Hats off to the UK’s National Cyber Security Centre, or NCSC for short.
With an admirably broad vision, the NCSC is pitching its new campaign in two complementary articles, headlined:
Public urged to flag coronavirus related email scams.
Phishing: how to report to the NCSC.
Because the last thing we want to see is that we all end up so focused on coronavirus-themed scams that we inadvertently create a loophole for those crooks who are carefully sending non-coronavirus scams in the hope of attracting less scrutiny – hiding in plain sight, as it were.
We’ve seen this problem before in the history of cybersecurity.
An early example is what many people used to call “Nigerian scams”, which was always a divisive and dangerous term to use.
Firstly, we know many Nigerians who aren’t scammers and at least some non-Nigerians who are, so it’s misleading and xenophobic to apply a criminal epithet to an entire country. (Especially a country as populous as Nigeria and with such a large diaspora.)
Secondly, and ironically, the phrase “Nigerian scammers” ended up playing into the hands of actual Nigerian scammers, who found that by openly claiming to come from one of several other countries in West Africa, they automatically became more believable, without needing to change their scams in any significant way.
In other words, the adjective “Nigerian”, when associated with the sender or the content of an email, became a proxy for “scam”, and therefore by a specious and invalid leap of logic, “non-Nigerian” came to be a proxy for “non-scam”.
A more recent example is the issue of ransomware, which tends to dominate any modern discussion of malware, to the point that some people think it’s enough to protect specifically against ransomware and to worry much less, or even hardly at all, about all the other malware threats out there.
The problem with that approach is that many, perhaps even most, ransomware attacks actually start with infection by some other sort of malware such as a keylogger or data-stealing Trojan…
…and in many of those cases, the keylogger or data-stealer originally rode in on the back of a malware infection that arrived before that, for example, malware such as the remote-control bot known as Emotet.
In other words, if you focus too narrowly on ransomware alone, then even if you block all the ransomware attacks that come your way, you may end up in very serious trouble from multiple malware infections that preceded them.
Cybersecurity responses don’t need to be quite this targeted – because the extra cost of protecting against malware, in general, is negligible compared to the cost of protecting effectively against ransomware in particular.
Similarly, if you simply redefine “Nigerian scams” as “Advance fee fraud scams” – in other words, you focus on how they work instead of who may or may not be perpetrating them – you learn how to recognize fraudulent money-up-front schemes in general and protect yourself much better.
So we’re happy that the NCSC has identified that their new Suspicious Email Reporting Service (SERS) helps you deal specifically with coronavirus-themed scams.
It’s right to recognize that coronavirus scams have an importance all of their own and to acknowledge the understandably huge community disgust they attract.
To paraphrase George Orwell, all scams are equal, but some scams are more equal than others.
But it’s also vital to remind people that phishing of all sorts is still a clear and present danger with a very broad reach, and the NCSC has done just that, too.
As the NCSC says:
Cybercriminals love phishing. Unfortunately, this is not a harmless riverbank pursuit. When criminals go phishing, you are the fish and the bait is usually contained in a scam email or text message.
The criminal’s goal is to convince you to click on the links within their scam email or text message, or to give away sensitive information (such as bank details).
So if you see something bogus and want to report it to someone, whether it’s the latest sextortion porn scam, bogus home delivery, or counterfeit face masks for sale…
…you can submit it to the easily remembered email address: email@example.com.
As the NCSC points out, it won’t reply to your submission – but every sample helps because the long arm of the law says that it’s ready to act on our behalf:
If we discover an activity that we believe is malicious, we may:
seek to block the address the email came from, so it can no longer send emails
work with hosting companies to remove links to malicious websites
raise awareness of commonly reported suspicious emails and methods used (via partners)
Whilst the NCSC is unable to inform you of the outcome of its review, we can confirm that we do act upon every message received.
Remember that if ever a bunch of phishing scammers gets their day in court, submissions of actual scam emails from real recipients around the world are powerful evidence of the global impact of their crimes.