Tech News : Crypto ATM Scammers
An FBI announcement has warned that scammers are now directing victims to use physical cryptocurrency ATMs and digital QR codes to complete payment transactions.
What Are Cryptocurrency ATMs?
A cryptocurrency ATM is a physical kiosk/terminal/device that connects to a cryptocurrency network (e.g. bitcoin) and allows customers to purchase crypto tokens with deposited cash. Cryptocurrency ATMs are connected to the Internet and can use QR codes to send and receive tokens to users’ digital wallets. The UK, for example, already has bitcoin ATMs in many cities; for instance, there are 50 in London and 10 in Manchester.
What Scams?
The FBI’s warning relates to scams that are using impersonation schemes, where the scammer falsely identifies as a familiar entity, for example the government, law enforcement, a legal office, or a utility company. Scammers are also using romance schemes (establishing a fake online relationship with a victim), and lottery schemes where scammers falsely convince victims that they have won a prize and need to pay lottery fees.
How Do The Scams Work?
According to the FBI, regardless of the scheme, the methods using cryptocurrency ATMs and QR codes appear similar. The scammer requests payment from the victim and directs the victim to withdraw money from their financial accounts (e.g. bank or investments). The scammer then provides a QR code associated with the scammer’s cryptocurrency wallet for the victim to use. The scammer directs the victim to a physical cryptocurrency ATM to insert their money, purchase cryptocurrency, and use the provided QR code to auto-send the money. Reports indicate that the scammer is in constant contact online with the victim, providing step-by-step instructions until the payment is completed.
Why Cryptocurrency?
The reasons why the scammers are using cryptocurrency are:
– The decentralised nature of cryptocurrencies makes them very difficult to recover.
– The transfer is immediate. As soon as the victim makes the payment, the recipient instantly owns the cryptocurrency and can immediately transfer the funds to an account overseas (making it even more difficult to trace).
– It creates extra hurdles for the police/law enforcement agencies in trying to recover the funds.
Protection
Ways to protect yourself from falling victim to this type of scam include:
– Never send payments to a person you have only spoken with online.
– Don’t respond to callers claiming to be representatives of a company where you are an account holder, and who request personal information or demand cryptocurrency, or to callers from an unknown telephone number who request cryptocurrency.
– Don’t respond to anyone who says they can only accept cryptocurrency and (for example) identifies as the government, law enforcement, a legal office, or a utility company.
– Avoid anonymous cryptocurrency ATMs as they may be used for money laundering.
– Report any such calls to ‘Action Fraud.’
What Does This Mean For Your Business?
Cryptocurrency ATMs are still uncommon in the UK, but crimes such as romance fraud are quite widespread and for victims in large UK cities it’s only a short step before this type of scam is operated on a bigger scale. The story also illustrates how manipulative and ruthless scammers can be if the return is rewarding enough. Since the big increase in remote working during the pandemic, the UK has seen a huge rise in various scams. In June, for example, Citizens Advice reported that more than two-thirds of UK adults (36 million) have been targeted by a scammer since January, and that 12 per cent were offered a fake investment or ‘get rich quick’ scheme. There was also a very sad report from Citizens Advice Consumer Service of an elderly man who contacted the charity after he sent £240,000 to an account he thought belonged to his bank. Fraudsters prefer vulnerable targets but anyone, if caught off-guard, is a potential victim. It is vitally important, therefore, that experiences of scam calls/texts/emails are shared, and suspected scams are reported to Citizens Advice and Action Fraud so that the nature of the scams can be identified which can lead to the fraudsters being stopped.
Tech News : Microsoft Unveils ‘Loop’ Collaborative App
Microsoft has unveiled the new ‘Loop’ collaborative app which it describes as “a flexible canvas with portable components” designed for assisting with new hybrid working patterns.
Background
Microsoft says that the new app is part of a “reimagining” of Office, and a response to the new opportunities created by new (hybrid) working patterns that can make Office more of a universal, interactive canvas for creators of all kinds. Loop (which incorporates AI) is, therefore, positioned as an enhanced, collaborative, flexible canvas that can be customised to suit any project with portable components that move freely and stay in sync across apps, thereby, Microsoft hopes, enabling teams to improve how they think, plan, and create.
Three Elements
Loop consists of three elements, which are:
1. Loop pages. These are the scalable, “flexible canvases” which are the shared collaborative spaces into which the components and other relevant elements are dropped for each project.
2. Loop components. These are the “units of productivity” which could be anything from lists, tables, notes, and tasks, to a customer sales opportunity from Microsoft Dynamics 365. These components can be used in the Loop page, a chat, email, meeting, or a document. They are synchronised and the idea of being able to arrange and work with different components is to help the team keep a flow to the work, thereby improving productivity and efficiency. As part of its Loop announcement, Microsoft also announced two new Loop components. These are a voting table to make it easier for teams to ideate, drive consensus, and finalise decisions together, and a status tracker to help track the progress of projects.
3. Loop workspaces. These are the shared spaces where teams can see and group together everything that’s important to a project.
Start Rolling Out This Month
Microsoft says that Loop components across Microsoft 365 apps like Teams, Outlook, and OneNote will start rolling out this month, and more details about the availability of the Microsoft Loop app will be made available in the upcoming months.
Like Google’s ‘Smart Canvas’
Loop is a similar idea to Google’s collaborative working ‘Smart Canvas’ tool, announced in May this year, which uses ‘building blocks’ and ‘smart chips’ to connect and share information between apps such as Docs and Sheets.
All-In-One Document Concept
The idea of an all-in-one document concept is not new (other examples include the Airtable platform, the Notion collaborative app, or the Coda doc) but it now represents a logical, competitive move for Microsoft.
What Does This Mean For Your Business?
The shift to hybrid working, whereby employees work part of their time at home and part in the office, is now a pattern that is (after the pandemic) embedded in the working culture of many organisations. Collaborative working platforms are, therefore, very much in demand and, although a little late to the party (two years in the making), Microsoft hopes that Loop’s flexible format, coupled with familiar apps, will prove popular with businesses. Microsoft has seriously turned up the competitive heat (for Apple) over the last year with features and services designed to be compatible with new ways of working (e.g., Teams Connect, the 365 cloud PC, and Windows 11 including Android apps). For businesses, Loop may prove to be a useful, compatible, collaborative tool that could help improve productivity in uncertain times. For Microsoft, Loop is a way of re-imagining how Office programs can be used more flexibly for business customers as part of a system where projects can be customised to maximise workflow.
Tech Tip(s) – 3 Top YouTube Tips
If you use YouTube videos in your website or need to view or share specific parts of YouTube videos quickly, here are 3 top tips:
1. How To Start A YouTube Video At Any Point
If you need to share part of a video rather than making someone watch the whole thing:
– Edit the YouTube URL with &t=MmSSs, replacing M with the minutes, and replacing SS with seconds, OR…
– Obtain a link automatically while you’re watching the YouTube video by right clicking the video and selecting Copy video URL at current time.
2. Create An Infinite YouTube Video Loop
If you’d like to play a video of your music (for example) continuously in the background while working:
– Visit the YouTube video that you’d like to loop, replace YouTube.com in the URL with YouTubeLoop.net and press ENTER, OR…
– Right-click the video you’re watching and select ‘Loop’ from the menu.
3. Disable Related Videos
If you’ve embedded one of your YouTube videos in your website but want to stop the suggested other videos from being displayed when your embedded video finishes playing:
– In the embed code (which you get by clicking the ‘Share’ icon under the video in YouTube), append ?rel=0 to the end of the YouTube URL. This will prevent the suggested videos from showing.
Tech Insight : Smart Doorbells and UK Law
In this insight, we look at ‘smart’ doorbells and how the outcome of a recent legal case has highlighted the legal responsibilities that owner/operators of smart doorbells have under UK law.
Smart Doorbells
Smart doorbells, such as Eufy, Ring, Nest Hello, Arlo, Vuebell, IseeBell, and more are Internet-connected replacements for traditional doorbells. Smart doorbells use a smartphone app to enable the home occupant to see and talk in real-time with a caller using the doorbell’s built-in high-definition (infrared) camera and microphone. Smart doorbells can be activated by motion sensors and/or the pressing of a button, and the pictures and audio conversations can also be recorded.
The Issues
As outlined in a recent legal case in Oxfordshire, a judge ruled that security cameras and a Ring doorbell installed in a house broke data laws and contributed to harassment. Although the background of the case highlighted a long-running neighbourly dispute and one security camera was placed on a shed, the outcome focused on some very real legal issues relating to smart doorbells such as privacy, security, and regulation of increasingly normalised domestic surveillance.
In this particular case, some key issues were that:
– The smart doorbell could capture personal data (audio of conversations and video) from people who were not even aware that the device was there, and that it recorded and processed audio and personal data (there was no consent).
– The capturing of the audio data was found by the judge to be “even more problematic and detrimental than video data”.
– The extent of the range that the doorbell could capture audio was judged to be well beyond the range of video captured and, therefore, not reasonable (in this case).
– The device’s ability to capture conversations at ranges of between 40ft and 68ft away was excessive.
– An update to the doorbell in 2020 meant that it could not be switched off.
– Even if the ‘activation zone’ (motion-activated area) feature of the doorbell cameras was disabled, it could still film the whole area due to movement in one of the other non-disabled activation zones.
Pro Privacy Campaigners
Privacy campaigners such as Hannah Hart of ProPrivacy have highlighted how, using devices such as smart doorbells, “a small number of residents can effectively transform public spaces into surveillance hotbeds, and even share their recordings with police.”
The Laws
The laws that apply to issues around the use of smart doorbells are the UK Data Protection Act 2018 and UK GDPR. Also, a 2014 case (albeit in the Czech Republic) means that domestic surveillance systems are regarded as being within the scope of the data protection legislation where data is captured beyond the boundaries of a homeowner’s property.
The Manufacturer
The doorbell (Ring) manufacturer in the Oxfordshire case mentioned above was Amazon. Amazon may have:
– Built privacy and security features into the smart doorbell e.g., customisable privacy zones, motion zones, and Audio Toggle to turn audio on and off.
– Added end-to-end encryption to its smart doorbell technologies to keep personal data captured secure against misuse by third parties….
BUT the responsibility for HOW the equipment is used (in relation to the law) lies with you, the user.
How Can You Use Your Smart Doorbell Legally?
The important points to remember for using home surveillance devices, including smart doorbells are:
– Use home surveillance equipment in a way that respects the rights of other people, including neighbours.
– Be transparent (e.g., with neighbours) about what the equipment has been installed for and how it operates, thereby retaining your data protection obligation to process data in a lawful and transparent way, and not to collect personal data without a specified or lawful purpose (as required by the Data Protection Act 2018 and the GDPR).
– Ensure that the scope (e.g., the distance) of data capture is reasonable for its purpose.
– Consider putting up a sign that states recording is taking place, and why.
– Follow published guidance, such as ICO guidance for using CCTV: https://ico.org.uk/your-data-matters/domestic-cctv-systems-guidance-for-people-using-cctv/
What Does This Mean For Your Business?
Smart surveillance products may have some particular advantages (e.g., being able to hold real-time conversations with visitors when you’re not at the premises) but, despite their in-built privacy and security features, how they are used and operated, together with contextual factors, means that you, the owner/user, still have legal responsibilities. The recent Oxfordshire case (Fairhurst Vs Woodward) shows that simply installing such devices without proper consideration of transparency about their use, their operating scope, and how they could affect the legal privacy rights of neighbours could land you with a large fine.
Tech News : One Million UK households May Be ‘Brushing’ Scam Victims
A report from consumer watchdog Which? reveals that as many as 1.1 million people in the UK may have been caught up in a parcel delivery ‘brushing’ scam.
What Is Brushing?
Brushing is where people are sent packages of goods to their address that they didn’t order, apparently purchased on Amazon, by a person not known to them. Which? believes that third-party unscrupulous sellers, or agents acting on behalf of the sellers may be sending the goods. The reason for the scam is so that third-party sellers can log the deliveries as genuine sales, thereby boosting their own rankings on the highly competitive Amazon platform which favours products with high sales volumes and good reviews.
Where Do The Sellers Find The Addresses?
According to Amazon, sellers find the names and addresses from publicly available sources. The Which? website, however, gives an example which suggests that names and addresses can be easily collected and ‘consolidated’ from a variety of sources, such as Amazon itself (via its seller platform for merchants), from a seller’s list of customers that it serves on other marketplaces and platforms, or from previously unconnected website security breaches.
Accounts Set Up In Some Cases
Which? also reports that some unscrupulous sellers take the brushing scam a step further by creating a fake Amazon account linked to the unsuspecting recipient’s address to ‘purchase’ the item themselves and then leave a glowing (fake) review.
What Kind of Items?
A separate Which? survey showed that a wide variety of items have been received by victims of the scam including LED strip lights, books, envelopes, sunglasses, and headphones.
What Is Amazon Doing About Brushing Scam?
Amazon says it has ‘robust’ processes in place to prevent brushing, which it says are carried out by ‘bad actors’ using data from ‘external sources.’
What Happens To The Parcels?
Amazon’s reported position is that customers don’t need to return the items and can choose to keep the parcels or throw them away, whichever they find more convenient.
The Which? research shows that where there was an Amazon parcel not ordered by the recipient, not sent by a known person, and not taken in for a neighbour, 63 per cent said they kept them, 18 per cent said they threw them away, and 16 per cent said they gave the item away.
What Does This Mean For Your Business?
Although it may sound like a positive thing to be the ‘victim’ recipient of lots of goods that you don’t have to give back, there are some serious issues here. Some would argue that it’s not enough for Amazon to simply say that recipients can do what they like with the parcels, and the fact that the scam exists is a sign that the platform’s system is not working as it should. Which? wants Amazon to do more to increase its scrutiny of seller profiles and monitor for suspicious activity that could suggest product purchases and reviews are not genuine. The apparent fake reviews that result from the fake sales are also something that could adversely affect Amazon customers and create a more unfair situation for the other Amazon sellers who behave honestly. A better position by Amazon could be to encourage those who have received unsolicited packages to report them to customer services so that it can investigate fully and take robust action against sellers that are attempting to mislead consumers. This would benefit other Amazon sellers and customers alike. There is also an argument that laws should be introduced to crack down on brushing and force tech giants to protect people online. It should also be noted that, at a time when environmental issues are high on the world’s priority list, more goods simply being thrown away is not helping (as in the case of 18 per cent of brushing recipients).
Tech News : Massive Rise In HTTPS Attacks
The latest “ThreatLabz: The State of Encrypted Attacks” 2021 report has shown a 300 per cent increase in online attackers using HTTPS to cloak their activities and blend in with other traffic.
HTTPS
HTTPS, the encrypted version of the Hypertext Transfer Protocol (HTTP), enables secure communication over a computer network, using Transport Layer Security (formerly, Secure Sockets Layer). HTTPS is particularly important for protecting the kind of personal data that’s submitted in online activities like shopping, banking, and remote work.
Massive Increase
The ThreatLabz report showed that threats inside encrypted traffic have increased 314 per cent as online attackers choose HTTPS to cloak their activities.
How?
Cybercriminals can use HTTPS to hide threats like malware from web security tools that don’t fully inspect encrypted traffic.
Why?
The rise of this type of attack has been driven by factors such as:
– Google making it known that the presence of HTTPS is an important consideration for search-results rankings, and Chrome and Firefox showing warnings about sites without HTTPS, thereby fuelling a general belief that HTTPS is totally safe.
– Attackers (as well as legitimate businesses) can now enable and auto-renew HTTPS for their sites, regardless of whether the content is suspect.
– New types of malware are now being shared behind a lock symbol.
Types of Attack
The types of attack that criminals are using HTTPS to hide include:
– Malware (including ransomware). This type of attack has grown by 212 per cent and nine out of ten attacks via HTTP(S) involved malware. Spyware has also shown a 435 per cent increase.
– Phishing has grown by 90 per cent on last year and is being driven by attacks launched through legitimate services. For example, Microsoft 365 was the most common attack vector for phishers.
– Attacks on web applications, such as credential stuffing. For example, the ThreatLabz report shows that attackers interacted with almost 70 per cent of HTTPS-based web-facing applications.
Who Was Attacked The Most?
The report showed that technology companies were attacked the most using HTTPS cloaking (a 2,344 per cent rise) followed by retail and wholesale companies which saw an 841 per cent increase in this type of stealth attack. Increased scrutiny by law enforcement on healthcare companies/organisations and government (which have been heavily targeted before) appears to be the reason for a decrease in the numbers of HTTPS-based attacks on these targets.
What To Do?
Ways that businesses can protect themselves against cybercriminals hiding attacks using HTTPS include:
– Not assuming that SSL traffic is automatically secure traffic – the padlock icon of HTTPS does not guarantee security.
– Start from a position of zero trust, where there is no lateral movement, apps are invisible to attackers, and authorised users can directly access only the resources they need, not the entire network.
– If possible, use AI-driven quarantine rather than firewall-based passthrough approaches.
– Use a proxy-based architecture and cloud-native performance to decrypt, detect, and prevent threats from SSL traffic.
– Make sure all company network users have the same high level of security at all times, at all locations (e.g., when working remotely or even when on the go). All traffic on and off-premises needs to be inspected to stop encrypted threats.
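As an added example (not taken from the ThreatLabz report or from any vendor's tooling), the Python script below measures the inspection gap described above from a web proxy log: how many encrypted bytes crossed the proxy as opaque tunnels instead of being decrypted and scanned. It assumes Squid-style access.log lines in which an undecrypted HTTPS session is recorded as a `CONNECT host:port` entry with a `TCP_TUNNEL` result code and a decrypted one is logged with its full `https://` URL; the sample lines, hosts and addresses are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, laid out like Squid's native access.log (an assumption):
#   time elapsed client code/status bytes method URL user hierarchy/peer type
# Undecrypted HTTPS shows up as a CONNECT tunnel (host:port only); decrypted
# HTTPS shows up with its full https:// URL.
SAMPLE_LOG = """\
1636365601.101 420 10.0.0.21 TCP_MISS/200 18342 GET https://intranet.example/reports/q3 - HIER_DIRECT/192.0.2.10 text/html
1636365602.250 9120 10.0.0.21 TCP_TUNNEL/200 734003 CONNECT files.example.net:443 - HIER_DIRECT/198.51.100.7 -
1636365603.377 88 10.0.0.34 TCP_MISS/200 5120 GET http://updates.example.org/index.json - HIER_DIRECT/203.0.113.5 application/json
1636365604.012 15230 10.0.0.34 TCP_TUNNEL/200 2097152 CONNECT cdn.example.com:8443 - HIER_DIRECT/198.51.100.9 -
1636365605.640 310 10.0.0.55 TCP_MISS/200 40960 GET https://mail.example/inbox - HIER_DIRECT/192.0.2.20 text/html
1636365606.900 7000 10.0.0.55 TCP_TUNNEL/200 734003 CONNECT files.example.net:443 - HIER_DIRECT/198.51.100.7 -
"""


def parse_line(line):
    """Classify a line as 'tunnel', 'inspected' or 'plain'; None if unusable."""
    parts = line.split()
    if len(parts) < 7 or not parts[4].isdigit():
        return None
    code, size, method, url = parts[3], int(parts[4]), parts[5], parts[6]
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        # Only count tunnels the proxy actually relayed without decrypting.
        if not code.startswith("TCP_TUNNEL") or not sep or not port.isdigit():
            return None
        return {"kind": "tunnel", "host": host, "port": int(port), "bytes": size}
    target = urlsplit(url)
    if target.scheme not in ("http", "https") or not target.hostname:
        return None
    kind = "inspected" if target.scheme == "https" else "plain"
    return {"kind": kind, "host": target.hostname, "port": None, "bytes": size}


def coverage(log_text):
    """Summarise how much encrypted traffic crossed the proxy uninspected."""
    inspected = 0
    tunnels = Counter()   # bytes per tunnelled destination host
    odd_ports = set()     # tunnels to anything other than 443
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "plain":
            continue      # plain HTTP is not part of the encrypted total
        if rec["kind"] == "inspected":
            inspected += rec["bytes"]
        else:
            tunnels[rec["host"]] += rec["bytes"]
            if rec["port"] != 443:
                odd_ports.add((rec["host"], rec["port"]))
    uninspected = sum(tunnels.values())
    total = inspected + uninspected
    return {
        "encrypted_bytes": total,
        "uninspected_bytes": uninspected,
        "uninspected_share": uninspected / total if total else 0.0,
        "tunnels_by_host": tunnels.most_common(),  # largest blind spots first
        "odd_ports": sorted(odd_ports),
    }


if __name__ == "__main__":
    report = coverage(SAMPLE_LOG)
    print(f"{report['uninspected_share']:.0%} of encrypted bytes were not inspected")
    for host, size in report["tunnels_by_host"]:
        print(f"  {host}: {size} bytes tunnelled")
```

The hosts at the top of `tunnels_by_host` are where a decryption exemption hides the most traffic, which makes them the first candidates for review.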
What Does This Mean For Your Business?
Even though HTTPS has been designed to provide a valuable layer of encryption, it has also become relatively easy for cybercriminals to create websites with the HTTPS distinction. Also, cybercriminals have been helped by an assumption that HTTPS and a padlock must mean that everything is secure, and by web security tools which don’t fully inspect and check encrypted traffic, on and off-premises. Businesses should not assume that HTTPS is totally secure. One of the key ways that many businesses are now protecting themselves from a wide range of threats, including HTTPS-based attacks, is to adopt a Zero Trust approach to IT Security, where the approach is “never trust, always verify.”