Plenty of phish in the sea

Plenty more phish in the sea


Phishing (noun): the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
"an email that is likely a phishing scam"

These days, receiving an email from a Nigerian Prince offering to “share their fortune” with you may bring back a warm sense of late-90s nostalgia, but you might be surprised to learn that in 2019 this same, original scam continued to rake in over $700,000 – averaging $2,133 per person [1].

As has always been the case, criminals like to take advantage of people when they are vulnerable.

Phishing emails have spiked by over 600% since the end of February 2020, as cyber-criminals look to make the most of the fear and uncertainty created by the COVID-19 pandemic, according to Barracuda Networks [2]. Around 2% of the 468,000 global email attacks detected by the firm were explicitly classified as COVID-19 themed.

As is so often the case, the attacks used widespread awareness of the subject to trick users into handing over their login details or financial information, and/or unwittingly downloading malware to their computers.

Security awareness training company KnowBe4 claimed that 38% of untrained end users are susceptible to phishing, i.e. they will fail realistic phishing scenarios. This is up by over 8% from 2019 figures [3].

Of the phishing emails sent, these were the subject lines that hooked the highest percentage of people.

Password check, or change of password, required immediately 19%
Your order with Amazon, or Amazon order receipt 16%
Announcement: Change in holiday schedule 11%
Happy Holidays! Have a drink on us 10%
Problem with bank account 8%
De-activation of [recipient’s email] in progress 8%
Revised holiday and sick time policy 7%
Last reminder: Please respond immediately 6%
[Yodel] label delivery 1ZBE312TNY00015011 6%

Whilst many of us may scoff at the Nigerian Prince scam these days, there are plenty more sophisticated and better executed scams out there.

You know when celebrity photos end up on the Internet? That is often dismissed as “I was hacked” but, almost without exception, the truth is that the celebrity was scammed into revealing their login information – and the images were simply downloaded.

It is on all of us to remain vigilant, and to take steps to minimise our exposure.

Protecting yourself from getting hooked

Nobody need be fearful of the Internet, but we should all be wary. These are a few ways that you can help protect yourself.

1. Think before you click
It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a great idea. Hover over links that you are unsure of before clicking on them. Do they lead where you expect them to lead? A phishing email may claim to be from a legitimate company, and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in information, but it may not contain your name. Most phishing emails will start with a generic “Dear Customer” style greeting, so you should be alert when you come across these emails.

When in doubt, go directly to the source rather than clicking a potentially dangerous link.

2. Verify that the website is secure
Most people are familiar with the “padlock” you see next to a website address, but few know what it actually means. The presence of the padlock means that the data you enter in a website is transmitted securely between you and the website. It does not necessarily mean that the website isn’t a “bad actor”. The fact is that bad guys can secure their websites too.

As a general rule, you should never enter personal or private information into a website that doesn’t have the padlock (SSL/TLS encryption).

3. Use different passwords for every website
This might sound like an enormous hassle, but if you use a password manager (of which hundreds of options, including free ones, are available), it is easy to do this. By using separate passwords, even if your password is stolen from a site you use, it cannot be used elsewhere.

One of the most popular ways of hacking sites is to use “credential stuffing” (see below). Using different passwords for each site negates this risk.

As another rule, you should always use a unique password for highly sensitive websites/apps, such as your bank account. Resist the temptation to use a password you use elsewhere for these sites.

4. Keep your browser and phone apps up-to-date
The browser companies are continually patching and adding new security features to their browsers. Keep them up-to-date to benefit from these.

5. Always run a virus killer
You should always have an up-to-date virus killer on your computer. These days one of the very best is Microsoft’s free virus protection built into Windows. You don’t need all of the extra tools thrown in with the chargeable anti-virus products, and Microsoft’s is known to be one of the most efficient.

6. Never give out personal information
As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of AOL and CompuServe, when users had to be warned constantly due to the success of early phishing scams. When in doubt, visit the main website of the company in question, get their number and give them a call. Most phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”, but remember… secure doesn’t always mean legit.

7. Don’t share logins
Quoox is designed explicitly for each staff member to have their own login. At all times, you should strongly resist using the same login, or allowing other staff members to use your account. Sharing logins compromises your system and your members’ data, and makes it impossible to track who did what. You should also resist leaving Quoox logged in when not in use. This is why the system will automatically log you out after a period of inactivity.

Your data is your business. Do not compromise it for the sake of saving a few seconds of time!

How Quoox helps to protect you, your business, and your data

There are many, many different systems, practices and processes that we have in place to protect your Quoox system. As registered data handlers, this is a responsibility that we take very seriously.

Below are a few examples of some of the things we have in place. This list is deliberately far from exhaustive, as secrecy itself is a key element of system security.

1. Passwords
At Quoox, we will never ask you for your password. If/when we need to identify you, we shall use other means.

In actuality, we don’t even know your password! What we store in our database is known as a “hash”: a one-way, irreversible transformation of your password. When you log in, we hash what you enter and check that it matches the value in our database. There is, however, no way for us (or anyone) to reverse the stored value to reveal what your actual password is. This means it stays between you and your browser!

2. Financial data
We do not store any financial data within Quoox. Credit/debit card data is stored with Stripe, and bank account details for direct debit mandates with GoCardless. None of this data passes through our system, even during data entry. The most detail we can retrieve from these 3rd party systems is the last few digits of the card or account number. This ensures your data remains completely safe, and reduces the interest for hackers in attempting to infiltrate our systems.

3. Data encryption
All data sent between our servers and our users is encrypted. The encryption certificates are replaced every few months. Sensitive data within Quoox, such as tokens used to retrieve your Fitbit® or Myzone® data; or certain medical information is all encrypted to a high level within the Quoox database.

4. Phishing emails
All emails arriving into the Quoox message centre are passed through the Microsoft Office 365 mail filters. Whilst this can never be guaranteed to remove every phishing and scam email, it does catch almost all.

5. Firewalls and attack protection
Quoox employs multiple levels of firewall and attack protection. These are provided and managed by Cloudflare and Microsoft. Our partners at Cloudflare are constantly deploying new firewall rules based on threats they see elsewhere in their network, and typically ensuring Quoox is protected before the threat even comes close. By default, we deploy every rule they recommend. Very occasionally this may result in “false” positives, but these are easily & quickly remedied – and far better than false negatives!

6. Bot protection
Whilst some of us may find the Google CAPTCHA on the login page a bit annoying, it serves a critical purpose. This is one of the layers that prevents “credential stuffing”. That is the practice where hackers get a list of known emails and passwords, and use a computer program to try each in turn (at great speed) on different websites. Sooner or later, where someone has used the same password (see above), they get a result and get in. The Google CAPTCHA prevents the use of these automated processes, and typically makes it not worth the hacker’s effort.
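The pattern described above is also detectable on the server side, as this added example (not Quoox’s code; the log format, field names and threshold are assumptions) shows: a credential-stuffing run produces failed logins against many different accounts from one source in a short window, whereas a genuine user mistyping their own password fails against a single account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Quoox logs): time, source IP, account, outcome.
SAMPLE_LOG = """\
2020-04-01T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-01T09:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-01T09:00:02Z 203.0.113.7 carol@example.com FAIL
2020-04-01T09:00:03Z 203.0.113.7 dave@example.com FAIL
2020-04-01T09:00:03Z 203.0.113.7 erin@example.com FAIL
2020-04-01T09:00:04Z 203.0.113.7 frank@example.com SUCCESS
2020-04-01T09:00:10Z 198.51.100.2 alice@example.com FAIL
2020-04-01T09:00:40Z 198.51.100.2 alice@example.com FAIL
"""

WINDOW = timedelta(seconds=60)
DISTINCT_ACCOUNT_THRESHOLD = 5  # assumed tuning value, not a Quoox setting

def parse_line(line):
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome

def find_stuffing_sources(log_text, window=WINDOW, threshold=DISTINCT_ACCOUNT_THRESHOLD):
    """Return {ip: accounts} for sources that failed logins against at least
    `threshold` distinct accounts inside any `window`. Distinct accounts, not
    raw failure count, is the signal: one user mistyping their own password
    hits one account, while a stuffing run walks a leaked list of many."""
    fails = defaultdict(list)  # ip -> [(time, account)] for FAIL lines only
    for line in log_text.strip().splitlines():
        ts, ip, account, outcome = parse_line(line)
        if outcome == "FAIL":
            fails[ip].append((ts, account))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= threshold:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: failures against {len(accounts)} accounts in {WINDOW.seconds}s")
```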

7. Two-factor authentication
Logins to the Quoox back-end systems are all protected by two-factor authentication. This means that, on top of a valid email and complex password, a unique number (valid only for 30 seconds, and available only from that staff member’s phone) is required to log in. This ensures that, even if a login email and password are compromised, the bad actor is still unable to log in.

8. Activity tracking
Within Quoox we employ several different activity tracking models. These are particularly in force in the areas where financial data is handled. These scripts and models will prevent any activities seen as being suspicious, and will err on the side of caution.

9. System separation
The live Quoox servers are located in data centres that are not network linked/connected to our corporate network or employee computers in any way. Access to our production servers is extremely limited – with only the two co-founders and 2-3 senior technical personnel having access.

10. 3rd party review
On a regular basis, our systems are reviewed by trusted 3rd parties. We comply with “OWASP – Application Security Verification Standard 4.0”, and implement & deploy additional security elements if/when they are found to be relevant and prudent.

The most vulnerable part of any system

In this day and age, the most vulnerable part of any system tends to be its users. As human beings we typically avoid confrontation, and our “good manners” can cause all sorts of problems. Yes, we may swipe into our facilities, but how many people hold the door open for a stranger out of “politeness”?! Likewise, if we are asked for details by an official-sounding person, many feel uncomfortable questioning their motives.

At Quoox we are committed to continuing to strive to do our best for our customers and, in turn, for their members.

We will seldom talk about our system infrastructure or the protections we have in place, as doing so goes against best practices. However, with the current spike of phishing attacks (taking advantage of people’s vulnerabilities and anxieties), we wanted to share these few tips and insights with you.

Dedicated to your success,

Chris Windram | Co-Founder

a: Quoox Ltd. | 71-75 Shelton Street | London, WC2H 9JQ
e: [email protected] | w: quoox.com
p: +44 (0)203 745 1090 | p: +1 678-496-7209