Webinar

Replay: How to protect yourself from business email compromise

Business email compromise is when an attacker gets access to someone’s email account without their permission, and it can be hard to spot. Watch the webinar replay to help your business be more protected.



[Visual] The screen opens displaying a slide tile that says, ‘The webinar will start shortly’. The host, John Mollo, appears in a small window at the top right-hand corner. Throughout the video, the webinar slides change to match what the speaker, Tom Roberts, is discussing. At times John, the host, will cut in; as each speaker speaks, they appear in the top corner.

[Audio: Host/John] We’ll get this webinar started very shortly. We'll just allow it a couple of minutes, allow people to join, allow people to sort their audio, and we'll get started very shortly.

Alright, we've hit 10 o'clock, and we have critical mass. So we'll get this webinar underway. So welcome, everybody. It's great to have you all on board to hear about business email compromise. So, if we just jump to the next slide there, Tom, this webinar, as I said, will be business email compromise, which we'll go through and explain in a second. 

[Slide change]

And while it is mostly focused on businesses, a lot of the things that we’ll talk about can obviously be taken on by us as individuals as well.

[Slide change]

Just some housekeeping before we get started. So, if you have any questions at any point, use the Q&A box at the bottom of your screens there. So, use the Q&A box as opposed to the chat box; that just makes it a bit easier for us to manage. We'll try and ask those questions at a natural pause in the presentation, or, where they're best suited towards the end, we'll keep those to the end.

So quickly, just to introduce ourselves. My name is John Mollo. I'm a team leader here at the NCSC. I manage our engagement and partnerships team; essentially, that team looks after the Own Your Online website and our Cyber Smart Week campaign that you may have seen around. So I'll be the MC today, and our subject matter expert is Tom, and I'll allow Tom to introduce himself.

[Audio: Speaker/Tom] Kia ora koutou, I'm Tom. I'm the team lead for the threat and response team here at NCSC. We're responsible for responding to everything that sort of comes through to the NCSC, from state-sponsored threats down to individuals having issues with their home networks and security concerns there.

[Audio: Host/John] Awesome, thank you very much there, Tom. So now we'll just go into a bit around what NCSC is.

[Slide change]

So if you haven't heard of us before, we are the government's lead agency for cyber security. So last year CERT NZ, with its focus on individuals and small businesses, was merged into the National Cyber Security Centre.

And now we are the lead agency that's focused on the whole of the economy when it comes to cyber security. So right from individuals, small businesses, big businesses, government, and nationally critical infrastructure as well, so that whole economy there.

One of the platforms, one of the websites that we provide, is Own Your Online. What it is, is a website targeted at individuals and small businesses to make cyber security easy to understand. So on there you'll find a whole bunch of resources and guides to help educate people around cyber security, and help them to see what the latest scams and threats coming up are. So by all means, we won't be offended, while we're on this webinar go and check Own Your Online in the background. Have a look through; it might help inform some of the questions that you have for Tom and me this morning.

Cool. All right, Tom. I'll hand over to you to kick us off into our presentation.

[Slide change]

[Audio: Speaker/Tom] Excellent. So I'll just start a wee bit broad at first and talk about the scale of incidents that we see across the country. So in the last 12 months, or now in the 2023 to 2024 period, we saw a total of 7,122 incident reports reported to the NCSC. We know that number's a lot higher when we have numbers from police and some of the other reporting mechanisms as well. But from the NCSC view, that's how many we had.

Out of those, 110 were linked to or indicated links to state-sponsored actors. So that's nation states acting against our own infrastructure or businesses within New Zealand, for whatever reason they are doing that, and that varies significantly. Out of that number, so the rest of the, you know, 7,000-odd, a large number of that was the sort of financial crime elements. Business email compromise is one of these, and phishing. And we saw a total of $21 million in reported financial loss. Interestingly, we're seeing a wee bit more bitcoin, and all those sorts of different monetary measures or angles, coming through into these.

But yeah, $21 million was the total financial loss. And then, again, if you include the numbers that are recorded by the banks and the telcos, that number certainly starts to skyrocket.

The majority of these incidents that we had were handled through sort of a general flow of how we respond to incidents, just because that's sort of managed by the small to medium businesses, and what they require is very similar advice, which is really good, and we've put all the advice on Own Your Online. And then the 110 there were for those, you know, specialist technical attention, where we'll go and provide the remediation steps to get those state-sponsored threats out of there. Yeah.

[Slide change]

Importantly, though, what we've seen is that $198 million in scams and fraud, slightly different to pure, sort of, security incidents. But that's basically anything from people being duped to seeing something on Facebook Marketplace or, you know, other online trading platforms, not just to call out Facebook Marketplace.

And you can see that number is quite high. Worryingly as well, it's the mental stress that we've seen, especially around, you know, what everyone's aware of, the sort of cost of living at the moment: people losing even $20 here and there, a couple hundred, that adds to the personal stress and the mental toll that takes on the individual, and we've certainly seen that come through.

And some responders are dealing with a lot of anxiety and mental hardship that has come through these online security incidents. Worryingly though, if you're the person that's been impacted, it can sort of spread out from there, and so you might have information and data loss on a site, and this is where business email compromise starts to come into it: the business might be impacted, but then it's the sort of secondary impacts to people that might have just lost, you know, a username or an email, and then that opens them up for further attacks from these criminal groups.

