a real problem for a regulated sector. It also highlights the stance the ICO is likely to take if you, as an organisation, suffer a breach while using WhatsApp or similar messaging platforms such as Telegram.

For more information as well as advice and guidance, please do not hesitate to contact us at admin@ansonevaluate.com.

by Laura Spencer

GDPR v PECR: The ICO Multi-Million Pound Enforcement

Since May 2021, the Information Commissioner’s Office (‘ICO’) has issued 37 fines, totalling £3.04 million, to companies for nuisance calls and messages.

These fines fall under the Privacy and Electronic Communications Regulations (‘PECR’) and not the General Data Protection Regulation (‘GDPR’). This is an important distinction when we are thinking about ICO fines, because the ICO typically focuses on PECR fines over GDPR fines. Given the number and size of the fines handed out, the figures suggest that it is mainly mid-tier SME businesses that have been subject to them.

The UK government, in its proposal for the new Data Reform Bill, has proposed an increase in fines for organisations that breach PECR, with the aim of preventing companies from contacting people for marketing purposes without consent. It proposes that the ICO’s power to fine companies will increase from the current maximum of £500,000 to up to four per cent of global turnover or £17.5 million, whichever is greater.

Why is this important?

If you are a business that regularly calls customers and potential customers, you may want to consider your marketing strategy and how it may be affected by the change. This is also a testament to the increased powers the ICO will have under the proposed new legislation.

As it stands, the ICO can only penalise organisations for calls that are answered; however, the legislation outlined in the Data Reform Bill will allow it to take action over high volumes of unanswered calls. A key point to mention here is that these calls do need to be reported before the ICO can take action. Therefore, while the fine increase is a step in the right direction, arguably it does not do enough to protect consumers.

by Laura Spencer

CONTENTIOUS COOKIES: IS THE UK BREAKING AWAY FROM THE MOLD?

General Data Protection Regulation (‘GDPR’) and Privacy and Electronic Communications Regulations 2003 (‘PECR’)

The UK had to follow rigid guidelines in relation to data protection and electronic communications regulation as a result of being an EU member. However, now that the UK has left the EU, the government is trying to move away from EU standards and ‘cut the red tape’ for organisations and businesses, changing the laws and regulations around data in order for businesses to prosper.

Current Regulation:

Under the current legislation, cookies are not allowed to be placed on a device without the consent of the user. There are currently only two limited exceptions from gaining consent. These are:

  1. for purposes that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking); or
  2. where needed to transmit a communication over a communications network.

Consent is usually sought through a pop-up notice or banner which appears when a person visits a website. However, as you are no doubt aware, most of the time when a cookie consent banner pops up, you click the accept button without taking the time to read the terms. In trying to change these regulations, the UK aims to ensure that the ‘tick box’ attitude is changed so that users are more aware, in practice, of how their personal data is being used.

Proposed Changes:

The government intends to remove the need for websites to display cookie banners to UK users. This would see the government allowing cookies to be installed on a user’s device without explicit consent (for non-intrusive purposes). Moving forward, the government would operate an opt-out model of consent for cookies. This would mean cookies could be set without seeking a user’s consent; however, the website must give the user clear information on how to opt out. Objectively, this would achieve a more hands-on approach, breaking away from the ‘tick box’ consent that we are using currently.

How could this affect my business?

As a business, this may mean that you will no longer have to display a cookie banner on your website, which in turn may provide a smoother and more enjoyable experience for your users. However, this is a change that the UK is considering and therefore it does not apply to other countries’ regulations. It may still be necessary for you to display such banners if you plan on operating outside of the UK. That said, the EU is also consulting on plans to make changes to cookies and the consent surrounding them; however, any such changes are unclear at the moment.

So what?

As it stands, the UK has been granted data adequacy by the European Commission. This means that personal data can travel freely (as it did before Brexit) between countries in the EEA and the UK. Without adequacy, carrying out business and trade by UK businesses with customers outside of the UK would be very difficult. Therefore, when the proposed changes are made, the UK will need to keep the EU ‘on side’ in order to retain this adequacy decision. If any drastic changes are made, the EU may revoke the decision.

by Laura Spencer

Continuing Professional Development (“CPD”) Webinars

Anson Evaluate is back with a brand new series of premium Continuing Professional Development (“CPD”) webinars.

These webinars are available and suitable for all and will be focused on the following subject areas:

  1. Cyber security, including ransomware, targeted cyber fraud, cyber breach response and best defences.
  2. Data Protection, including data protection in the UK post Brexit, analysis of data protection enforcement by regulators, international data transfers, Data Protection Impact Assessments (“DPIA”) and data subject rights.
  3. Digital Economy, including libel, business promotion, Digital Technology Market Regulation as well as Blockchain, Cryptocurrency and NFTs.

Heather Anson, Anson Evaluate’s managing director, will be working with Digital Law’s managing director Peter Wright to deliver these webinars to you in 3 rounds, beginning on 5th May 2022.

Pricing:

£45 per webinar (per organisation).

Discounted prices are available for those who purchase the full round of webinars, for example all 4 Cyber Security webinars (Ransomware, Targeted Cyber Fraud, Cyber Breach Response and the Best Defence).

  • For each full webinar round: £145.
  • For all 3 webinar rounds (12 singular webinars): £395.

Please note that the full courses are not available for purchase directly through the platform; therefore, if you would like to purchase a full round or all 3 rounds, please email Events@AnsonEvaluate.com for more information.

Registration for each webinar is listed below its respective title and description.
For more information and to register your interest, email us at Events@AnsonEvaluate.com

Round 1 – Cyber Security (total of 4 webinars)

Webinar 1: Ransomware (5th May 2022)

The first recorded example of ransomware was in the late 1980s, which proves that ransomware isn’t anything new. However, over the last 3 years alone there has been a drastic rise in the number of companies who have fallen victim to ransomware attacks. Not only have such attacks become more common, they have also become a lot more sophisticated, even since the commonly known WannaCry and NotPetya attacks back in 2017.

This webinar draws on real-life case studies as well as expert knowledge to improve your company’s response and defence mechanisms against such attacks. The webinar will also answer the following key questions:

  1. What are the drivers behind the growth in ransomware attacks?
  2. What should boards be doing to manage the risk from ransomware attacks?
  3. Should you feed the “beast” and pay the ransom?
  4. In the case of a ransomware breach response, what do you need to do and who do you need to notify?
  5. What counter measures and proposals have been put forward by governments and legislators around the world?

Webinar 2: Targeted Cyber Fraud (12th May 2022)

According to official statistics from the National Cyber Security Centre (“NCSC”) in their 2021 Cyber Security Breaches Survey, the most common attacks by far are those commonly known as phishing attacks, followed by impersonation. Both of these attacks fit into the targeted cyber fraud category.

As well as referring to real-life case studies of companies/firms like yours that have been the target of such attacks, this webinar will focus on the following:

  • The different modes of attack including email, SMS, instant messaging and social media.
  • How to spot a potentially fraudulent communication.
  • What to do if the worst happens, including law enforcement and notification.
  • The best methods of defence.

Webinar 3: Cyber Breach Response (19th May 2022)

The previous 2 webinars in this cyber security series have focused on the impact cyber security attacks can have as well as preventative measures that can be implemented to avoid such attacks being successful. However, this webinar will focus on your response should the worst case scenario occur and will cover the following key points:

  • Case studies, including examples of some of the best and worst cyber breach responses.
  • What needs to be in your breach response plan.
  • Testing and simulation of your breach response plan.
  • When a cyber breach should be communicated and who with, for example, internal comms, customers, clients and wider PR.
  • Cyber liability and insurance.
  • Working with law enforcement.
  • Legal and regulatory risks and responsibilities.

Webinar 4: Best Defence (26th May 2022)

Having technical security measures and systems in place, as well as staff awareness and training, are some of the best defence measures against any cyber security attack. This webinar will look at real-life case studies of companies that have managed to limit the impact of such attacks through the strategies they have implemented, whilst also covering the following key points:

  • Cyber policies, procedures and internal governance.
  • Identifying risks and pinch points.
  • The risks associated with remote working and working from home.
  • Technical security measures and systems that can be implemented to reduce risk.
  • Insurance.
  • War games.
  • Training and assessment.

Round 2 – Data Protection (total of 4 webinars)

Webinar 1: Data Protection Regulation in the UK Post Brexit (Date TBC)

The General Data Protection Regulation (“GDPR”) is incorporated into UK law by the UK Data Protection Act 2018 (“DPA’18”). Consequently, the principles of GDPR still apply in the UK despite the UK’s departure from the European Union (“EU”) at the very end of 2020. This means that compliance with data protection hasn’t really changed since Brexit except for when it comes to data sharing and data transfers to and from the EU. This webinar will first summarise the UK GDPR and DPA’18, including discussing its key principles, before moving on to covering the following points:

  • The EU-UK Data Adequacy Decision from the European Commissioner.
  • The role of the Information Commissioner’s Office (“ICO”) in the regulation and enforcement of data protection in the UK.
  • An introduction to Codes of Conduct.
  • The UK Department for Culture, Media and Sport consultation “Data: a new direction” and the UK National Data Strategy.

Webinar 2: International Data Transfers – EU, US and the rest of the world (Date TBC)

Webinar 1 focuses on data transfers to and from the EU since Brexit. However, this webinar goes beyond this, discussing both transfers to and from the UK as well as the rest of the world. Therefore, this webinar will cover the following key points:

  • The implications Brexit has had on data transfers, including the EU-UK Data Adequacy decision from the European Commissioner.
  • Schrems II decision and the implications it had on the EU-US Privacy Shield.
  • An introduction to Data Transfer Agreements, including how and when they should be used, as well as what they need to contain.
  • An overview of Standard Contractual Clauses (“SCCs”), Binding Corporate Rules (“BCRs”) and Codes of Conduct.

Webinar 3: What goes into a Data Protection Impact Assessment (“DPIA”)? (Date TBC)

DPIAs are an important part of risk assessment and analysis when it comes to launching a new business venture or simply carrying out a new processing activity. This webinar will not only discuss what a DPIA is and when it should be carried out, it will go into detail about the different topic areas that should be included in a DPIA.

The key points this webinar will cover are as follows:

  • When a DPIA should be carried out.
  • What a DPIA should include.
  • The purposes of and reasons for carrying out a DPIA, including discovery and assessment, and identifying and reducing risks.
  • Ownership and responsibility of the DPIA carried out as well as what to do with its recommendations.
  • Recommendations when it comes to the ongoing regular review and updating of your risk management system.

Webinar 4: Data Subject Rights (Date TBC)

Under the GDPR and DPA’18 all data subjects have a range of rights relating to the processing of their personal data. This webinar will look at each of these rights in turn before moving onto discussing how each of these rights should be responded to, including the following key points:

  • An overview of the 5 main rights a data subject has.
  • How to answer a Subject Access Request as well as the fair and reasonable use of exemptions.
  • How to ensure the right of rectification is performed correctly.
  • How to demonstrate the “right to be forgotten” in practice.
  • How and when to apply the right to data portability.
  • How to respond to a request for the restriction of processing.
  • Other rights regarding automated decision making including profiling.

Round 3 – Digital Economy (total of 4 webinars)

Webinar 1: Libel (Date TBC)

Where exactly do users stand with comments they make on social media? Cases over the last decade in the UK suggest that you are not free to say absolutely anything you like. While some users fall foul of the Terms of Service operated by social media companies and find their accounts blocked, some litigants with deep pockets have taken those who made comments they felt were libellous to court, and in many instances have won. Consequently, it is important to think carefully before posting a tweet or making a comment on Facebook, but evidence suggests that this message is still not filtering through to the majority of users. This webinar will explore the law as it stands with reference to leading cases and key legislation, as well as posts that have featured in cases before the employment tribunal.

  • Examples of libel cases, including Arlene Foster and Christian Jessen.
  • How did we get here? – the landmark case of Lord McAlpine of West Green v Sally Bercow.
  • Posts and the police – Offences under The Communications Act.
  • Examples of social media posts ending up in the employment tribunal.

Webinar 2: Business Promotion (Date TBC)

Marketing through social media remains the cheapest and easiest way to target potential customers in volume and has become a valuable promotional tool for many businesses. However, the potential legalities surrounding its use are significantly more complex than those of more traditional forms of marketing, which used to involve advertising agencies, newspapers and TV. Cutting out the middle-man advertising agent means that a business may run an advert or sponsored post that could fall foul of anything from advertising standards regulation to basic copyright law. This webinar will explore examples of businesses that got it wrong, and in some cases destroyed their reputations through social media posts that went wrong, as well as some of the problems that can arise when high-profile celebrities recommend a product or service.

  • Social media business pages, content and ownership.
  • Preserving digital copyright.
  • Handling online customer reviews and ratings.
  • Disputes with social media platforms.
  • Celebrity product use and endorsements.

Webinar 3: Digital Technology Market Regulation (Date TBC)

  • EU Digital Markets Act (“DMA”)
  • EU Digital Services Act (“DSA”)
  • Regulation and Enforcement under DMA & DSA in EU member states
  • UK Digital Technology Market Regulation – Competition and Markets Authority (“CMA”)

Webinar 4: Blockchain, Cryptocurrency, NFTs (Date TBC)

  • What is Blockchain?
  • Definition of a Cryptocurrency
  • Cryptocurrency Regulation
  • Non-Fungible Tokens

Meet the Speakers!

Dr. Heather Anson

Heather is Managing Director of Anson Evaluate Ltd, a specialist Regulatory Compliance and Training Provider in the UK. Anson Evaluate provides a range of compliance services including assessments and training. She believes in training as a key to compliance and provides this service through a variety of in-person training seminars, webinars, online e-learning courses and podcasts. Her company’s clients include a wide range of corporations, which she advises on regulatory matters across multiple jurisdictions in Europe, the United States, the Middle East, China and Malaysia. Heather is also a specialist Consultant for the niche law firm Digital Law UK.

Peter Wright

Peter is a solicitor and leading expert in Data Protection, Cyber Security Regulation and Social Media Law. As Managing Director of Digital Law, he has been advising clients across the UK, US, Europe, the Middle East and Asia for over a decade. He is the former Chair of the GDPR Working Group of the Law Society of England and Wales and is also a former Chair of the Technology and Law Committee of the Law Society. He is also author of the Law Society Cyber Security Toolkit and has co-authored a manual on practical GDPR compliance.

by Laura Spencer

Romance Fraud: A take on the ‘Tinder Swindler’

Starting with the basics, what is ‘romance fraud’?

According to Action Fraud (https://www.actionfraud.police.uk/a-z-of-fraud/dating-fraud) romance scams involve people being duped into sending money to criminals who go to great lengths to gain their trust and convince them that they are in a genuine relationship. They use language to manipulate, persuade and exploit so that requests for money do not raise alarm bells. These requests might be highly emotive, such as criminals claiming they need money for emergency medical care, or to pay for transport costs to visit the victim if they are overseas. Scammers will often build a relationship with their victims over time.

One of the best current examples of romance fraud is the hit Netflix documentary ‘The Tinder Swindler’. SPOILER ALERT!

In case you have not watched it, read about it, or simply have not seen any media outlets recently: The Tinder Swindler is about Shimon Hayute, aka Simon Leviev, who poses as a man of wealth and power. He seems able to corroborate this story, showing his victims himself and his family, who appear to own a diamond business. However, we learn that this is not his reality; the image has been photoshopped. The reality is that Shimon Hayute came from an impoverished background – he is wanted in both Finland and Israel, and possibly many other countries too, for fraud as well as other crimes.

The Swindler manipulated women using his wealth to impress them at first, taking them on lavish dates and flying them around the world. However, months in, suddenly there are ‘enemies’ after Simon and he encourages his victims to send vast sums of money in order to help protect him and in turn their relationship. This money was alleged to cover the fact that the ‘enemies’ could track the Swindler through his bank accounts and therefore in some cases the victims were asked to physically bring him large sums of money in cash.

It’s worth mentioning here that the victims had been sent pictures of both the Swindler and his bodyguard in the back of an ambulance, with graphic injuries sustained. The Swindler would send these images to his victims (the same images to multiple victims) to prove the danger he was in. It is interesting that he would build suspense by sending these images without any explanation for a number of minutes, in order to gaslight his victims and send them into panic. This therefore added credibility to the story that his ‘enemies’ had attacked him. It was a double-pronged attack too, in the sense that, because these ‘enemies’ were after him, he used it as an excuse to stay away from his victims for prolonged periods of time in order to keep them ‘safe’.

But why is this guy not in jail?

The Tinder Swindler had previously been in jail for 5 months, after being convicted of fraud in Israel. However, he was released early from his 18-month sentence.

In relation to the ‘crimes’ explored in the documentary, the trouble is that each of these victims gave the Tinder Swindler money of their own volition. They believed that they were giving him money in order to protect him and their relationship – all the Tinder Swindler did was lie. While this lie resulted in these women losing large sums of money, it could be argued that at no point did he commit a ‘crime’. It was all just a lie.

Unfortunately, therefore, the Swindler has not faced charges in relation to his ‘crimes’ filmed in the Netflix documentary. This may be because the Swindler was never in one country for very long; when it comes to carrying out an investigation, law enforcement does not have time to put a case together and establish the facts. Not to mention the fact that the Swindler is known to use false identities when travelling, which adds an additional level of complexity to the case. In times when departments receive very little funding, it is easier to understand why the Swindler has not been charged.

You will also notice, if you have watched the documentary, that the investigation carried out by the newspaper that ran the original story (https://www.vg.no/spesial/2019/tindersvindleren/english/) took months. When the Swindler is flitting from country to country it is distinctly harder to keep track of his movements. Not to mention the fact that in country hopping the Swindler will be operating in different jurisdictions.

From a digital law standpoint, the definition of fraud is not broad enough at this point to include cases such as the Tinder Swindler, despite the fact that these victims, who have taken out huge personal loans and lost vast amounts of money to this catfish, will have to pay the money back. While to an extent the Consumer Credit Act 1974 (see https://www.which.co.uk/consumer-rights/regulation/consumer-credit-act-ayvHZ8H0jVl8 for an explanation of how this Act aims to protect consumers) may apply to a small amount of the lost funds, it cannot be applied to the likes of the personal loans. Therefore victims, whether those involved in the documentary or other unknown victims, will be left with a serious amount of debt which they will need to pay.

Romance Fraud

Going back to our initial definition of ‘romance fraud’ from Action Fraud, you can clearly see here that the Swindler is gaining his victims’ trust through these lavish gestures to convince them that their relationship is real. This is why, when he then convinces his victims that he is in danger and by association they are too, it is easier for them to ignore the serious red flags. From an outsider looking in, it would seem obvious that this is a red flag. Who would give someone such a huge amount of money in order to stop some alleged ‘enemies’?

While this example is an extreme case of ‘romance fraud’, when a trusting relationship has been formed it is foreseeable that what may start as a small favour can then be built upon until criminals are ‘borrowing’ large sums of money.

In a report published by the UK’s National Cyber Security Centre (‘NCSC’), citing a recent report by TSB Bank, the average financial cost of romance fraud conducted through social media apps such as Facebook, Tinder and Plenty of Fish is estimated at £6,100 per victim. Whilst all age groups are susceptible to romance fraud, the average age of victims is 47, with women losing on average £6,300, compared to £4,600 for men.

The TSB report reveals alarming details of romance fraud cases, with the average ‘relationship’ seeing victims of romance fraud making payments for two months (62 days) – and with over a third of all cases starting on Facebook. Across the banking industry, romance fraud almost doubled during the pandemic with a recorded increase in losses of 91 percent compared to pre-pandemic levels – and an average loss of £6,100.

TSB have revealed the online platforms that accounted for the highest number of fraud cases where a source of origin was recorded; these are:

  • Facebook – where fake profiles led to over a third (35%) of all fraud cases.
  • This is followed by almost a quarter (24%) on Tinder, over a fifth (21%) on Plenty of Fish and almost one in 10 (9%) from com.
  • The following platforms all account for three percent of cases in which the platform was recorded: com; Bumble and Instagram.

While this article has explored what romance fraud is, arguably the most important takeaway here is how to spot and avoid romance fraud.

Tips for avoiding romance fraud:

(https://www.msn.com/en-gb/lifestyle/relationships/understanding-romance-fraud-and-how-to-avoid-it/ss-AAUbNPL#image=30)

  1. Be careful of what information you share online; scammers will often try to gather as much information about you as possible so they can build their arsenal. The more they know about you as a person, the easier it is for them to gain your trust and manipulate you.
  2. Don’t link to your other profiles: it’s probably safer not to link your dating apps to your social media profiles. Whatever information you provide on the app can be supplemented with that from your social media accounts.
  3. Be sparing with personal information: it’s a good idea not to provide your full name, date of birth, workplace, or any other information that could be used to find you online. Scammers may pretend to have shared interests or friends in common to gain your trust.
  4. Go slowly: when chatting with a new match on a dating app, don’t feel the need to tell them your life story straight away. They might ask you questions about where you work, live, or studied (certain answers might even help them guess your passwords).
  5. Background check: try searching the information they provide in their profile to see if it has been used elsewhere. For example, if you find the same name and job title with a different photo, that could mean they’ve stolen personal information and photos from different people to create a fake profile.
  6. Recognise the warning signs: a major red flag for romance scams (or even the less malicious but still dangerous catfishing) is that they make excuses not to meet up. There may be a long-lasting reason they can’t meet, or they frequently make excuses to cancel plans.
  7. NEVER send money: this might seem obvious, but never ever agree to send someone money or provide personal information like IDs or bank details for any reason. No matter how good the story is, you should never be asked to send money to someone you haven’t met.
  8. Speak to someone you trust: if you’ve developed a relationship with someone through a dating app but suspect that something is off, reach out to a loved one you know has your best interests at heart. It may help to see if they are concerned about your situation. A romance scammer will usually try to create an “us against the world” mentality with their victim. It’s ideal for them if you become isolated from friends and family, who are more likely to be able to point out inconsistencies and red flags because they aren’t caught up in the romance. It’s important to notice if a relationship with someone you’ve never met in person is getting in the way of your relationships with friends and family.

Online relationship tips: 

(https://www.hsbc.co.uk/help/security-centre/how-to-avoid-romance-scams/)

If several of the points below apply to an online relationship you’re in, it could be a sign that you’re actually dealing with a fraudster:

  1. They seem to have fallen in love with you rather quickly;
  2. They soon want to leave the dating site or app, to use instant messaging, email or text instead;
  3. They claim to be from the UK, but say they’re away working or travelling; and
  4. They plan a visit to see you, but something comes up at the last minute to prevent them from coming.

One of these points on its own may be innocent. But more than one, together with a request for money, can be a sign that it’s a romance scam.

While romance fraud is unfortunately growing in the UK, documentaries such as The Tinder Swindler shine a light on the dark side of online dating. Given the huge online reaction the documentary has provoked around the world, there may be hope for fraud victims looking to the future: using their stories, as the documentary does, to expose criminals such as Shimon Hayut and to open the eyes of the public and of governments can help protect others against romance fraud.

by Laura Spencer

Diary of a Fraud Victim: Lessons for Apple Pay Users

You may have seen the recent press coverage of people who have fallen victim to fraud; Ofcom’s recently published research found almost 45 million cases during summer 2021 alone!

You never think that it will be you. As someone who would like to think that they are well versed when it comes to spotting a phishing link, I was surprised to find pending transactions on my account for purchases that I had not made.

Ultimately there is the inevitable wave of panic: trying to rationalise what has happened, going back through my previous purchases just to check that there had not been a mistake, then going through my phone and checking the websites I had used, the emails I had received and my text messages.

It was here that I realised my mistake. I had received a text message from my mobile service provider, asking me to update my payment details. Typically, this type of message about changing payment information would raise red flags. However, this text came through in my previous, legitimate SMS chain, seemingly from the same number as my provider. Therefore, I clicked the link in the message and proceeded to resubmit my personal details. At the time, although I was cautious, the link seemed to work legitimately. Despite this, I set a reminder to call my provider on Monday morning in order to double check that the details had been received correctly.

Unfortunately, I had fallen for a scam…

If it were you, and you saw a message from your service provider asking for an update of information, in an SMS chain which had been used before, what would you do? Would you hesitate or stop to think whether the message was indeed genuinely from the provider?

When I received the ‘pending transaction’ alert from my banking app, I tried to report the pending transactions; however, it was still unclear what the next steps were. I then received a call from a ‘no caller ID’ number, which, naively, I answered. It sounded legitimate; they seemed to be telling me all of the things that I wanted to hear, but nonetheless I still couldn’t shake the feeling that I was being scammed for a second time. I eventually put the phone down mid-conversation in order to ring my bank directly, after researching online my bank’s guidelines for such situations.

The advice from the NCSC in such a situation is to: ‘Go back to something you can trust. Visit the official website, log in to your account, or phone their advertised phone number. Don’t use the links or contact details in the message you have been sent or given over the phone.’ (https://www.ncsc.gov.uk/guidance/suspicious-email-actions). This advice, published on the NCSC website, offers guidance to those affected by scam artists as well as acting as prevention.

Thankfully, when I called the number my bank advised for dealing with fraud, they had already flagged my account for some unknown purchases and were therefore aware of the situation prior to my call. The unexplained ‘no caller ID’ call is believed to have been from my bank; however, even they were unclear whether this had been the case, given the nature of the call and the messages that I had received seemingly from them.

The legitimate call with the bank helped me to arrange voice ID on my banking transactions to ensure that this did not happen again. They also transferred me to an additional line to speak to the right department in order to. I would encourage everyone to take the time to set up voice recognition with their bank to help prevent situations like this from happening.

After this, I was transferred to my bank’s fraud department, who took me through some basic questions such as:

  • When was YOUR last transaction and for how much?
  • Has anyone had access to your card or bank details? This could be a family member or a carer.
  • Are you still in possession of your card?
  • Do you use Apple Pay?
  • Which devices do you use Apple Pay on?

While many other questions were asked in order to gauge the situation, these were a few of the most memorable. What struck me as interesting was that the questions were asked about Apple Pay, a platform that, while popular, is typically very secure: ‘Apple Pay is a very secure way to make payments. This is because your card numbers are not stored on your device, and are never shared by Apple Pay, or sent with your payment. Instead, Apple Pay gives you a unique Device Account Number, that’s encrypted and stored in a secure part of your iPhone, iPad or Apple Watch. So, when you use Apple Pay, your Device Account Number and a specially created security code are used to process your payment.’ (https://www.barclaycard.co.uk/personal/help/contactless-payments/secure-applePay). As it turns out, a separate account had been set up using my personal details, with the code mentioned above.

While on the phone, the bank informed me that over the weekend there had been tens of thousands of reports of phishing from mobile phone providers; this specific attack was on Apple iPhone users. This is because when the fraudulent messages were sent, they were automatically filtered into what seemed to be legitimate message threads from providers. Hence many, including myself, believed that the link circulated was genuine.

Thankfully I had caught the transactions early, and my bank will be able to refund the money that had been taken while also closing down the Apple Pay account that had been created using my details. Additionally, I will be sent a new card with new banking details, and I have been instructed to watch my account carefully over the next few days and report any changes. Alongside this, I was sent some useful advice for the future.

This was resolved mainly because I had set up pending-transaction notifications on my account, so that I am notified whenever my transactions are being processed. This means that whenever money is ____ my account I am ‘pinged’ with a notification and made aware of any payments on my account. I would strongly recommend that anyone who does not check their bank frequently ensures that such notifications have been set up; otherwise, for me, there may have been a very different outcome to this experience.

Lessons to be learned:

  1. People should be aware that phishing is becoming more and more evolved, exacerbated by the pandemic. While this seems like an obvious warning, estimates from the Telephone-operated Crime Survey for England and Wales (‘TCSEW’) showed that there were 4.6 million fraud offences in the year ending March 2021, a 24% increase compared with the year ending March 2019 (https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingmarch2021). This demonstrates that, despite the advice given out, people are still being ‘scammed’.
  2. Apple users need to be more cautious when receiving unexpected messages, since messages can be automatically filed under seemingly legitimate contact numbers already on your phone. In my experience this came in the form of my mobile service provider. To help prevent this, Apple have produced an update that lets you filter and block unknown messages (to find out more, see https://support.apple.com/en-gb/guide/iphone/iph203ab0be4/ios), which may help people avoid possible phishing messages.

by Laura Spencer

Routed in the Past

Passwords: every 2 or 3 months they should be changed or adjusted slightly in order to keep your password-protected account or device secure. So why do we not change the Wi-Fi password for our router? Most of us will still be using the awkwardly long password written on the back of the router or on a card, and not think twice about changing it. In reality we should probably be changing this password as soon as we can, and then regularly modifying it to keep the network secure.

The complacency with which we approach our router security is quite frankly appalling: it is so easy for an individual with malicious intentions to hack into a router, particularly on home networks, which are not designed for intensive business use. Throughout the pandemic, working from home has been a necessity for millions of people working in businesses of all shapes and sizes; however, the reality is that our Wi-Fi routers are vulnerable, and we need to adapt them in order to make them less susceptible to hacking as well as other security risks.

With lockdowns and COVID restrictions slowly coming to an end, it’s foreseeable that more and more visitors will be coming into your home. And what is the first thing that most ask?

“What is the Wi-Fi password?”

So what?

Giving the Wi-Fi password to a visitor to your house seems so innocent, and somewhat a rite of passage in this day and age. Even my grandad in his 70s asked for the Wi-Fi password when in my garden this weekend! However, if working from home, individuals should perhaps consider partitioning their home Wi-Fi: one network for work devices such as your computer and work phone, one for normal usage by your personal devices, smart speakers, TVs and any other internet-enabled technology, and a separate partitioned network for guests. On the same front, you could also consider using a guest Wi-Fi and keeping a separate Wi-Fi for those who live with you.

The importance of replacing outdated routers, and of router security more generally, was highlighted by a recent report by Which?, which details problems found by its lab during extensive tests.

The main concerns highlighted by the report include:

  • Weak default passwords cyber-criminals could hack were found on most of the routers
  • A lack of firmware updates, important for security and performance
  • A network vulnerability with EE’s Brightbox 2, which could give a hacker full control of the device

The UK Government plans to ban default passwords being pre-set on devices, as part of upcoming legislation covering smart devices. This would come under the UK’s Internet of Things (‘IoT’) ‘Security by Design’ law. The law is aimed at enhancing the security of consumer devices; it follows the government’s introduction of a security code of practice for IoT device manufacturers back in 2018, with the forthcoming legislation intended to build on that with a set of legally binding requirements. This would encourage individuals to keep their devices and networks more secure; highlighting the issue in reports such as this, and solidifying it in legislation, will aid the public’s understanding of the importance of keeping a secure home network.

The ‘Security by Design’ law is also planning to make manufacturers:

  • Tell customers for how long their device will receive security-software updates
  • Provide a public point of contact to make it simpler for anyone to report a vulnerability

This will enable individuals to have greater access to information and help in regards to their device security.

by Laura Spencer

Pandemic Business Boom: Website Blunders

Living in the 21st Century, it is increasingly easy for individuals to start their own businesses, especially during the pandemic, when around 407,510 new businesses were formed (according to Sky News: https://news.sky.com/story/covid-19-record-number-of-new-businesses-predicted-as-uk-comes-out-of-coronavirus-lockdown-12236841). However, when it comes to marketing and advertising your brand, there are a few key points which need to be considered.

The first is what sort of platform you are going to use to build your website.

It is common, and only natural, to see an advertisement for a company on TV or online which uses fancy advertising with offices around the world. The knee-jerk reaction is often ‘this must be a good company, look at how well advertised they are’, and so you decide to build your website using their platform and tools. This is not always the right call. The most important aspect when looking to build an online presence is the legal and regulatory compliance of the platform. Read through their privacy policy in detail, read through their terms and conditions, and then decide whether you think that they are in fact compliant. You would be surprised at what the platforms that spend money on TV and online advertising hide in regard to their compliance, or potential lack of it. Recently we have been working for a client who has been using one of the highly advertised sites as his website platform, and going through his website compliance documents raised too many red flags to ignore; hence the inspiration for this post!

In this case there were three major red flags:

  • Their storage limitation (data retention)
  • Their data minimisation
  • Their server base location

Starting with the storage limitation of our client’s website provider; the Information Commissioner’s Office (‘ICO’) directs companies and organisations:

  • You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
  • You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

The UK General Data Protection Regulation (‘GDPR’) does not dictate how long you should keep personal data for. It is up to the company or organisation to justify its retention of such data, based on its purposes for processing it. Many companies and organisations keep personal data for a maximum of 6 years. This is because the UK statutory limitation period (the period of time for which a contract could be subject to a legal dispute resulting in a court claim) is 6 years. After 6 years a transaction or contract cannot be the subject of a court case, and by default many corporations destroy all such records after 6 years.

Ensuring that you erase or anonymise personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimisation and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.

But why is storage limitation so important?

Personal data held for too long will, by definition, be unnecessary. You are unlikely to have a lawful basis for retention (e.g. the 6-year statutory limitation period outlined above). From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security, whether in hard copy or online. Remember that you must also respond to subject access requests for any personal data you hold, and this may be more difficult if you are holding old data for longer than you need. Good practice around storage limitation, with clear policies on retention periods and erasure, is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.

Data minimisation is also covered under UK GDPR. The ICO directs companies and organisations, when processing data, to ensure that the data they process is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

The idea of minimisation is that companies and organisations should only collect data that they need and that is necessary for the purpose. The website provider our client was using was ‘hoovering’ up information from its users which it did not necessarily need. Minimisation is important because organisations should not be collecting more data than they need for the specific task for which the personal data is collected.
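The storage limitation steps above (set a retention period per purpose, review periodically, erase or anonymise what has expired, allow the archiving and statistics exemption) and the data minimisation principle can be expressed as one small policy check that a website owner could run over their own records. The following is an added Python example; it is not code from Anson Evaluate, the ICO or the client’s website provider. The purpose names, field names, policy table, sample records and review date are all constructed for illustration, and the 6-year period is the statutory limitation period the post describes.

```python
"""Retention review and data-minimisation check (added example, not code from
Anson Evaluate or the ICO). Purposes, fields and sample records are constructed;
the 6-year period is the statutory limitation period the post describes."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Purpose:
    """Minimisation and retention rules for one processing purpose."""
    name: str
    allowed_fields: frozenset          # the only fields this purpose justifies holding
    retention_years: Optional[int]     # None = archiving / research / statistics exemption
    anonymise_on_expiry: bool = False  # anonymise rather than erase once expired


# Hypothetical policy table (constructed for this example).
POLICY: Dict[str, Purpose] = {
    "customer_contract": Purpose("customer_contract",
        frozenset({"name", "email", "postal_address", "contract_id"}), 6),
    "order_analytics": Purpose("order_analytics",
        frozenset({"name", "email", "postcode_area", "order_value"}), 6, True),
    "statistical_archive": Purpose("statistical_archive",
        frozenset({"postcode_area", "order_value"}), None),
}
META_FIELDS = frozenset({"purpose", "collected"})   # bookkeeping, not personal data
DIRECT_IDENTIFIERS = frozenset({"name", "email", "postal_address", "phone"})


def minimise(record: dict, purpose: str) -> Tuple[dict, List[str]]:
    """Keep only the fields the purpose justifies and report what was dropped."""
    allowed = POLICY[purpose].allowed_fields | META_FIELDS
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed)
    return kept, dropped


def years_ago(today: date, years: int) -> date:
    """Same calendar date `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def retention_action(record: dict, today: date) -> str:
    """Decide keep / erase / anonymise for one record on the review date."""
    policy = POLICY[record["purpose"]]
    if policy.retention_years is None:
        return "keep"                                   # exempt purpose
    if record["collected"] > years_ago(today, policy.retention_years):
        return "keep"                                   # still inside the period
    return "anonymise" if policy.anonymise_on_expiry else "erase"


def anonymise(record: dict) -> dict:
    """Strip direct identifiers so what remains no longer relates to a person."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def review_retention(records: List[dict], today: date) -> Tuple[List[dict], Dict[str, int]]:
    """Apply the policy to every record; return survivors and a count per action."""
    survivors: List[dict] = []
    report = {"keep": 0, "erase": 0, "anonymise": 0}
    for rec in records:
        action = retention_action(rec, today)
        report[action] += 1
        if action == "keep":
            survivors.append(rec)
        elif action == "anonymise":
            survivors.append(anonymise(rec))
    return survivors, report


# Constructed sample records and a constructed review date.
SAMPLE_RECORDS = [
    {"purpose": "customer_contract", "collected": date(2015, 1, 10), "name": "A. Example",
     "email": "a@example.invalid", "postal_address": "1 High St", "contract_id": "C-1"},
    {"purpose": "customer_contract", "collected": date(2020, 6, 5), "name": "B. Example",
     "email": "b@example.invalid", "postal_address": "2 High St", "contract_id": "C-2"},
    {"purpose": "order_analytics", "collected": date(2014, 11, 30), "name": "C. Example",
     "email": "c@example.invalid", "postcode_area": "SW1", "order_value": 42.0},
    {"purpose": "statistical_archive", "collected": date(2010, 1, 1),
     "postcode_area": "M1", "order_value": 17.5},
]
REVIEW_DATE = date(2022, 3, 1)

if __name__ == "__main__":
    _, dropped = minimise({"purpose": "customer_contract", "collected": REVIEW_DATE,
                           "name": "D. Example", "date_of_birth": "1980-01-01"}, "customer_contract")
    print("dropped at intake:", dropped)              # ['date_of_birth']
    survivors, report = review_retention(SAMPLE_RECORDS, REVIEW_DATE)
    print("review:", report)                          # {'keep': 2, 'erase': 1, 'anonymise': 1}
```

Two design choices are worth noting. `minimise` runs at the point of collection, which is where the ICO’s ‘limited to what is necessary’ test bites: a field that no purpose justifies is dropped before it is ever stored. `review_retention` is the periodic review the ICO asks for, and it distinguishes erasure from anonymisation so that statistics can be kept after the individual’s details are gone, matching the archiving and statistical exemption the guidance allows.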

Finally, the server location of our client’s website provider is vague. It is important for companies and organisations to know where their data is being stored, whether the data is encrypted and, if so, to what standard (e.g. SSL 128-bit, TLS 256-bit). If your data is hosted with a cloud provider whose physical servers are not within the EU, then you can’t use that service unless the appropriate GDPR-compliant international transfer conditions are met (adequacy, a data transfer agreement containing standard contractual clauses, or binding corporate rules). These conditions are complex, so it is helpful to know where the personal data for which your organisation is responsible is actually being stored. Any provider who either cannot confirm this simple information, or obfuscates when the question is asked, should be avoided. Even if they do have lots of shiny offices and a slick TV advertising campaign.
