Hats off to the UK’s National Cyber Security Centre, or NCSC for short.
They’ve just announced a simple-to-follow set of instructions on what you can do with the apparently ever-growing number of scammy, spammy and phishy emails that coronavirus stay-home rules seem to have unleashed on us.
With an admirably broad vision, the NCSC is pitching its new campaign in two complementary articles, headlined:
We approve.
Because the last thing we want to see is that we all end up so focused on coronavirus-themed scams that we inadvertently create a loophole for those crooks who are carefully sending non-coronavirus scams in the hope of attracting less scrutiny – hiding in plain sight, as it were.
We’ve seen this problem before in the history of cybersecurity.
An early example is what many people used to call “Nigerian scams”, which was always a divisive and dangerous term to use.
Firstly, we know many Nigerians who aren’t scammers and at least some non-Nigerians who are, so it’s misleading and xenophobic to apply a criminal epithet to an entire country. (Especially a country as populous as Nigeria and with such a large diaspora.)
Secondly, and ironically, the phrase “Nigerian scammers” ended up playing into the hands of actual Nigerian scammers, who found that by openly claiming to come from one of several other countries in West Africa, they automatically became more believable, without needing to change their scams in any significant way.
In other words, the adjective “Nigerian”, when associated with the sender or the content of an email, became a proxy for “scam”, and therefore by a specious and invalid leap of logic, “non-Nigerian” came to be a proxy for “non-scam”.
A more recent example is the issue of ransomware, which tends to dominate any modern discussion of malware, to the point that some people think it’s enough to protect specifically against ransomware and to worry much less, or even hardly at all, about all the other malware threats out there.
The problem with that approach is that many, perhaps even most, ransomware attacks actually start with an infection by some other sort of malware such as a keylogger or data-stealing Trojan…
…and in many of those cases, the keylogger or data-stealer originally rode in on the back of a malware infection that arrived before that, for example malware such as the remote-control bot known as Emotet.
In other words, if you focus too narrowly on ransomware alone, then even if you block all the ransomware attacks that come your way, you may end up in very serious trouble from multiple malware infections that preceded them.
Think big!
Cybersecurity responses don’t need to be quite this narrowly targeted, because once you are protecting effectively against ransomware in particular, the extra cost of protecting against malware in general is negligible.
Similarly, if you simply redefine “Nigerian scams” as “Advance fee fraud scams” – in other words, you focus on how they work instead of who may or may not be perpetrating them – you learn how to recognise fraudulent money-up-front schemes in general and protect yourself much better.
So we’re happy that the NCSC has identified that their new Suspicious Email Reporting Service (SERS) helps you deal specifically with coronavirus-themed scams.
It’s right to recognise that coronavirus scams have an importance all of their own, and to acknowledge the understandably huge community disgust they attract.
To paraphrase George Orwell, all scams are equal, but some scams are more equal than others.
But it’s also vital to remind people that phishing of all sorts is still a clear and present danger with a very broad reach, and the NCSC has done just that, too.
As the NCSC says:
Cybercriminals love phishing. Unfortunately, this is not a harmless riverbank pursuit. When criminals go phishing, you are the fish and the bait is usually contained in a scam email or text message.
The criminal’s goal is to convince you to click on the links within their scam email or text message, or to give away sensitive information (such as bank details).
So if you see something bogus and want to report it to someone, whether it’s the latest sextortion porn scam, a bogus home delivery or counterfeit face masks for sale…
…you can submit it to the easily remembered email address: report@phishing.gov.uk.
As the NCSC points out, it won’t reply to your submission – but every sample helps, because the long arm of the law says that it’s ready to act on our behalf:
If we discover activity that we believe is malicious, we may:
- seek to block the address the email came from, so it can no longer send emails
- work with hosting companies to remove links to malicious websites
- raise awareness of commonly reported suspicious emails and methods used (via partners)
Whilst the NCSC is unable to inform you of the outcome of its review, we can confirm that we do act upon every message received.
Remember that if ever a bunch of phishing scammers get their day in court, submissions of actual scam emails from real recipients around the world are powerful evidence of the global impact of their crimes.
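A practical point for anyone submitting samples: a plain forward from most mail clients quotes the body but rewrites or drops the very headers an investigator wants (Received, Return-Path, Message-ID), whereas attaching the original as a message/rfc822 part keeps them intact. The following is an added example, not code from the NCSC or from this article, that builds such a report with Python’s standard email library and checks that the headers survive serialisation. The sample phishing message and the addresses in it are constructed for the example, nothing is actually sent, and whether SERS prefers an attached copy to a plain forward is not stated on this page.

```python
"""Wrap a suspicious email as a message/rfc822 attachment for reporting.

Added example (not NCSC's or Naked Security's code). The sample message
below is constructed; the report is built in memory and never sent.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

REPORT_ADDRESS = "report@phishing.gov.uk"  # the address given in the article

# Constructed sample: a suspicious message exactly as it would sit in a
# mailbox, headers included. The hosts and addresses are illustrative only.
SAMPLE_RAW = b"""Received: from mail.example.invalid (203.0.113.5) by mx.example.org
From: "Delivery Team" <parcel@example.invalid>
To: victim@example.org
Subject: Your parcel is waiting - pay the fee
Message-ID: <abc123@example.invalid>
Content-Type: text/plain; charset=utf-8

We could not deliver your parcel. Pay GBP 2.99 at http://example.invalid/pay
"""

HEADERS_OF_INTEREST = ("Received", "From", "Message-ID", "Subject")


def build_report(raw_message: bytes, sender: str, to: str = REPORT_ADDRESS) -> EmailMessage:
    """Return a new message that carries the raw original as an attachment."""
    original = BytesParser(policy=policy.default).parsebytes(raw_message)
    report = EmailMessage(policy=policy.default)
    report["From"] = sender
    report["To"] = to
    report["Subject"] = "Suspicious email report: " + (original["Subject"] or "(no subject)")
    report.set_content("Original message attached unmodified, including its headers.\n")
    # Attaching a Message object produces a message/rfc822 part with
    # Content-Disposition: attachment; the inner headers are left as parsed.
    report.add_attachment(original)
    return report


def attached_original(report: EmailMessage):
    """Return the message/rfc822 attachment as a message object, or None."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def headers_preserved(report: EmailMessage, raw_message: bytes) -> bool:
    """Serialise the report, parse it back, and compare the inner headers.

    Re-parsing the bytes is what the recipient's mail parser will do, so
    this checks the on-the-wire result rather than the in-memory object.
    """
    original = BytesParser(policy=policy.default).parsebytes(raw_message)
    reparsed = BytesParser(policy=policy.default).parsebytes(report.as_bytes())
    copy = attached_original(reparsed)
    if copy is None:
        return False
    return all(str(copy[name]) == str(original[name]) for name in HEADERS_OF_INTEREST)


if __name__ == "__main__":
    msg = build_report(SAMPLE_RAW, "me@example.org")
    print(msg.as_string())
    print("headers preserved:", headers_preserved(msg, SAMPLE_RAW))
```

To use this with a real message, read the raw bytes from your mail store (for example an `.eml` file saved from your client) rather than copying text out of a preview pane, which is where the headers are usually lost.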
Lory
Presumably this NCSC reporting service is only applicable to persons in the U.K. who are the targets of SPAM?
I’d love it if there was a pro-active SPAM reporting service like this in Canada.
Paul Ducklin
I don’t see why you can’t or shouldn’t contribute samples from outside the UK. The announcement carefully doesn’t say “you must be from UK to send data”.
Spams and scams are a global problem and AFAIK it can be a huge help to law enforcement in one country to get reports from another. It would IMO be a pity if the NCSC couldn’t do a takedown inside the UK because all the attacks had gone offshore and no one inside the UK had any evidence of incoming malicious traffic to make the case.
If you look at the average cybercrime bust these days there may be cops in dozens of countries working at the same time to effect takedowns and arrests.
Geoff Krone
Great news but the article fails to make clear (unless I missed it) whether reports are only wanted from UK recipients or can others also use this?
Paul Ducklin
The article takes the same approach as the announcement from the NCSC :-) – we said nothing about where you need to be, merely that you need to be willing to submit. I suggest that global submissions will surely make the NCSC’s corpus of data more useful than less useful. (For example, in a sextortion scam, are the Bitcoin addresses unique per email; unique per country; or what? Do widespread scams have regional modifications or not? Are emails sent from outside the UK to outside the UK nevertheless linking to servers inside the UK, or vice versa?)
To quote the NCSC: “Have you spotted a suspicious email? If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS).”
The only thing to bear in mind is that this is not the way to report something *as a crime in the UK*, such as if you are actually scammed or defrauded of money. For one, you don’t have to complete any documentation to identify yourself as you would for a formal crime report; secondly, you have to accept that you won’t hear back. You are just feeding a law-enforcement database of known bad stuff in the hope it might help a takedown or three in the future.
(The privacy implication under UK law of forwarding emails is explained in the announcement. For example, the email contents might get shared – presumably both inside and outside UK jurisdiction if needed – to help with investigation and mitigation. Also, for understandable reasons, any submissions are exempt from subsequent Freedom of Information requests.)
Michael
It’s been bounced a couple of times; today isn’t the first.
Unknown user: report@phishing.gov.uk
RCPT TO generated following response:
550 5.7.1 TLS required by recipient
Paul Ducklin
This suggests that whatever mail server or service you are using doesn’t support TLS (encrypted transmission), but the phishing.gov.uk server not only supports it but understandably expects it.
What email client were you using and how did you send the email? If you use any of the popular webmail clients out there, they should all prefer and use TLS, so you might want to try sending again from, say, Outlook.com or Gmail and see what happens. (Seems to work for me from Office 365.)
If you are sending directly from your own computer and letting your email software talk directly to the other end, you can almost certainly turn TLS on somewhere in its preferences or accounts window.
Please let us know how you get along!
Spryte
If you feel the urge you could also volunteer for this project (https://isc.sans.edu/covidclassifier.html) if you have a computer that can be rebuilt easily.
I use an older clean laptop with bare bones Linux. I have the USB just in case I pick up something I don’t want.
If you’re cooped up at home and can’t think of anything better to do, identifying and classifying these sites would be a great thing.
Paul Ducklin
To be clear to interested parties: the nature of the two projects is very different.
In the NCSC’s case you are simply sending suspicious stuff without the need to create an account, to visit any links in your email first, or to see anything you haven’t yet seen in your email already. And there’s no need to zoom in on coronavirus-themed domains. You can send all types of spam, scam, fraud and phish.
In the SANS case you are signing up for and joining a club to do coronavirus-specific malspam classification live on real scam sites in your spare time, which carries an admittedly small but non-zero risk to your own network or computer. Or to your retina and optic nerve. There are things you just can’t unsee out there…
Just so no one is in any doubt :-)
Ian Collier
I am confused.
The title of the NCSC page you refer to is “Phishing: how to report to the NCSC”. The title of this article is “a use for all those phishing emails you’ve been getting”. The email address to which you should send suspicious missives is report@phishing.gov.uk. So they want reports about phishing, yes?
Advance fee fraud scams are not phishing. Sextortion scams are not phishing. Counterfeit face masks are not phishing. These are frauds. The difference is that a phishing email wants your credentials while a fraudster wants your money. I think it does us all a disservice when people – particularly security experts – refer to frauds and phishing emails in the same breath. Sometimes the difference is important.
But the other page at NCSC solicits “coronavirus related email scams” (which would include the fake masks) and, confusingly, tells you to send it to the same place.
If your scam is neither a phish nor related to the coronavirus, do they still want it? How do we know this? Why is the address called “phishing”? Am I being too pedantic in pointing out the difference and is “phishing” the new word for anything that’s a bit dodgy?
Paul Ducklin
I think you are over-analysing this – like people who get upset when the words “computer virus” are loosely used to refer to any overtly malicious software, including non-self-replicating malware, or people who demand that “computer viruses” and “computer worms” are disjoint sets because their technical definition demands it. (FWIW, my own opinion is that worms are a proper subset of viruses, but that’s diving back into details that don’t help in common parlance.)
Yet when people ask what I do and I say “computer viruses? [knowing nod] – I work for a company that keeps all that stuff out”, they know at once what I mean. I know they know what I mean because they invariably want to ask about malware… as well as spam, and scams, and rogue emails, and people who crack encryption for good and bad, and hacking, and rootkits, and crooks who sell stolen credit cards, and the Dark Web, and SIM swapping…. and “all that stuff”.
I think (IMNSHO) that you have been far too specific by insisting that “phishing is about credentials”. I define phishing as “any electronic communication that persuades you to part with something you later wish you had kept to yourself.” That includes passwords, which are about taking over accounts, but also credit card numbers, which are about spending money, as well as addresses and other information that could later help a crook to assume your identity in some way. I think phishing also quite unexceptionably includes messages that lure you and reel you in to the point that you start trusting someone you don’t even know enough to send them money up front, or to cash “cheques” on their behalf.
I think that saying “please report phishing emails to NCSC” is an excellent and plain-English way of catching people’s attention and conveying what I think is meant – any emails that you think are out to get you in some dishonest way, well, they’d like to get a copy.
If you choose only to send in emails that link to websites with fake login pages to steal credentials, following a very strict and narrow definition of phishing, that’s absolutely fine.
If someone else chooses to interpret phishing as “a dishonest email that is fraudulently trying to lure me into a contract, an investment discussion, a money-muling job, a job application with CV included, an oil pipeline payout or even a long-term romance where I end up sending anonymous cash donations by wire transfer”, I think that’s fine too.
And I think this broader definition matches perfectly well with the NCSC’s words: “Have you spotted a suspicious email? If you have received an email which you’re not quite sure about, forward it to the Suspicious Email Reporting Service (SERS).”
Coronavirus scams, yes, included explicitly. Emails phishing for banking passwords, yes, included explicitly. And every other email scam you care to think of where the crooks are on the prowl, the email is the lure, and you are the potential victim… well, IMO, those too are included either implicitly or explicitly.
My 2p.
John
Why don’t email sites provide a scam address so we can contact the email site and forward the scam mail so they can terminate the scammers and inform the police?
Paul Ducklin
Many service providers do, and many security products have a way to do this. So you may be able to report this stuff not only to the NCSC but also, say, to your ISP.
As to why your ISP or email provider can’t just “terminate the scammers” – well, it’s not always that simple, especially if the crooks sending spam are using other people’s computers and accounts. We’ve written about that issue here:
https://nakedsecurity.sophos.com/2020/04/22/porn-scammers-making-100000-a-month-from-sextortion-emails/
John
If the scammer is using someone’s computer and account, they should stop the lot. Scammers are committing an illegal offence, and what you say is let them do it and carry on, but do not upset the computer/account owners.
Paul Ducklin
That is not what I said at all. You are putting words in my mouth. What I said is that it’s “not always that simple” to suppress spam by finding parts of the network to cut off.
Indeed, determining a proportionate response when dealing with spam senders is not trivial, because there is often no easy way to take down just the affected computer of the affected user without harming others. Having said that, users who get infected and therefore contribute to the spam problem may very well end up in trouble with their ISP. In some countries, ISPs will kick users out if they are persistent offenders, even though they haven’t done anything illegal themselves. And spam filtering blocklists are usually fairly aggressive in throttling email traffic from devices that are busy spamming.
As an example, if you received spam from one gmail DOT com address, you wouldn’t immediately blocklist all of Gmail. Or if you did, good luck with that. In fact, even if you could surgically block a user’s Gmail account after seeing some spam, you might still be wasting your time if the sending of the email was down to a specific *device* on someone’s network, not a specific *email service*. (In other words, the spamming might depend on a specific infected computer, not a specific compromised email account.)
Likewise, if you notice malicious traffic from one IP number, you might decide to block or not block that IP number depending on how many computers you thought were on its network, and what community it was serving. If it were a free-standing suburban house, blocking it would probably feel justified, but if it were an entire high-rise apartment block, it would not. If it were an internet cafe that was a regular spam-sending offender, blocking it would probably feel like the right thing to do; if it were a hospital, it would not.
The IP blocklisting problem is compounded by the fact that many ISPs don’t give customers the same IP number every time they connect, to increase the quantity of IP numbers (32-bit IP numbers are a scarce resource) that are still available for allocation at any time.
(As an analogy – would you expect your bank to cancel all your direct debits unilaterally and close all your family’s accounts if it noticed a single fraudulent transaction on your credit card? Or would you expect a more nuanced response than to throw out the baby with the bathwater?)
Steve
Excellent explanation of something that might seem so simple, but definitely is not.
Paul Ducklin
Thanks! Appreciate the kind words.