[Slide change]

Businesses are where we are being targeted in New Zealand, and it's something that isn't really talked about within the business community, and we're trying to really raise that here at NCSC. 36% experienced a cyber attack in the last 6 months; that's pretty high, incredibly high.

Though 55% say that cyber security is a top priority for them. But people sort of have these different perceptions around cyber security and everything like that.

I'll sort of explain what a business email compromise is, and why we want to talk about that right now, and show some low-hanging fruit that we can, you know, pick and then stop the attackers having easy targets, because that's where they go a lot of the time: easy targets.

[Slide change]

They [cyber criminals] are a business, and that's what a lot of people sort of don't think; they think that, you know, as the picture there shows, it's someone in their basement, or, you know, not that New Zealanders have many basements, but in a dark room with the windows blacked out and the curtains pulled, just doing it alone. They're very complex groups, very complex groups. And they do work 9 to 5. And sometimes they follow the sun model, right, so they'll have different crews placed around the world so that the 9 to 5 is consistent, much like a multinational business does with the IT help desk. And they are looking for that low-cost solution, so they will send mass phishing emails out. They'll go on to the dark web, which, for those that don't know, is essentially just like Google, but it's not referenced by Google, is the easiest way to describe that, and they trade things. They just trade credentials. They'll trade people's passwords, and then they'll send out very convincing, either phishing or targeted, emails.

[Slide change]

So, these are the sort of things that they send out. Phishing and credential harvesting. Credential harvesting sounds like something you've done in a paddock, but it's actually when someone will try and get all your credentials out of you, or someone you know, or something like that, and they'll use that as a vector to get into your networks. Investment scams, recovery room scams: they're exactly what it sounds like, they try and get money out of you, or your business, or things like that. Another one is very similar to investment scams, and the methodology behind it is actually very similar to romance scams as well. That's certainly something that a lot of Kiwis are falling for day in and day out. But it's not really talked about, certainly because of the shame that it can bring, and the isolation that it can bring, and the mental sort of aspects to that.

[Audio: Host/John] So Tom, by credentials, right, we mean essentially people's passwords and usernames, right? Those are what we mean by credentials?

[Audio: Speaker/Tom] Yeah, absolutely. Yeah, absolutely. So it could be anything that’s sort of like the keys to get into your house, essentially. It could be something small. You know, people have the date of birth, or the kids' names, or things like that they use as credentials. And so even just small bits of information; you can think of it as information. Yeah.

[Audio: Host/John] And we've just got a question that's popped in. So what is a recovery room scam? How would you explain it to someone?

[Audio: Speaker/Tom] Yeah. A recovery room scam is quite a complete sort of attack and scam. So that is essentially where something might happen to your computer, and as a precursor someone might have done something to you. And then someone will call up, you know, a week later, or some time later, or you might get an email saying, hey, we're Microsoft, or Amazon, or Google, or, you know, whoever, Spark, whatever, and they'll say we're here to fix that problem. They are the ones that caused it. But now they're coming in as an authority, you know, we're here to help you, sort of like the firemen coming to save your house from burning down, and so that automatically has trust in it. And then they go through your entire bank accounts.

[Audio: Host/John] Yeah, perfect. And that's a really good example. And I think quite often we also see it on Facebook, right, where people post and say, sorry, my account has been hacked, and all of a sudden you get a whole bunch of comments saying, oh, I can help you with that. So there are a few different forms of recovery room scams that people should just keep an eye out for. So yeah, you keep going.

[Audio: Speaker/Tom] Typically, we're trusting - I think so. It's a great sort of attitude. It's a great sort of aspect of our culture, but it does make us prone to things like this, and the cyber attackers, you know, all these, they know about it. They know that Kiwis are trusting. And so that one is, yeah, quite malicious.

[Audio: Speaker/Tom] And then spoofing. So spoofing is basically when they pretend to be you. It is different from business email compromise. It's when your email address is spoofed: the attacker has made it appear that the email has come from you, but doesn't actually have access to your account.

Whereas business email compromise, as we'll get into, is when they have actual access into your account. So there are ways that you, and some of the methods that we'll describe later on in here, will prevent spoofing. It's becoming less and less common just due to things being secure by design. So that's when tech companies are actually taking the onus on themselves and making things secure. It's certainly something that we're pushing to the tech companies, and of course with our partners overseas, you know; we don't get in a car and expect it to come without seat belts, you get in a car and you expect it to have basic safety features. And that's what we're sort of pushing out to these big tech companies as well. And I can notice it, which is really good. So, but yeah, spoofing is where they'll pretend to be you, but they don't have access to your accounts.

That can happen on Facebook and stuff as well, like, you know, there are all these other mechanisms that apply to that as well. And before I dive into business email compromise, I'll just open up the floor to any questions on that. I'm happy to take any questions about what's been talked about or alluded to.

[Audio: Host/John] We do have questions, folks. You can just use the Q&A box at any point. We'll make the most of Tom's expertise, and we'll try and ask those questions at some point throughout the webinar, or we'll hold them to the end. But yeah, keep going otherwise there, Tom.

[Slide change]

[Audio: Speaker/Tom] Easy! So, why are we talking about business email compromise now? It's something that's endured for a wee while. But what really got us concerned was the spike in reports that we saw from law firms in particular.

And why, you know, why are they targeting law firms? Well, that's, you know, where a lot of commercially sensitive, personally sensitive information is held. Also, lawyers are protected, have certain legal privileges under the law themselves, which means, you know, in terms of interacting with authorities and stuff like that, they've got certain legal privileges that they hold, which is really important. But also, the vast majority of law firms in New Zealand are small businesses.

Think about law firms up and down the country, whether, you know, Balclutha, Gore, or whatever; they will all have a small law firm that's representing them wherever they are. When you've got small law firms typically, or small businesses typically, they're, you know, thinking about keeping their head above water. They're thinking about keeping employees paid, especially, you know, as people are tightening their belts. Thinking about how they can expand their business, you know, all these things, and then sort of cyber and IT is sort of that thing that just happens underneath, you know; it's the engine in the car that just keeps on going. But sometimes we sort of need to make sure that's tuned up. I’ll try not to use too many car analogies, I promise. I'm not a car person. But so that's why law firms in particular, we think, saw a spike and also got picked up.

[Slide change]

Because of that spike, we also saw that there was a large pickup in the media because of it. So you can see there that there's a bunch of different businesses spread around the country. And yeah, it was quite the same, especially speaking to some of those victims on the phone. Yes, they lost money, but the mental toll, I think, was a lot higher than I personally thought it was going to be. The feeling of almost being betrayed was, yeah, quite worrying.

[Slide change]

But what is a BEC? So, oh, there we go!

It's when an attacker gets into your email account without you giving them permission. More often than not, you probably have actually given them permission, but not knowingly given them permission. And then they use your email account to carry out attacks. It's also like unauthorised access, the difference there being, hopefully, sorry, not hopefully, but with a business email compromise that's typically just located to your email environment, so think Gmail, Outlook, whatever you're using.

Whereas unauthorised access is when they've got access to the wider network and the file storage systems and things like that. The line does get pretty blurry when you're talking about those cloud accounts. So if you're using Office 365, or a Google Workspace, or the common ones, Amazon's got their own, it's getting more and more popular in New Zealand. But when you've got access to that, essentially, you can get access to all the different files in the network as well, especially if you're the business owner or a highly privileged user; they can pivot and run rampant.

But unlike other attacks, business email compromise is where they target. Sorry, I will go on to the next one.

[Slide change]

They basically go in very like a scalpel. They might get information through phishing and things like that. But more often than not, if you're subject to a business email compromise, you're the target; it's a targeted activity. The reason is, it's hardest to get in when you're phishing for money or information, or whatever. And say, you know, a big box retailer comes and sends you an email and says, hey, we've got a deal for you, and for whatever reason that day you're just like, I really want that; they're after money. Business email compromises, they want money, but more importantly, they want your access to others. It's sort of like a centre point, or it's hub and spoke, and because of that, that's where it gets really dangerous. So how they do it: they can use or code correct weak passwords without two-factor authentication. That's where it gets worrying. They can find details in credential dumps. So, this is a whole industry that exists where people, as I said before, trade information, and so you might be, I don't know, using a web service whose security is weak, but your information then can get exploited because someone else's security was weak.

Remember, when we had the Covid lockdowns, it was because we needed to protect others.

[Audio: Host/John] So I think Tom's frozen there for a second. Do you just want to go over that point again around Covid.

[Audio: Speaker/Tom] Yeah, that's the same thought process around Covid, right? A lot of the reason why people were isolated, or asked to isolate, was because, you know, we didn't want to give the chance to infect others, right. When you've got credential dumps, and someone is infected, or they've been accessed, they've got the ability, you know.

[Visual] John appears full screen. 

[Audio: Host/John] So I think that's the internet going there again. What Tom's trying to outline there is the credential dumps or data breaches that can happen, so you might sign up to a service, it could just be like an online game, right? And you've inputted your email and password, and that is compromised, but you've used that same password for your email. Or you've used that same password for your banking. And that's where the sort of issue lies there.

So, Tom, I don't know if your Internet has...

[Visual] Tom appears full screen. 

[Audio: Speaker/Tom] Yeah, hopefully, that wasn't a cyber security issue. That would be a bit embarrassing.

[Visual] John appears full screen. 

[Audio: Host/John] Yeah, well, it's good. I guess it's good to see even a cyber security organisation’s internet not being as reliable. But.

[Visual] Tom appears full screen. 

[Audio: Speaker/Tom] Alright, let's get that back up and running. Sorry about that folks.

[Visual] Slide appears

[Audio: Speaker/Tom] Okay, can you see the slide? Is it all good?

[Audio: Host/John] Yes. Good. Yeah.

[Audio: Speaker/Tom] Cool, excellent.

Yeah. So yeah, there are many different ways. I'll just keep going. There are many different ways that they can get in. But, importantly, to know with business email compromise, it is targeted. And they want those businesses because of their access to others.

So I'll just move stuff around the screen. So then, what happens?

[Slide change]

So once they’re into your network, or into wherever, you know, into your email account, they can pivot, and they can do a bunch of other stuff. So they can use your account to send out invoice scams. And this is when it typically looks like spoofing. They can send out malware. They can send out phishing emails. Worryingly, for the legal sector in particular, is the espionage and information-gain aspect of it. They might often be using your networks to find out information on clients. As we'll talk about in the next section, a bit of a case study, that can lead to massive financial harm for your clients or for the law firm itself. But also, depending on who your clients are, they might be, you know, people that they can then use that information on for other malicious purposes.

[Slide change]

This is what a case study looks like. So basically, this is something that happened very recently. But it’s pretty agnostic to, and pretty typical of, what we see for a business email compromise. So, an attacker gains access into a staff member's account. And then the attacker can set up an auto-forwarding rule so that all incoming and outgoing emails are sent to the attacker without the staff member knowing.

Why is that dangerous? It means that they don't need persistent access into your email account. Persistent access can be hard. It means that you have to dedicate resources to basically make sure the pipe's open. If you just set up an auto-forwarding rule, basically, that means they’ve got a wee, you know, spy on your network that is just sending stuff out without them needing to be there.

The attacker then monitors communications for a period of time, and identifies some correspondence with a customer where they might be purchasing a home or making large deposits, you know, and, as people would know, when they're buying a house or making any large transactions through lawyers, there are a few emails leading up to that point, so they just need to look for those.

And the attacker then begins corresponding with the client, acting as if they're the staff member, and supplies them with the bank account to pay the deposit into.

Also, they can do it because they've got access to, you know, what normal looks like from that law firm; very easy to trick them into that.

In this case, though, the client thought it was suspicious that the payment was required earlier than originally planned. Which was good; they sort of had a wee red flag, but went to the bank to facilitate the payment.

So, they thought something was fishy, and then they went to the bank and said, hey, is this, you know, can we do this in a branch? Then the bank recognised that this was an offshore account facilitated by the bank and that this was unusual. The client then called the law firm to check the details, and the staff member who they had been communicating with confirmed that it was not them requesting payment.

And then that was stopped, thankfully. And, you know, I think in that case it was a couple of hundred thousand dollars. So yeah, quite a lot of money.

[Audio: Host/John] So one of the important points there, Tom, is the attackers are staying on the network, kind of watching for a while. They're not just in and out, right; they're sort of taking their time, and have got access relatively easily to the emails because of things like either getting the password through a data breach, or they've hacked it because the password was not a good password. So they've got it easy to spend a bit of time looking. And then all they need to do essentially is try and change a few digits, or the digits on an invoice, essentially.

[Audio: Speaker/Tom] Yeah, I mean, and that's just if they want money as well. So you think of all the other things that they can change within a contract, or things like that. In this case the attacker was just wanting money. But if they want to, you know, alter data, or things like that, that can be pretty easily achieved through the same mechanism of them getting into the email accounts. Yeah.

[Audio: Host/John] We've had a question just pop up in here. I think we'll get into some of the things that we can do. But they've asked, can you see the auto-forwarded emails if you look in your sent folder? So do they usually appear in your sent folder, or do you need to look somewhere else for the rules that are set up? What's our sort of advice there?

[Audio: Speaker/Tom] Depends on how they've set it up. But yeah, generally speaking, you should be able to see it in the sent folder, but then, if they've set up a rule after it's been forwarded to automatically delete, and then automatically delete that from the, you know, the deleted folder or the trash bin, they've deleted the chain of evidence, or, you know, there's no chain of evidence there.

So, the way to check for it, and we'll certainly go into this next, but one of the ways that we check is going and seeing what rules are being applied. So, you know, these rules might be, you know, anything that comes from, or has, I don't know, ‘whatever’ in the title, move to this folder, is typically what people have. Checking that they're legitimate as well, as people will name them similar. It takes a wee bit of time to actually check for these things. They do cover up their tracks quite a bit.

[Audio: Host/John] Okay, thank you.

[Audio: Speaker/Tom] Cool.

[Slide change]

As I've alluded to, and you can see it there, they are sophisticated attacks. They can be pretty hard to detect, so monitoring your business email compromise, sorry, your business email, is important. And so if you're just doing continual monitoring, you know... Oh look, I wouldn't be doing things every week. But periodically checking, you know, checking that auto-forwarding rules aren't there. Or if they are there, that they relate to what you need them to be.

See if there are filtering rules. So, you know, you can set up rules that filter spam out, so they might filter out words or phrases in there, like ‘is this a scam?’ or something like that, so then you wouldn't even know that someone's complaining to you about them potentially receiving it from the wrong accounts. And the one that is a wee bit harder to implement if you don't have an IT provider, but look at logs for any foreign IP addresses that are logging into it.

If you're with an IT provider, or, you know, there's a myriad of them out there, or a managed security provider, or something like that, then they will do that for you, or they should be able to do that for you. If it's the likes of, if you're just using a Gmail account or a small business Microsoft Outlook 365 account, then that's a wee bit harder to set up.

[Slide change]

Cool, so we'll just get into the low-hanging fruit. So, this is the stuff that we know stops attackers. And typically these are very agnostic to the problem. So, it will protect your business from business email compromise, but because the protections are built in the way that they are, it will actually protect your online accounts from various different attacks.

[Slide change]

So, the first one that I highly recommend is turn on two-factor authentication, or multi-factor authentication as it's sometimes called. Basically, this means that you have another app, or it could be a hard key, like a wee stick, that authenticates you in another way. So, it's not just using your username and password, it's using another method. So, biometrics is another way of doing it, these, you know, facial recognition, although with that one you've got to be careful with facial recognition nowadays. But yeah, they will basically protect you if someone tries logging in with breached credentials, which, unfortunately, is commonplace: you'll get a notification saying, was this you that logged into your account?

If you are with Gmail or something like that, and you have logged in through another computer, for whatever reason, you might have received an email saying, was this you? Very similar.

[Slide change]

But not all two-factor is created equal. A unique code sent to your phone, that's the most basic form. But those apps, so Microsoft have one, Google have one, I won't recommend, there are multiple, I won't recommend any particular apps, but the ones from your larger trusted providers are pretty good, and then they have various different things, and they might have biometrics or a physical key that you plug into your device.

[Slide change]

But ultimately two-factor authentication, multi-factor, is something that you know, something you have, which is your phone. So, for me personally, if I log into an account I need to put a biometric on the phone, which is something I am. So, I've got all 3, so it's 3-factor. I don't know, but, you know, that's multi-factor.

[Audio: Host/John] Just while we've got a pause, there’s a question that's just popped in here. Hi Tom, you mentioned you need to be careful with facial recognition. Why is that? Is there a vulnerability, or is there something else that people just need to be mindful of around facial recognition?

[Audio: Speaker/Tom] Yeah, so facial recognition is getting into the realms of, you know, digital AI and all that sort of stuff. It's not quite there yet, but certainly with the speed at which it's going, it is getting there, where someone can pretend to be you with your face on, like, a Teams call, or something like that, you know. So, at the moment, if I turn my head that way, if it was AI at the moment, it might be a bit blurry, and it is quite computer-intensive in terms of creating it. And the attacker has to be really dedicated to getting to it.

So, for a normal business email compromise, at the moment, that's all fine for multi-factor authentication. At the moment, it's still pretty good for most people, because, you know, the amount of computing power that's required to fake that is very high. If you're like a celebrity or something like that, someone with a wee bit of notoriety, then I'd strongly consider not using facial recognition for your very sensitive accounts. When it comes to face unlock on your phone and things like that, that's absolutely fine. It's more so logging into things through an application online, or something like that, somewhere where it's more likely for someone to be in the middle and interjecting things. At the moment it's still pretty good, but the lifeline on that piece of technology is quickly, you know.

[Audio: Host/John] Thank you, Tom. I think there's an article that we have on Own Your Online that sort of ranks, or shows, the different forms of 2FA, and which ones are better than others. So we can post that for folks to have a look at as well, and that actually goes into one of our next questions, which is, can you explain biometrics please?

[Audio: Speaker/Tom] Biometrics are various things. It's like an overarching term for, like, you physically: think fingerprints, think iris scanners. They’re the two sort of core ones. I could nerd out on this, but getting into deeper biometrics, you know, your phone might have an infrared light that shines into your face, and that detects just different ways that your face reacts, and things like that. It's like who you are physically, is probably the best way to describe it.

[Audio: Host/John] Cool. Thank you, Tom, and I've got one other question here, which we might just touch on; we mean passwords, around using the same password. So, I'll come back to that question, and you carry on.

[Slide change]

[Audio: Speaker/Tom] That's a nice segue. I will just go through these. Use long, strong, unique passwords: 16 characters. Who's going to remember that? But if you use a passphrase like 'pumpkintreebluemap', that's really good, and it's harder to guess. A sentence is pretty good as well, and then, classically, you can replace alphanumeric characters with symbols.

[Audio: Speaker/Tom] Don't use the same password across multiple accounts, and certainly avoid patterns and personal information. The way that a lot of people do it is they'll have something and then put, like, 'Facebook' in the middle, because that's the Facebook one, or they'll have whatever service it is in the middle. If you've been caught up in a data breach and someone sees that you've got, not to use Facebook as an example, but you've got Facebook in there, then the scheme is pretty much the same, or the pattern of how you've done your words is pretty much the same, and then if they want to see if you've got a Gmail account they can put Gmail in between. Avoid doing that.

Password managers can help, and they do help. What you want to look for with a password manager, and I think we've got articles on Own Your Online as well, is that it should be on-device encrypted. That means it's stored locally on your device. So if you've got a phone, which is typically where people have their password managers, it's on your phone. It's not stored somewhere in the cloud, or somewhere where it's more likely to be breached. The reason it'd be more likely to be breached in the cloud is because, for the attacker, there's more bang for buck. They won't just get your password; they'll get everyone else's as well. That's not to say don't trust the cloud, but it's just that wee bit better if it's stored on your device. 'Stored locally' is another term that they use.

And then a thing that you can do to see if you've actually been breached is go to haveibeenpwned.com. Basically, this is a bunch of security researchers, people in rooms with curtains drawn and, you know, monsters sitting on their desks, scouring the internet and seeing if people's accounts have been breached, and then posting it on here. Basically, they just want to keep the internet a safer place. So you can just enter in your password, or enter in your email account, and see where you've been caught up in a breach. A lot of people in New Zealand, if you've travelled to Australia and used Optus, are probably caught up in the Optus breach that happened a few years ago. Basically, it gives you a checklist of stuff that you should probably go back and change. Or, even if you don't use those accounts anymore, just delete them. It's pretty easy to set up new accounts.

[Audio: Host/John] Cool. That's really useful there, Tom, and we sort of touched on this question already, but is it really as bad as they say it is to use the same password across different accounts and different devices? We touched on it earlier: using the same password on one account that might not be as secure, and if that gets breached or hacked, they can use that same password across your email and your banking information. Is that right?

[Audio: Speaker/Tom] Yeah, essentially it's like having one key to your entire house, but maybe you want some rooms more secure than others. Password managers can randomly generate passwords, and technology is getting to a stage now where we've got, it's not mentioned in here, but passcodes and passkeys, which are sort of machine-to-machine authentication. And that's even better than passwords. There's an article about that as well. But yes, certainly, using the same password across multiple accounts, I would highly recommend not doing that.

[Audio: Host/John] Cool. That's really useful. I guess one of the main takeaways is, you know, we know people have a lot of accounts, but if you just focus on having a long, strong, unique password and implementing 2FA on your main accounts, and we think of main accounts as banking, email, social media and obviously any other financial services, in the first instance at least, just look at implementing 2FA and this password advice on those main accounts, if you're going to do anything. And that leads nicely to this next question, which comes up a lot of the time: do you have a password manager that you recommend, Tom? I think you touched on some of the things to look out for, but is there one that you can recommend?

[Audio: Speaker/Tom] Being government, I can't recommend a service personally. But the characteristics that I can point you towards: it needs to be secured on your device, on-device encryption, or they use a couple of different methods for that. But what you're seeing now is your big service providers are doing a pretty good job with this, so the one that you're using might be okay.

And they're doing them for free. Again, this comes back to us and our partners pushing secure-by-design practice. As I said before, you don't expect to jump in a car and have to pay extra for seat belts. A lot of these big organisations and big companies are doing that intuitively, so I would recommend having a look at those ones.

The downside to those big ones is, if there's a vulnerability, then more people are likely to be impacted. But yeah, on-device encryption, they sell it different ways, and it's usually free. If you're using a free one that's not one of those bigger companies, just be careful and read the terms and conditions and things like that on them. Just do a bit more due diligence.

[Audio: Host/John] Cool. Thank you. That's really useful. And this next question is: if you had old email addresses that you no longer use, how can you kill those old passwords, as you may reuse them for current email? So this is kind of going to our point that we shouldn't reuse passwords, and should come up with new ones every time. Is that right?

[Audio: Speaker/Tom] Yeah, I'd say they just need to redo those passwords. If there's an email account that you can't get into for whatever reason, or you don't use anymore, see if you can delete it. If it's just sitting there and not causing any harm, then that's fine, but I would try and delete it, or transfer emails away and things like that. But certainly, the password that you're using for your current device or your current email address should be different to the one that you've previously used.

[Audio: Host/John] Perfect, cool. And we've just got one more question for you before we move on, but do keep the questions coming in, team, and we can get to the remaining ones at the end of the webinar. This next question is: what do you mean by secured on-device encryption there, Tom? I think we mentioned that when we were talking about password managers.

[Audio: Speaker/Tom] Basically it means where it's stored. It's the box that your password is kept in, and the lock that's on that is really good. So the password is kept on your device; it's not in another offshore server somewhere. It's kept on your device, and it's encrypted, which means the information is jumbled up in such a way that only you and your device have the ability to unlock it. I think that's probably the best way to describe it.

[Audio: Host/John] That's a great analogy. Yeah, awesome thanks, Tom. I’ll let you keep going.

[Slide change]

[Audio: Speaker/Tom] Cool. So these next two are things that, if you're more of a business owner or have a managed security provider, you have the ability to look at, which is setting up logs and preventing email spoofing. I won't spend a whole lot of time on these, but if you do want to know more about them, we've got information on Own Your Online or on the NCSC website as well.

Setting up logs. Logs are basically a record of everything that your computer does, and what that helps with is if something's gone wrong. I'll say it won't necessarily prevent anything, but it will help people like myself at the National Cyber Security Centre, and the teams and the people that will come in and help fix it. They'll be able to look through that, and it's essentially a very large Excel spreadsheet. It's not really fun to look through, but then they'll be able to say, oh yeah, this is where the attack got in, this is what they did, this is what they accessed, etcetera.

Then prevent email spoofing. So this is setting up Sender Policy Framework and domain-based messaging, the whole thing, you can read it there. But that's basically policies on your email accounts that authenticate you with people that might receive things. If you're using most of the large providers, say Microsoft 365, or Google, or Amazon, or all those sorts of things, even some of the smaller ones, they usually have this stuff, sorry, the DMARC and that sort of last paragraph there, turned on by default, which is fantastic. It's secure by design. Logs are something that, if you're a business, you would want your security provider, or even yourself if you're more technically enabled, to have running in the background.

[Audio: Host/John] Question: how do you set up logs? And so I guess our advice there is to talk to your IT provider, and I guess the advice is these are the sort of things to look at after you've sorted some of the basics out. Would that be right there, Tom?

[Audio: Speaker/Tom] Yes, certainly do the low-hanging fruit previously mentioned: two-factor authentication, multi-factor authentication and passwords, and making sure they're long, strong and unique. These things here are more for if you're in a business that can do that. Actually how to set up the logs is different depending on the technology you're using and how your network's configured, and things like that, so I won't go into specifics for different things. But to the person asking that question: just look at the technology you're using and search for how to set up logs, and that will give you different methods. If you're using a security provider, or say you're using OneNZ, or one of the ISPs and things like that, you can just ask them: hey, is logging enabled on my email account? Can you set up logging and maybe send me a report, or things like that? It does require a bit of technical knowledge to actually read, but if you've got that availability or capability, then I'd recommend doing that. And you can have automated programs that will scan through the logs and say, actually, this isn't normal. Especially now that we've got AI and machine learning, that makes it a lot faster as well.

[Slide change]

[Audio: Speaker/Tom] I'll go on to the key takeaways. So yeah, as it says, online security incidents affect us all. So yeah, there were 110 incidents nationally that were those sort of state-sponsored, malicious other nations trying to get into our networks. But the big thing that happens in this country is businesses getting attacked through what is essentially cybercrime for financial reasons, or IP stealing, sorry, intellectual property stealing, and all those sorts of things. But if you do get the basics in place, two-factor or multi-factor authentication on your accounts, that really does stop you being the easiest target. And then, if you do have an incident, or you are concerned, I'll show you in the next slides, but please do report it to us. We're very fortunate to have the country's best people working to resolve cyber security incidents. And I definitely mean that: they're the best people in the country, this is what they do for a living, and they really love giving help.

More on the defence before: not just the ambulance at the bottom of the cliff, but also the fence at the top. Own Your Online has some great resources there as well, and if you're a bit more IT inclined, the National Cyber Security Centre website has a lot more detail. So for that logging question as well, the New Zealand Information Security Manual, which I promise you is the worst reading that you've ever done, but it's really important, sets the standards for how you should be doing things in terms of your own network.

[Audio: Host/John] I guess, just to reinforce what Tom was saying there: refocus on those basics in the first place. You've potentially heard a lot on passwords and 2FA, but we know people still aren't taking on that advice, and going back to what Tom was saying, these criminals are a business, so they'll find the easiest way into our accounts, and that is through passwords and people not having 2FA. So focusing on the basics, and trying to get all staff within the organisation to take on those basics, is probably one of the main key takeaways we want people to take away from that. But Tom, keep going.

[Slide change]

[Audio: Speaker/Tom] Cool. And this is basically just how to get in touch with us. Report: call that 0800 number if you want to, or email incidents@ncsc.govt.nz for general inquiries, and we'll be able to help or point you in the right direction. So, for ransomware, we get a few people, quite a few unfortunately, getting ransomware, and sometimes even just the authoritative pat on the back, we call it a cyber hug, like, actually, you're doing the right thing, you're doing everything possible to resolve this, can take a wee bit of stress off. And I think sometimes even just taking that wee bit of stress off can be helpful.

[Slide change]

Thanks for that. Happy to open up to any questions around this topic, or cyber security, or whatever. Very happy to answer anything.

[Audio: Host/John] Cool. Thank you, Tom. We've got a few questions here, so if folks have more questions, feel free, send them through now. If we don't get to them, we'll try and include them in the follow-up email we send out to everybody, but we'll try and get through as many of the questions as we can now. One question says: do you have any tips for remembering whether certain accounts require symbols, numbers, caps, etcetera? Is that just using the password manager there, Tom?

[Audio: Speaker/Tom] Yeah, using a password manager helps. If you're using a passphrase, I forgot the example on the slide, but you can replace, you know, an A with an @, or maybe, if you want to throw people off even more, a hashtag or whatever, I'm just looking at my keyboard. But yeah, those sorts of things, or using a password manager, is good. Password managers also have the added advantage that you can just copy and paste straight from the password manager, and they often suggest passwords that are really hard to beat as well. So you could just use the one that they suggest, and good luck remembering 10 of those, because they are very long, strong and unique.

[Audio: Host/John] Awesome, cool. And this next one, I think, is quite a good one, very topical. So, in the event that my email account is compromised, what is the best course of action we should take?

[Audio: Speaker/Tom] Yeah, so you need to secure that account as fast as possible. What you don't want is them changing passwords and locking you out of the account. So if you think your email account has been compromised, essentially you're trying to get someone back out of the house and then changing the lock on the door so they can't get back in again. How you do that, a quick way to do it, would be to implement two-factor or multi-factor authentication on your account and force everyone to log off, change passwords, and then have a look at potentially other things after that. This would be checking that your wi-fi network doesn't have the default password, and all those sorts of things, and you can get into a bunch of things that you then go and check. But the first one would be you're trying to evict the person that's in there, and to do that you would change your passwords, and essentially that would hopefully kick them off, or see what devices are logged into your network. You can do that through your Outlook or through your Gmail, and then kick them off, and just kick every device off except the one that you're on.

[Audio: Host/John] Yeah. And once you've done that, or if you're still unsure, report to us and we can help provide some advice around what people can do if there is a compromise. So we can put that contact screen up again if you like. Why don't we go back to that.

[Slide change]

So yeah, that's where you can reach out to us, find out some more information, and report an incident as well if you have an incident. So just jumping into another question here: what can people do if there is a breach showing on Have I Been Pwned? Like, they've put the email in, and it's come up. What should they do there, Tom?

[Audio: Speaker/Tom] Yeah, so see if you're still using that account, and see if the password that's used on that account is a password that you use on other accounts, and then go through and change them. So essentially you want to secure that first. Then, depending on the breach, there might actually be some information concerns about that. So if the information that you gave that service was, say, your passport information, or hopefully it's not, but your IRD or banking details or things like that, you need to go to those services and say, hey, look, I've been caught up in a breach, can I get those changed? They're very, very responsive on those. Certainly the banks are very, very good and are now very responsive to these sorts of things.

[Audio: Host/John] Cool. This next question here is: are song titles any good for passwords, Tom? Would you recommend a song title for a password? I guess we probably want them to be a bit more random, right? Like, you know, it opens people up to dictionary attacks, maybe. So, I mean, better than an eight-character password, but we could make it a bit more random, because essentially what people do is load up song lyrics and titles into the computer, into their software, and it runs through a whole bunch of its operations trying to crack passwords. So, while it's better than having a small password, I think make it a bit more random. Maybe a song that only you know, using that as a password.

[Audio: Speaker/Tom] Yeah, and what that could open up as well is that typically language follows a certain pattern or way. You know, if you use the word 'I', for example, it's going to be 'I have', 'I am', etcetera. So that's the way that they get those passwords if they're brute forcing it. I mean, they basically just use the most common things that come after the next word, and then, when they think they've got the next word right, they use the most common again. It's another way that large language models are trained as well. Yeah.

[Audio: Host/John] This question is a bit more of a practical one. How can you access your device password manager if your phone is lost or damaged? Yes. How do you get your passwords if that happens?

[Audio: Speaker/Tom] Yeah, no, that's a really good point. So you probably couldn't. You can write it down, you know, a classic pen and paper, sort of the analogue technique of writing stuff down and storing it in a safe place, that still definitely works. So if you've got, say, your main Google account or your main Outlook account, or Microsoft account, even just storing that password in a really safe place, wherever that safe place is for you, outside of your phone and outside of your digital environment, would help you get there.

[Audio: Host/John] Cool. And I know, you know, if the phone is damaged you still can potentially access it and download files from it, potentially, but obviously it's just something to think about, setting those things up.

[Audio: Host/John] And we've got time just maybe for one more question. But if you do want to send through questions, do that, and we can try and answer those in our follow-up email. The questions have been great, team. And before we answer this, just to remind folks, or just let folks know, that when the webinar does end you'll get a pop-up questionnaire with a bit of a survey. So if you can give two minutes of your time to fill that in, that will be greatly appreciated.

[Audio: Host/John] So this final one says: thanks, Tom, for the detailed presentation. Separate from the BEC, you mentioned investment schemes. Has your team been seeing cases of WhatsApp account takeovers, with the attacker then using the WhatsApp number to do similar activities to a BEC? What can people do in these cases to protect and recover their accounts? And so, is that just the kind of things, 2FA, that we talked about, with that account there, Tom?

[Audio: Speaker/Tom] Yeah, absolutely. So yeah, WhatsApp accounts, we've seen quite a few of those, and depending on how your account is set up is how you would resolve that issue. If your account is tied in with, say, your whole Meta account or your whole Facebook, a password change and basically evicting them. Sometimes you might have to do that locally on the WhatsApp account itself, or you might have to just change number as well. Depending on how your account is set up can vary how you would respond to it. I think that raises a good point, though, for some education material specifically around those sort of digital messaging apps as well. I know we've certainly got something on Own Your Online, you know, but something that's detailed would be pretty good for us to do.

[Audio: Host/John] Cool. Thank you, Tom, and that brings us to the hour. So thank you very much, Tom, for presenting, and thank you to everyone for joining. As I said, feel free to reach out to us if you do have any questions, check out Own Your Online, and if you've got any ideas around what you want to hear more about from us, by all means get in touch and let us know. But thanks for joining, team, and we'll leave the webinar there.

[Audio: Speaker/Tom] Thanks, everyone.

[Recording ends].

What to expect

In early 2025 we saw an increase in reports of cybercriminals gaining unauthorised access to business email accounts, particularly those of law firms, and targeting their customers and clients with fake invoices. This type of attack is referred to as Business Email Compromise (BEC), and it can be hard to spot, as cybercriminals go out of their way to avoid being detected.

In this one-hour webinar, we break down:

  • How a BEC attack works
  • The warning signs to look out for
  • Steps needed to protect yourself and your business
  • Steps to take if your email account is breached

Whether you own a business, handle payments, or work with sensitive information, this webinar will help equip you with the knowledge to protect your business against these increasingly sophisticated scams.

Time: 1 hour