Beware of .zip domains: The hidden risks of new top-level domains

Today, we’re diving into the curious world of top-level domains (TLDs).

You know, those web address suffixes that end in .zip, .google, or .literallyanythingyouwant?

While these new domains may seem like a breath of fresh air in the digital landscape, they also bring along a set of risks that organisations must be aware of.

So, grab a cup of coffee as we explain top-level domains, explore the potential dangers within these seemingly harmless domain extensions and share how you can protect yourself. Let’s get started.

What is a top-level domain?

Whilst the term ‘top-level domain’ (TLD) might seem alien, you can’t use the internet without them. In fact, we’d wager that you’ve seen them in use millions of times. So, what are they?

Quite simply, they’re the suffixes at the end of every URL, like ‘.co.uk’ and ‘.com’. Originally they indicated a website’s country of origin; today there are literally thousands of TLDs, ranging from .academy to .zone.

New TLDs are periodically introduced to open the web to more websites and more descriptive domains.

The latest round of TLDs is:

  • .foo
  • .zip
  • .mov
  • .nexus
  • .dad
  • .phd
  • .prof
  • .esq

How do TLDs open the gates to cyber criminals?

Confusion and mimicry

Picture this: You receive an email from a trusted-looking source, and the sender’s domain ends in .zip. It seems legitimate, right? Wrong!

The introduction of new TLDs has given cybercriminals an extra tool to deceive unsuspecting victims.

Scammers can now easily create domains that mimic popular brands or institutions, making it harder to distinguish the real deal from a malicious imposter. It’s like virtual camouflage!

The subtle art of phishing

We’ve all heard of phishing attacks, but the new domains have taken this age-old threat to a new level.

With TLDs like .google or .bank, scammers can easily craft deceptive URLs that appear trustworthy.

Imagine receiving an email from your bank, urging you to click on a link to resolve an urgent issue, only to find out later that it was an elaborate ploy to steal your sensitive information.

Sneaky, right?

Poor reputation management

Remember when we used to judge a website’s trustworthiness based on its domain?

Well, the rise of new TLDs has shaken that foundation.

Organisations now face a greater challenge in managing their online reputation.

A reputable company could own a .com domain, but someone with malicious intentions could also register the same name under a different TLD.

This can create confusion among customers and tarnish the organisation’s brand image. It’s a digital identity crisis!

Confused security systems

As new domains continue to evolve, security measures struggle to keep up.

Traditional security systems may not be equipped to handle the unique risks these unfamiliar TLDs pose.

The algorithms and filters that once reliably detected suspicious URLs now face an uphill battle against the ever-expanding domain landscape. It’s a constant game of cat and mouse between cyber defenders and attackers.
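A filter can at least surface the two problems described above (a name you own appearing under another TLD, and links on the newly introduced TLDs) for a human to double-check. The following is an added example, not code from the original post: it pulls linkable hostnames out of an email body, flags those on the new TLDs listed earlier, and flags any that reuse one of your own registered names under a different TLD. The organisation’s domain, the sample email and the treatment of the last label as the TLD are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# The new TLDs listed in the article; a real filter would load the current list.
NEW_TLDS = {"foo", "zip", "mov", "nexus", "dad", "phd", "prof", "esq"}

# Constructed assumption: the domains your organisation legitimately uses.
OWN_DOMAINS = {"examplebank.com"}

# Matches "host.tld" or "host.tld/path", with or without a scheme. Mail clients
# auto-link the same shapes, so a bare "invoice.zip" in body text becomes a link.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def extract_hosts(text):
    """Return the distinct hostnames a mail client would turn into links, in order."""
    hosts = []
    for match in URL_RE.finditer(text):
        candidate = match.group(0)
        if "://" not in candidate:
            candidate = "http://" + candidate  # let urlsplit parse a scheme-less URL
        host = urlsplit(candidate).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def classify_host(host):
    """Flag a host on a new TLD, or one reusing our registered name under another TLD.

    Simplification (assumption): the last label is treated as the TLD. Suffixes
    such as co.uk would need the Public Suffix List to split correctly.
    """
    labels = host.split(".")
    tld, name = labels[-1], labels[-2]
    findings = []
    if tld in NEW_TLDS:
        findings.append(f"new-tld:.{tld}")
    for own in sorted(OWN_DOMAINS):
        own_name, own_tld = own.rsplit(".", 1)
        if name == own_name and tld != own_tld:
            findings.append(f"lookalike-of:{own}")
    return findings


def scan_email(text):
    """Return (host, findings) for every linkable host that deserves a second look."""
    results = []
    for host in extract_hosts(text):
        findings = classify_host(host)
        if findings:
            results.append((host, findings))
    return results


# Constructed sample email body for the demonstration.
SAMPLE_EMAIL = (
    "Your May statement is ready at https://examplebank.zip/statement. "
    "Reply to support@examplebank.com with questions, or review notes.mov first."
)

if __name__ == "__main__":
    for host, findings in scan_email(SAMPLE_EMAIL):
        print(f"{host}: {', '.join(findings)}")
```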

What does this mean for your organisation?

In this brave new world of ever-expanding top-level domains, it is paramount for organisations to recognise the hidden risks that accompany such territory.

Cybercriminals are seizing the opportunity to deceive, phish, and impersonate using these new domains.

To protect against these malicious schemes, businesses must prioritise education and awareness among their employees and customers.

It is vital to inform them about the dangers lurking within unfamiliar TLDs and implement robust security measures.

The next time you receive an email from your favourite online store or trusted bank, exercise caution and double-check the domain before taking any action.

As technology continues to advance, so do the risks. However, we can navigate the digital realm safely and confidently, armed with knowledge and vigilance.

AI updates: May edition

Artificial Intelligence (AI) continues to evolve rapidly, offering exciting advancements and potential benefits across various industries.

However, as with any transformative technology, it is crucial to understand its risks and challenges.

In this blog, we will explore the latest updates in AI from the past month and shed light on the potential risks organisations need to be aware of.

Let’s dig in.

AI in the news

Addressing the risk of an AI arms race

The race for AI dominance has garnered attention globally. Now, the United States has announced measures to tackle the risk of a nation-based AI arms race, highlighting the need for international collaboration and regulation to ensure responsible and ethical AI development.

This initiative emphasises the importance of balancing innovation and safety in AI, keeping potential risks in check.

The UK government has also released a white paper outlining its pro-innovation approach to AI regulation.

The document recognises the transformative power of AI while emphasising the need for appropriate safeguards to protect individuals and society.

It’s a delicate dance between encouraging AI advancements and establishing regulatory frameworks that promote responsible development and deployment.

Apple joins Samsung in banning ChatGPT usage

Even AI models themselves face inherent challenges.

For instance, ChatGPT, a powerful language model, has encountered issues related to misinformation and biases, alongside safety issues with users sharing confidential company information with the chatbot. This month saw Apple ban both ChatGPT and Google Bard, for example.

They aren’t wrong to take a sceptical look at large language models right now, either. Take a look at our blog, which covers the risks your organisation needs to be aware of when using ChatGPT.

While AI systems like ChatGPT have enormous potential, these incidents underscore the need for ongoing research and development to address such limitations.

It reminds us that we must remain vigilant and continue refining AI models to ensure they align with human values and societal standards.

New NIST Framework launched for AI

The National Institute of Standards and Technology (NIST) has released a new framework to guide the management of AI and promote trustworthy and responsible use and development.

This framework emphasises transparency, accountability, and the establishment of risk management processes. Such guidelines can help organisations navigate the complex AI landscape and ensure responsible and reliable AI deployment.

New AI tool launches

TikTok’s AI chatbot “Tako”

TikTok’s AI Chatbot, “Tako”, aims to enhance user experiences on the platform by providing personalised recommendations and assistance through conversational interactions. This AI chatbot represents TikTok’s foray into leveraging AI to deliver tailored content suggestions and improve user engagement.

CommandBar’s AI-powered HelpHub

CommandBar recently released HelpHub, an AI-powered tool to streamline customer support processes. HelpHub leverages natural language processing and machine learning to provide automated responses to customer queries.

By harnessing the power of AI, organisations can enhance customer service efficiency, improve response times, and empower customers to find solutions more quickly.

Adobe Photoshop’s Generative Fill: AI image generator

Adobe Photoshop, a popular image editing software, has introduced Generative Fill, an AI-powered tool that simplifies image editing processes.

Using advanced algorithms, Generative Fill can automatically generate content to fill in selected areas of an image. From removing unwanted objects to seamlessly extending backgrounds, this AI tool saves time and enhances productivity for graphic designers and photographers.

What can organisations learn?

The field of AI continues to evolve and captivate the world with its transformative potential. However, as organisations embrace AI, it is vital to be cognisant of the risks involved.

International collaborations, regulatory frameworks, and responsible development practices are essential to harness AI’s benefits while mitigating potential pitfalls. By staying informed and adopting an ethical approach, organisations can unlock the true potential of AI while safeguarding their interests and those of society as a whole.

Remember, the AI journey is an ongoing adventure, and we must ensure that every step we take is well-informed.

ChatGPT and your organisation: what are the risks?

Welcome to the new age, where artificial intelligence (AI) has revolutionised communication and interaction.

One such innovation, ChatGPT, has gained rapid popularity for its ability to generate human-like text and engage in meaningful conversations.

ChatGPT is an AI Language Model, commonly known as a chatbot. To us, they seem a bit like a search engine, a text box where you put in a prompt or question. But what happens next is different.

Using the billions of pieces of information provided for the chatbot to learn from, it simply works out which words are most likely to follow from what it’s been asked. Unlike the autocomplete on your phone, however, chatbots can write poems, draw pictures, compose music and much more.

While ChatGPT offers tremendous potential for organisations, it’s essential to understand and mitigate the risks of its adoption.

In this blog, we’ll explore the potential pitfalls and provide valuable insights on leveraging ChatGPT safely and effectively within your organisation.

But first of all, what can ChatGPT help your organisation with?

ChatGPT can assist organisations in various ways, offering a range of benefits:

  • Enhance customer support by providing quick and accurate responses to inquiries, reducing response times, and improving overall customer satisfaction.
  • Automate routine tasks, freeing up employees’ time to focus on more complex and strategic activities. This increases operational efficiency and productivity within the organisation. Microsoft Copilot has recently launched with this functionality in place.
  • Serve as a knowledge repository, providing information and guidance to both employees and customers. It can offer personalised recommendations, suggest relevant resources, and facilitate self-service options, enhancing user experiences.
  • Support decision-making processes by analysing data, providing insights, and helping organisations make informed choices. For example, it can spot patterns in data like what times of the day particular products spike in popularity.
  • Act as a sounding board for ideas and validate decision-making processes.

What are the risks associated with ChatGPT to your organisation?

Bias amplification

One of the risks associated with ChatGPT is the potential amplification of biases.

AI models are trained on vast amounts of data, which may inadvertently include biased content. Without careful monitoring and curation of the training data, ChatGPT may unintentionally reinforce existing biases or generate new ones.

Organisations should regularly evaluate and update their training data to mitigate this risk to ensure fairness and avoid perpetuating discriminatory outcomes.

Copyright infringement

ChatGPT, like any large language model, isn’t truly creative in the sense that a human can be. In actuality, it’s a product of the data that it is trained on. As such, any output from it might constitute plagiarism and land you in deep water with regard to copyright.

It’s another reason why nothing that ChatGPT creates should be used wholesale.

Trustworthiness and liability

While ChatGPT can provide valuable assistance, it’s essential to acknowledge its limitations.

ChatGPT is an AI system that does not always provide accurate or reliable information. Indeed, the version available to the public at publication is trained on data that runs only to 2021, and due to the nature of language models, it values academic papers and fairytales equally.

Organisations must take precautions to prevent potential harm arising from incorrect or misleading responses generated by ChatGPT.

Clear disclaimers, user education, and implementing human oversight mechanisms can help manage these risks, ensuring users are aware of the limitations and not overly reliant on ChatGPT for critical decision-making.

Ethical considerations

Ethics are vital when integrating AI systems like ChatGPT into organisational workflows.

It’s essential to consider the ethical implications of automating specific tasks and ensure that human values and principles are upheld.

Organisations must establish clear guidelines on how ChatGPT should be used, defining boundaries and addressing potential issues such as manipulation, misinformation, or unethical content generation.

Regular ethical audits involving diverse perspectives help identify and rectify any ethical concerns. Indeed, AI companies are also working to self-regulate here – you can’t ask ChatGPT for the best way to harm somebody, for example.

Data breaches

For many use cases, implementing ChatGPT involves handling sensitive information, such as customer or proprietary business data.

If not properly secured, this data could be vulnerable to breaches, potentially resulting in unauthorised access, theft, or exposure of confidential information. Indeed, inputting client or employee data into a language model is a misuse of data and can make you liable for GDPR fines.

Tech giants like Samsung and Apple have already banned its use within their organisations because staff members share confidential business information with the platform.

Ensuring robust security measures, including encryption, access controls, and regular security audits, and giving cybersecurity awareness training to all staff can mitigate the risk of data breaches.

Phishing and Social Engineering

ChatGPT systems are a potential goldmine for phishers and social engineers. At present, large language models like ChatGPT are easily convinced to act in dubious ways.

A few smart prompts to the AI and it can generate realistic phishing email templates or share ideas on how to manipulate workers.

Organisations must educate users about the risks of interacting with ChatGPT, give appropriate phishing training, promote vigilance, and implement measures to verify user identities and prevent fraudulent activities.

In conclusion…

Incorporating ChatGPT into your organisation can bring significant benefits, but being aware of the associated risks is crucial.

By addressing potential pitfalls such as bias amplification, security and privacy concerns, trustworthiness, liability, and ethical considerations, organisations can harness the power of ChatGPT while safeguarding their interests and those of their users.

By maintaining a proactive and responsible approach, organisations can balance utilising cutting-edge AI technology and ensuring a safe and ethical environment for all.

Remember, understanding and managing the risks is the key to unlocking the true potential of ChatGPT within your organisation.

How Bob’s Business can help protect your organisation against the risks of ChatGPT

We’re Bob’s Business, the Most Trusted Cybersecurity Awareness Training Provider 2023.

We’re dedicated to assisting organisations like yours in tackling the ever-evolving landscape of cybersecurity and compliance issues.

How do we achieve this? By offering engaging and interactive training programs that cultivate a culture of cybersecurity awareness within your organisation.

Our training modules are carefully crafted to equip your employees with the knowledge of the latest cybersecurity threats and industry best practices, empowering them to protect themselves and your organisation.

Want to learn more? Take the next step and click here to explore our comprehensive range of products, designed to strengthen your organisation’s security posture and protect it from potential cyber threats.

What is multi-factor authentication (and why do you need it)?

Online security is more important than ever – we rely on the internet for everything from banking to socialising, and with so much of our personal information online, we must protect ourselves from cyber threats.

There are dozens of positive behaviours we can adopt to protect ourselves and our organisation. One powerful tool for improving online security is multi-factor authentication (MFA). In this blog post, we’ll explain MFA, why it’s essential, and how to use it. Let’s get started.

What is multi-factor authentication?

Put simply, multi-factor authentication verifies your identity when you log in to an account or service.

With MFA, rather than a single password, you need to provide one or more additional authentication factors to prove that you are who you say you are. There are three main types of authentication factors:

Something you know

This is typically a password or PIN. It’s something that only you should know. For example, your online banking password or your email account PIN.

Something you have

This is something physical, like a smart card or a mobile phone. It’s something that you physically possess. Many services employ MFA by having your phone receive a verification code to confirm that it’s you.

Something you are

This is a biometric factor, like a fingerprint or facial recognition. It’s something that is unique to you and cannot be duplicated. You might already be using biometric information to unlock your phone!

Why is multi-factor authentication important?

Single-factor authentication, such as a password, is vulnerable to hacking and cyber-attacks.

Hackers can use sophisticated (and unsophisticated!) tools and methods to uncover passwords or trick users into revealing their passwords through phishing attacks.

Once a hacker has your password, they can access your account and steal your personal information. Worse still, if you use the same passwords across multiple locations, a single breached password will give a criminal access to potentially dozens of accounts.

Multi-factor authentication adds an extra layer of security. Even if a hacker manages to steal your password, they won’t be able to access your account without the second factor of authentication.

That’s enough to stop a hacker in their tracks, and can protect you against unauthorised access and data breaches.

How to use multi-factor authentication

Many online services and accounts now offer multi-factor authentication as an option. To set up MFA, you typically need to go into your account settings and enable it.

Once it’s enabled, you’ll be asked to provide an additional authentication factor when you log in. Some popular MFA methods include:

  • SMS codes: When you log in, you’ll receive a text message with a code that you’ll need to enter to complete the login process.
  • Authenticator apps: You’ll install an app on your mobile phone that generates a code you must enter when you log in.
  • Smart cards: A physical card that you insert into a card reader or tap against a sensor to verify your identity.
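How the code from an authenticator app is produced and checked, as an added example that is not code from the original post: a minimal HOTP/TOTP implementation (RFC 4226 and RFC 6238) using only Python’s standard library, plus a server-side verifier that tolerates one step of clock drift and refuses to accept the same time step twice. The shared secret is the RFC test-vector value, assumed here purely for illustration.

```python
import hashlib
import hmac
import struct
import time

# Shared secret provisioned to the authenticator app at enrolment.
# This is the RFC 4226/6238 test-vector secret, used here for illustration only.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check for a submitted code.

    Accepts a code within +/- `window` steps to allow for clock drift between the
    phone and the server, and never accepts a time step that has already been
    used, so a code that was phished or shoulder-surfed cannot be replayed.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code, unix_time=None):
        now = int(time.time()) if unix_time is None else int(unix_time)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_accepted_step:
                continue  # replay protection: this step (or an older one) is spent
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)          # what the app on the phone would show
    verifier = TotpVerifier(DEMO_SECRET)
    print("code:", code, "accepted:", verifier.verify(code, now))
    print("same code again accepted:", verifier.verify(code, now))  # False
```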

Common misconceptions about multi-factor authentication

Despite the many benefits of multi-factor authentication, there are still some common misconceptions about it.

It’s too complicated or time-consuming to use

While it’s true that MFA adds an extra step to the login process, the added security is well worth it. In fact, many MFA methods are designed to be fast and easy to use.

It’s only necessary for high-security accounts like online banking

Any account that contains personal information, such as social media or email, can benefit from multi-factor authentication. It’s important to prioritise strong authentication methods for all of your accounts to protect yourself and your sensitive data.

MFA eliminates the need for strong passwords

MFA is an additional layer of protection, but it’s still important to use strong and unique passwords for each account. MFA and strong passwords work together to provide the best possible security.

In conclusion…

Multi-factor authentication is a powerful tool for improving online security. MFA adds an extra layer of protection against cyber threats by requiring two or more authentication factors to log in.

We recommend adding more than one form of authentication to your accounts, just in case you have a problem with your primary means of MFA. For example, if you use your phone to receive a code but then lose your phone, it will be handy to have a backup option.

While some people may be hesitant to use MFA due to misconceptions about its complexity, it’s important to prioritise strong authentication methods for all of your accounts.

By using MFA, you can significantly reduce your risk of data breaches and protect your personal information.

While MFA is a valuable tool, it’s not a bulletproof solution

In addition to protecting your accounts, using MFA can help protect your organisation from cyber threats.

However, it’s important to note that MFA is not a complete solution on its own. Training your employees to recognise and respond to cyber threats is just as crucial.

At Bob’s Business, we understand the importance of cybersecurity for all industries.

That’s why we offer unique and engaging online cybersecurity training designed to empower everyone in your team to identify and respond to cyber threats, protecting your business from the 90% of breaches that occur due to human error.

Take action now to protect your business and your customers from cyber threats. Click here to discover our range of cybersecurity awareness training products and start reducing your risk today.

Why every organisation needs a robust cybersecurity plan

It’s not exactly breaking news, but the year is 2023, and cyber-attacks remain a legitimate threat to organisations large and small, causing chaos and potentially resulting in substantial financial and reputational harm.

That’s why having a thorough cybersecurity plan is crucial to safeguarding your organisation and its customers’ data.

In this blog post, we’ll explore the significance of having a cybersecurity plan and how it can protect your organisation from cyber threats. Let’s begin!

What are the benefits of having a robust cybersecurity plan?

Having a cybersecurity plan in place can provide several benefits for your organisation:

Reducing the risk

A cybersecurity plan can help organisations reduce the risk of a cyber attack by identifying and mitigating potential vulnerabilities. This can help prevent financial losses and reputational damage.

Improving compliance

A comprehensive cybersecurity plan can also help organisations comply with data protection regulations, such as the General Data Protection Regulation (GDPR). This can help organisations avoid fines and other penalties for non-compliance.

Enhancing customer trust

Customers are increasingly concerned about data privacy and security. Organisations can enhance customer trust and loyalty by implementing a cybersecurity plan and communicating its effectiveness to customers.

The risks of cyber attacks for organisations

Cyber attacks can take many forms, including phishing scams, malware, and ransomware, which can result in the theft of sensitive data, such as financial information, customer records, and intellectual property.

This can cause significant financial losses for organisations and reputational damage if customers lose trust in the organisation’s ability to protect their data!

In addition to financial and reputational damage, organisations face legal liability for data breaches. In many countries, data protection laws require organisations to take appropriate measures to protect sensitive data and report any breaches.

Failure to comply with these regulations can result in fines and other penalties. So ensuring that your organisation has a solid strategy is critical.

How do I create a cybersecurity plan?

The four key elements of a cybersecurity plan

Risk Assessment

A risk assessment can help your organisation identify system and process vulnerabilities.

This involves identifying and classifying sensitive data, assessing potential threats, and evaluating current security measures.

It’s also important to consider the potential impact of a data breach on your operations and reputation.

Best practices for risk assessments include:

  • Identifying and classifying sensitive data, such as customer records or intellectual property
  • Assessing potential threats, such as phishing scams or malware attacks
  • Evaluating current security measures, such as firewalls and encryption
  • Conducting regular audits to identify new vulnerabilities

Incident Response Plan

An incident response plan outlines the steps to take during a cyber attack. This includes a clear chain of command, defined roles and responsibilities, and procedures for containing and mitigating the damage caused by an attack.

The plan should also include a communication strategy to inform customers and other stakeholders about the breach.

Best practices for an incident response plan include:

  • Establishing a clear chain of command and defined roles and responsibilities
  • Creating procedures for containing and mitigating the damage caused by an attack
  • Developing a communication strategy to inform customers and stakeholders about the breach
  • Conducting regular drills to test the effectiveness of the plan

Employee Training

Employee training is critical to any cybersecurity plan, as employees are the most commonly attacked part of your business. So, it is crucial to educate them about cybersecurity best practices.

This includes training on identifying phishing scams, creating strong passwords, and reporting suspicious activity.

Best practices for employee training include:

  • Providing regular training on identifying phishing scams and other social engineering tactics
  • Encouraging employees to create strong passwords and use multi-factor authentication
  • Establishing clear policies for reporting suspicious activity
  • Conducting regular phishing simulations to test employees’ awareness and the effectiveness of the training

How to overcome the challenges of implementing a cybersecurity plan

Implementing a cybersecurity plan can be daunting, especially for small and medium-sized enterprises (SMEs) that lack internal resources or expertise.

Additionally, employees may resist cybersecurity training or feel it is irrelevant to their job responsibilities.

To overcome these challenges, organisations should prioritise their cybersecurity needs based on their size, industry, and potential risks.

SMEs can also partner with cybersecurity firms to outsource their cybersecurity needs, such as risk assessments, vulnerability testing, and threat monitoring.

It is essential to ensure that employees are trained in cybersecurity best practices to reduce the risk of human error and data breaches.

Engaging your team in training that they enjoy can help them understand the importance of cybersecurity and make the training more relevant to their daily work responsibilities.

How can Bob’s Business help protect your organisation?

We’re Bob’s Business, a leading cybersecurity awareness training provider that helps organisations address increasingly complex cybersecurity and compliance challenges.

How? Through engaging and interactive training that focuses on building a cybersecurity-aware culture within an organisation.

Our training is designed to educate employees on the latest cybersecurity threats and best practices to help them protect themselves and the organisation. Worried that training isn’t for your company? We work with organisations of all sizes to deploy training that’s affordable and tailored to their requirements.

Ready to learn more? Click here to explore our range of products and how we can help protect your organisation.

The five cybersecurity tools every business should be using

We live in a data-driven world, and the amount of information available to us is constantly increasing. As a result, the need to protect this data is more pressing than ever.

This is where the wide world of cybersecurity tools comes into play.

These tools are specifically designed to protect businesses from malware and data breaches through various security measures.

From firewall protection to parental supervision on digital sites, spam filters and more, there are countless cybersecurity tools available to help us protect our organisations’ valuable data.

In this blog, we’ll be sharing the five cybersecurity tools that every business should use, so you can get back to what matters most – growing your company.

Let’s get started!

The five cybersecurity tools every business needs

Antivirus Software

Antivirus software is one of the most basic and essential tools for protecting against malware and other cyber threats.

Malware can come in many forms, including viruses, spyware, and ransomware. Antivirus software scans your computer or network for malicious code and quarantines or removes it.

It can also provide real-time protection to prevent new threats from infecting your system. Many antivirus software options exist, including Norton, McAfee, and Kaspersky.

However, it’s important to keep your antivirus software up to date and to use additional security measures alongside it for maximum protection.

Password Managers

One of the most significant security vulnerabilities for any business is weak passwords.

Many people reuse passwords across multiple accounts or choose easy-to-guess passwords. Password managers help users generate and store strong, unique passwords for all their accounts.

This reduces the risk of a hacker gaining access to sensitive information by guessing or cracking passwords.

Password managers can also automatically fill in login information for users, saving time and making it easier to use strong passwords.

Popular password managers include LastPass, Dashlane, and 1Password. Using a reputable password manager that uses strong encryption to protect your information is important.

Cybersecurity Awareness Training

While the previous tools focus on technological solutions, the fact remains that 90% of breaches occur as a result of human error. As such, training is essential for reducing the risk of cyber-attacks and data breaches.

Employees are the key to a company’s security, as they can inadvertently fall prey to phishing scams or other social engineering attacks.

As such, cybersecurity awareness training is an essential part of any company’s risk reduction strategy. Through effective training, your team becomes the strongest part of your defence.

Bob’s Compliance offers full access to the engaging and short-form training catalogue from Bob’s Business, to help educate employees on best practices for cybersecurity.

This includes topics like phishing, password security, and social engineering. With affordable pricing and month-to-month plans, Bob’s Compliance is an excellent option for businesses of all sizes.

By educating employees on how to stay safe online, companies can reduce the risk of cyber-attacks and protect their sensitive information.

VPNs

A virtual private network (VPN) encrypts traffic and provides a secure connection between a user’s device and the internet.

This protects against snooping on public Wi-Fi or other insecure networks. VPNs can also be used to bypass geo-restrictions and access content that is blocked in certain regions. VPNs create a secure tunnel between your device and a remote server, which encrypts all data that passes through it.

This ensures that even if someone intercepts your internet traffic, they won’t be able to read it. VPNs can also help protect against man-in-the-middle attacks, where an attacker intercepts communication between two parties and alters it. Popular VPN options include ExpressVPN, NordVPN, and CyberGhost.

However, it is essential to choose a VPN provider that has a good reputation and doesn’t log your activity.

Two-Factor Authentication

Two-factor authentication (2FA) adds an extra layer of security to online accounts by requiring users to provide a second form of identification besides their password.

This could be a code sent to their phone, a fingerprint scan, or a security key. By requiring a second factor, 2FA reduces the risk of an attacker gaining access to an account even if they have the correct password.

Many popular services, including Google, Facebook, and Apple, offer 2FA options. It’s important to enable 2FA on all accounts that offer it and to use a secure second factor, such as an authenticator app or a hardware key. Codes sent by SMS are better than nothing, but they can be intercepted through SIM-swap fraud or simply phished along with the password, whereas a hardware key bound to the genuine website cannot be tricked by a lookalike login page.
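How an authenticator app actually produces those six-digit codes is worth seeing, because it explains why a code expires and why a server can still be fooled if the code is phished in real time. The following is an added example written for this page in Go (not code from the original post or from any authenticator product). It implements the RFC 6238 time-based one-time password that apps such as Google Authenticator use, plus the server-side check that tolerates a little clock drift. The secret string is the RFC’s own published test key; the 30-second step and six digits are the usual defaults.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// decodeSecret turns the base32 string shown in the enrolment QR code
// (often printed as "JBSW Y3DP EHPK 3PXP") into raw key bytes.
func decodeSecret(secret string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(secret, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// totp computes the RFC 6238 code (HMAC-SHA1, as most authenticator apps use)
// for the given Unix time, time step in seconds and number of digits (6-8).
func totp(secret string, unixTime, step int64, digits int) (string, error) {
	key, err := decodeSecret(secret)
	if err != nil {
		return "", err
	}
	// The "moving factor" is simply how many steps have elapsed since the epoch.
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, key)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226): the low nibble of the last byte selects a
	// 4-byte window; the top bit is cleared and the result reduced to `digits`.
	offset := sum[len(sum)-1] & 0x0f
	value := uint64(binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff)
	mod := uint64(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, value%mod), nil
}

// verify is the server side: accept the code for the current 30-second step
// and `skew` steps either side (phones drift), comparing in constant time.
// A real server must also remember the last counter it accepted so the same
// code cannot be replayed within that window.
func verify(secret, candidate string, unixTime int64, skew int) bool {
	if len(candidate) < 6 || len(candidate) > 8 {
		return false
	}
	ok := false
	for d := -skew; d <= skew; d++ {
		code, err := totp(secret, unixTime+int64(d)*30, 30, len(candidate))
		if err != nil {
			return false
		}
		if subtle.ConstantTimeCompare([]byte(code), []byte(candidate)) == 1 {
			ok = true // keep looping so timing does not reveal which slot matched
		}
	}
	return ok
}

func main() {
	// RFC 6238 test key (ASCII "12345678901234567890" in base32); in practice
	// a fresh random secret is generated per user at enrolment.
	const secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	now := time.Now().Unix()
	code, _ := totp(secret, now, 30, 6)
	fmt.Printf("current code: %s  accepted by server: %v\n", code, verify(secret, code, now, 1))
}
```

Run it and the code matches what an authenticator app enrolled with the same secret would show at that moment. Notice that verify() also accepts the code for the previous and next step, which is why a code stolen by a real-time phishing page stays usable for up to a minute or so, and why the second factor only adds an expiry, not immunity from phishing.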

CEO Fraud: Everything you need to know

Don’t be fooled by the name: CEO fraud has nothing to do with your CEO trying to deceive anyone.

In actuality, it’s an increasingly common type of cyber attack where scammers impersonate CEOs, executives or high-level employees to trick others into sending money or sensitive information.

CEO fraud can cause severe financial and reputational damage to organisations of all sizes.

So, buckle up and let’s dive into what makes CEO fraud more complex than traditional phishing attacks, how to spot it, and how to avoid it. Let’s get started.

What is CEO fraud?

As mentioned in our introduction, CEO fraud is a form of phishing scam in which cybercriminals impersonate a high-level executive or company leader to trick employees, vendors, or customers into transferring money or sensitive information.

A form of business email compromise (BEC), these attacks can cause significant financial and reputational damage to organisations of all sizes.

What makes CEO fraud more complex than other types of phishing attacks?

Scammers cast a wide net in traditional phishing attempts, hoping to catch a few fish. They send out generic emails that look like they’re from reputable sources, such as banks or online retailers, and try to trick people into clicking on a link or opening an attachment.

In contrast, CEO fraud is a highly targeted attack, utilising powerful psychology.

Scammers research their victims, learn about their organisations, and craft convincing emails that appear to come from a trusted source within the company.

They might even register an email address that closely resembles the CEO’s, or spoof the real one so that it looks genuine. The goal is to make the recipient believe the request is urgent and legitimate and to act quickly without questioning it.

The stakes are high in CEO fraud because scammers are after big payouts.

They often request large wire transfers or access to sensitive company data. Because the emails appear to come from within the company, victims are more likely to comply without verifying the request.

This is what makes CEO fraud more complex than traditional phishing. It’s not just about fooling people into clicking on a link; it’s about gaining their trust and manipulating them into doing something that could have serious consequences.

So, how can you spot CEO fraud? There are a few red flags to look out for:

Urgency

Scammers will often create a sense of urgency to pressure their victim into acting quickly. They might say that the wire transfer needs to be completed immediately or that a time-sensitive issue needs to be addressed. Because you respect their authority, this can bypass your scepticism and make you act without due thought.

If you receive an email that demands immediate action without proper explanation, it could be a sign of CEO fraud.

Unusual requests

Scammers will ask for unusual or out-of-the-ordinary requests, such as a wire transfer to a foreign bank account or access to sensitive company information. If you receive a request that seems odd or doesn’t make sense, it’s important to double-check with the supposed sender before taking any action.

Spoofed email address

Scammers can spoof email addresses or register lookalike domains to make it look like the email is coming from a trusted source. Don’t rely on the display name: check the full sender address and any Reply-To address for a swapped character or an unfamiliar domain. If an email appears to be from your CEO but the address, tone or wording seems off, the email may be fake.

Unusual language

Scammers may use unusual or incorrect language, especially if English is not their first language, which could indicate that the email is not from a legitimate source. Take time to consider whether an email sounds like it has come from your boss before acting.

Changes in payment procedures

If you receive an email requesting a change in payment procedures or routing information, it could be a sign of CEO fraud. Scammers may try to divert funds to their own accounts by changing payment information.

Threats or intimidation

Scammers often use fear tactics to pressure their victims into taking action. For instance, they may threaten to terminate the victim’s job or initiate legal proceedings against them if they fail to comply with their demands. This kind of psychological manipulation is designed to make the victim feel vulnerable and powerless, forcing them to take actions they otherwise wouldn’t have.

Requests for secrecy

Scammers may also ask the victim to keep the request confidential, claiming the matter is sensitive. This tactic prevents the victim from verifying the request with others.
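Several of the red flags above can be checked mechanically before a person ever reads the message. The following is an added example written for this page in Go (not part of the original post or of any product it mentions). It parses a constructed sample email and applies those checks: a lookalike sender domain, an executive’s display name on an external address, a Reply-To that points somewhere else, and urgency, secrecy and payment language in the subject and body. The company domain example-corp.com, the executive name, the keyword lists and both sample messages are all made up for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Constructed samples for the example; neither is a real message.
const suspicious = `From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: <jane.doe.ceo@gmail.com>
To: <finance@example-corp.com>
Subject: Urgent wire transfer - confidential

Hi, I need a wire transfer sent today. Keep this confidential for now; the bank details follow shortly.
`

const routine = `From: "Jane Doe" <jane.doe@example-corp.com>
To: <finance@example-corp.com>
Subject: Q3 budget review

Hi, attached are my notes for Thursday's review.
`

var urgencyWords = []string{"urgent", "immediately", "right away", "asap", "today"}
var secrecyWords = []string{"confidential", "keep this between us", "do not discuss", "don't tell"}
var paymentWords = []string{"wire transfer", "bank details", "new account", "change of bank", "gift card", "invoice"}

func minInt(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein is the edit distance between two strings; a sender domain one
// or two edits away from your own ("examp1e-corp.com") is a classic lookalike.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

func containsAny(text string, words []string) []string {
	var hits []string
	for _, w := range words {
		if strings.Contains(text, w) {
			hits = append(hits, w)
		}
	}
	return hits
}

// analyse applies the red flags to one raw message and returns one
// human-readable flag per finding. companyDomain is your real domain;
// executives are the display names an attacker is likely to impersonate.
func analyse(raw, companyDomain string, executives []string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	var flags []string
	fromDomain := domainOf(from.Address)
	companyDomain = strings.ToLower(companyDomain)

	// Spoofed or lookalike sender: an external address, possibly one edit away
	// from the real domain, possibly wearing an executive's display name.
	if fromDomain != companyDomain {
		if d := levenshtein(fromDomain, companyDomain); d <= 2 {
			flags = append(flags, fmt.Sprintf("lookalike sender domain %q (%d edit(s) from %s)", fromDomain, d, companyDomain))
		}
		for _, exec := range executives {
			if strings.EqualFold(strings.TrimSpace(from.Name), exec) {
				flags = append(flags, fmt.Sprintf("display name %q matches an executive but address %s is external", from.Name, from.Address))
			}
		}
	}
	// Replies silently redirected to an account the attacker controls.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if replyTo, err := mail.ParseAddress(rt); err == nil && domainOf(replyTo.Address) != fromDomain {
			flags = append(flags, fmt.Sprintf("Reply-To domain %s differs from From domain %s", domainOf(replyTo.Address), fromDomain))
		}
	}
	// Pressure, secrecy and payment language in subject and body.
	text := strings.ToLower(msg.Header.Get("Subject") + "\n" + string(body))
	if hits := containsAny(text, urgencyWords); len(hits) > 0 {
		flags = append(flags, "urgency language: "+strings.Join(hits, ", "))
	}
	if hits := containsAny(text, secrecyWords); len(hits) > 0 {
		flags = append(flags, "secrecy language: "+strings.Join(hits, ", "))
	}
	if hits := containsAny(text, paymentWords); len(hits) > 0 {
		flags = append(flags, "payment language: "+strings.Join(hits, ", "))
	}
	return flags, nil
}

func main() {
	for name, raw := range map[string]string{"suspicious": suspicious, "routine": routine} {
		flags, err := analyse(raw, "example-corp.com", []string{"Jane Doe"})
		fmt.Printf("%s: %d flag(s) %v (err=%v)\n", name, len(flags), flags, err)
	}
}
```

Keyword matching is deliberately crude; what earns its keep in practice is the header logic, because a lookalike domain or a mismatched Reply-To is something a busy finance clerk will never notice but a mail filter can flag every time. None of this replaces the out-of-band phone call described below.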

How to avoid falling victim to CEO fraud

Verify requests

Always verify wire transfer requests or unusual requests with the supposed sender through a different channel from email. Pick up the phone and call the person who sent the email, using a number you already have on file rather than one given in the email itself, to confirm that the request is legitimate.

Use two-factor authentication

Use two-factor authentication for any systems or accounts that contain sensitive information or allow for wire transfers. This adds an extra layer of protection and makes it harder for scammers to access your accounts.

Limit public information

Limit the amount of public information available about your organisation and its employees. Scammers often research their victims before launching an attack, so the less information they can find, the harder it will be for them to craft convincing emails.

Educate employees

Educate your employees about CEO fraud and other types of cyber attacks. Teach them how to spot phishing emails and what to do if they receive a suspicious email. It only takes one employee to fall victim to CEO fraud to cause severe damage to your organisation.

How Bob’s Business can help prevent CEO fraud in your organisation

Phishing simulations are a powerful tool in the fight against cybercrime, specifically CEO fraud.

These simulations involve creating fake phishing emails that closely mimic the tactics used by scammers to trick employees into giving away sensitive information or making unauthorised payments.

These emails are then sent to employees within an organisation, and those that click are redirected to training, where they’re shown how they could have spotted this phishing attempt.

Bob’s Phishing from Bob’s Business is an award-winning phishing simulation service trusted by the likes of HM Government and tailored to your organisation’s specific needs.

Our simulations are designed to be non-punitive and to replicate the most sophisticated tactics used by scammers, making them a highly effective way to identify weaknesses in an organisation’s security infrastructure.

With the help of these simulations, your organisation can develop a comprehensive security awareness training program that educates employees on how to recognise and report suspicious emails.

Most common passwords of 2022: Is yours on the list?

Passwords, passwords, passwords. They’re the backbone of modern internet security, though you’d be hard-pressed to find anyone that actually enjoys using them.

Despite being an essential aspect of our information security, protecting our personal information from unauthorised access and keeping our digital assets safe, many of us seem unwilling to upgrade our passwords.

Think we’re being unfair? Join us as we explore what were the most common passwords of 2022, discuss the importance of creating strong passwords and share how to do it.

We’ll also discuss whether to use a password manager and why training your employees to create strong passwords is more effective than relying solely on a password manager.

Ready to get started? Let’s go.

What were the most common passwords of 2022?

The most common passwords of 2022 are, unfortunately, rather predictable.

According to new research from SplashData, the top three passwords are “123456,” “123456789,” and “qwerty.” Here are the top 10:

  • 123456
  • 123456789
  • qwerty
  • password
  • 1234567
  • 12345678
  • 12345
  • iloveyou
  • 111111
  • 123123

Comparing these passwords to what we wrote about last year, there’s a notable lack of progress with the security of these passwords. Indeed, these passwords are so weak that they can be easily guessed by hackers, putting your personal information and digital assets at risk.

Other commonly used passwords include “admin,” and “letmein.” These passwords are easy to remember but offer no protection against unauthorised access. But why do we make such insecure passwords?

What makes us use weak passwords?

There are three key factors that contribute to the weak password epidemic: lack of awareness, convenience and resistance to change.

Lack of awareness

A primary reason why people use weak passwords is simply a lack of awareness of the risks involved. Many people are not aware of the potential consequences of using weak passwords or believe that they are not at risk of being hacked. This misconception can be dangerous, as anyone can fall victim to cybercrime, and it only takes one breach to crack a company’s data wide open.

The convenience factor

One of the most common reasons why people choose weak passwords is convenience. It is easier to remember a simple password than a complex one, and people often use the same password for multiple accounts to avoid having to memorise different ones. This practice is dangerous because if a hacker obtains the password for one of your accounts, they can try it against every other account you hold, and these reused-credential attacks are largely automated.

Resistance to change

Many people are resistant to change, and this includes changing their passwords. People often become attached to their passwords and may feel that changing them is unnecessary or inconvenient. Additionally, some people may not know how to create a strong password, or how to change it.

How to create a strong password

Creating a strong password is relatively easy and is one of the most effective ways to protect your personal information and digital assets. Here are some tips for creating a strong password:

  • Length is key: The longer your password, the more difficult it is for hackers to guess. Aim for a password that’s at least 12 characters long.
  • Use a mix of characters: Use a combination of uppercase and lowercase letters, numbers, and symbols. This makes it harder for hackers to crack your password.
  • Avoid common words: Don’t use words that are easily guessed, such as “password” or “admin.” Instead, try using a random combination of letters, numbers, and symbols.
  • Don’t reuse passwords: Avoid using the same password for multiple accounts. If a hacker gains access to one account, they can use that password to access your other accounts.
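To see why the advice above matters, the following added example (Go, written for this page; not code from the original post) scores a password three ways: is it on the common list above, is it a trivial variant of one (trailing digits or symbols, leet-speak) of the kind cracking tools try automatically, and, failing both, how long a charset-based entropy estimate says it would take to guess at an assumed ten billion guesses per second. The guessing rate, the twelve-entry list, the substitution table and the sample passwords are all assumptions; a real check would use a breach corpus of many millions of entries.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// The ten most common passwords from the list above plus the two extras the
// post mentions. A real check would use a breach corpus, not a dozen entries.
var commonPasswords = []string{
	"123456", "123456789", "qwerty", "password", "1234567", "12345678",
	"12345", "iloveyou", "111111", "123123", "admin", "letmein",
}

// Substitutions that cracking tools apply automatically, so "P@ssw0rd"
// is not meaningfully stronger than "password".
var leet = map[rune]rune{'@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't'}

// baseWord strips the decorations people add to a weak password:
// case, trailing digits and symbols ("password123!"), and leet-speak.
func baseWord(pw string) string {
	s := strings.TrimRightFunc(strings.ToLower(pw), func(r rune) bool { return !unicode.IsLetter(r) })
	var b strings.Builder
	for _, r := range s {
		if sub, ok := leet[r]; ok {
			r = sub
		}
		b.WriteRune(r)
	}
	return b.String()
}

// commonMatch returns the list entry the password equals (variant=false) or
// is a trivial variant of (variant=true); "" if neither.
func commonMatch(pw string) (match string, variant bool) {
	lower := strings.ToLower(pw)
	for _, c := range commonPasswords {
		if lower == c {
			return c, false
		}
	}
	if base := baseWord(pw); base != "" {
		for _, c := range commonPasswords {
			if base == c {
				return c, true
			}
		}
	}
	return "", false
}

// entropyBits is the usual charset estimate: length * log2(alphabet size).
// It is an upper bound; it cannot tell that "correct horse battery staple"
// is four dictionary words rather than 28 random characters.
func entropyBits(pw string) float64 {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	alphabet := 0
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if other {
		alphabet += 33 // printable ASCII punctuation and space
	}
	if alphabet == 0 {
		return 0
	}
	return float64(len([]rune(pw))) * math.Log2(float64(alphabet))
}

// Assumed offline guessing rate against a fast hash on one GPU rig.
const guessesPerSecond = 1e10

// crackSeconds is the expected time to hit the password at half the keyspace.
func crackSeconds(bits float64) float64 { return math.Pow(2, bits-1) / guessesPerSecond }

func humanDuration(sec float64) string {
	switch {
	case sec < 1:
		return "instantly"
	case sec < 3600:
		return fmt.Sprintf("%.0f minutes", math.Max(1, sec/60))
	case sec < 86400:
		return fmt.Sprintf("%.0f hours", sec/3600)
	case sec < 86400*365:
		return fmt.Sprintf("%.0f days", sec/86400)
	}
	years := sec / (86400 * 365)
	if years < 1e6 {
		return fmt.Sprintf("%.0f years", years)
	}
	return fmt.Sprintf("%.1e years", years)
}

// assess returns a verdict a user can act on and the entropy estimate behind it.
func assess(pw string) (verdict string, bits float64) {
	if m, variant := commonMatch(pw); m != "" {
		if variant {
			return fmt.Sprintf("weak: variant of common password %q, guessed instantly", m), 0
		}
		return fmt.Sprintf("weak: common password %q, guessed instantly", m), 0
	}
	bits = entropyBits(pw)
	eta := humanDuration(crackSeconds(bits))
	if len([]rune(pw)) < 12 {
		return fmt.Sprintf("weak: under 12 characters, about %s to crack", eta), bits
	}
	return fmt.Sprintf("ok: about %s to crack", eta), bits
}

func main() {
	for _, pw := range []string{"123456", "P@ssw0rd123", "Tr0ub4dor&3", "correct horse battery staple"} {
		v, b := assess(pw)
		fmt.Printf("%-32q %6.1f bits  %s\n", pw, b, v)
	}
}
```

The contrast to notice is between "P@ssw0rd123", which looks complex but is caught as a variant of "password", and an eleven-character mixed password that is genuinely random yet still lands in the thousands-of-years range rather than the millions, which is why the length rule above comes first.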

Should you use a password manager?

Password managers are tools that store and encrypt your passwords, making it easier to use strong, unique passwords for each account.

Many password managers also generate random passwords for you, so you don’t have to come up with them yourself.

However, using a password manager doesn’t automatically mean all of your data is safe. If the password manager itself is compromised, every password in it is at risk, as the recent LastPass data breach showed. In that incident the stolen vaults were encrypted, so what stood between the attackers and each user’s passwords was the strength of that user’s master password.

That’s why the one password you do still have to keep in your own head, the master password for your manager, should be long, memorable and used nowhere else, and why the manager account itself should be protected with two-factor authentication.

Is employee password training useful?

While we’ve established that secure passwords are essential, the truth is that while virtually everyone agrees on that point, many fail to update their passwords.

For organisations, that poses a real issue. With a single breached password potentially giving a cybercriminal unfettered access to your data and systems, something has to be done.

Sharing this blog is a great start, but the real key is in consistent, regular training that reminds your team of the importance of strong passwords, the steps required to create strong passwords and how to follow good password practices.

This is especially important since human-error accounts for 90% of all breaches.

How Bob’s Business can help to protect your organisation

At Bob’s Business, we build cybersecurity awareness training that your teams actually want to take, designed from the ground up to protect your organisation.

That’s why we offer tailored and engaging online training courses that empower all team members to recognise and respond to cyber threats, ultimately reducing the risk of breaches caused by human error.

Our training is designed to be interactive, easily integrated into your busy schedule, and delivered in bite-sized modules to ensure your team stays motivated and focused throughout the training process.

Take action now and protect your organisation and customers from cyber threats by exploring our range of comprehensive cybersecurity awareness training products.

Ten cybersecurity myths that could leave you (and your organisation!) vulnerable

With technology advancing at breakneck speed, it’s no secret that cybersecurity is more important than ever. Unfortunately, cybercriminals aren’t standing still, either. Instead, they’re getting more innovative in exploiting vulnerabilities to gain access to sensitive information.

Although there is growing awareness of the need for cybersecurity in our everyday lives, many of us still cling to false beliefs that can leave us and our organisations vulnerable to cyber attacks.

In this blog post, we’ll tackle 10 common cybersecurity myths head-on, explaining why they’re untrue and why it’s crucial not to fall for them. So buckle up and get ready to separate fact from fiction in the world of cybersecurity!

Myth #1: “I have nothing worth stealing.”

Many people believe that they are not a target for cybercriminals because they don’t have the assets or finances to be worth the effort.

However, this is a dangerous myth.

Cybercriminals can use your personal information, such as your name and address, to create fake identities and commit fraud. They can also use your computer or device to launch attacks on other targets, which makes virtually anyone a handy target to acquire.

Everyone is a potential target for cybercriminals, regardless of how valuable they think their information is!

Myth #2: “I have antivirus software, so I’m protected.”

Antivirus software is certainly helpful to your cybersecurity, but more is needed.

Antivirus software mainly detects threats it already knows about, so it may not protect you from new or targeted attacks. Nor can it stop a person from typing their credentials into a convincing fake website.

It’s important to use other security measures, such as educating your employees to protect your organisation against cyber attacks.

Myth #3: “I only visit safe websites, so I can’t get infected.”

Even seemingly safe websites can be compromised by cybercriminals. They can inject malware into legitimate websites or create fake websites that look identical to real ones!

Users can unknowingly download malware by clicking on links or downloading attachments from these websites. It’s important to be cautious and always verify the authenticity of a website before entering any sensitive information.

Myth #4: “I use strong passwords, so I’m safe.”

Using strong passwords is an essential part of good cybersecurity hygiene. However, it’s not a cure-all when it comes to cybersecurity.

Cybercriminals can get into an account without ever cracking a strong password: a phishing page that captures it as you type, malware that logs your keystrokes, or a breach of the service itself that leaks it.

Multi-factor authentication, which requires a second factor such as a code sent to your phone, is a more effective way to protect your accounts, and should be deployed on every service that supports it.

Myth #5: “I can put off updating my software.”

We hate to be the bearer of bad news, but your outdated software opens you to vulnerabilities that cybercriminals can easily exploit. So it’s time to update your systems!

Keeping your software updated with the latest security patches and updates is essential. This includes your operating system, applications, and browser plugins.

Myth #6: “I can spot a phishing email.”

While some phishing emails beg to be ignored (“a wealthy relative recently passed away”, anyone?), many phishing emails can be very convincing and can trick even the most vigilant users. They often use social engineering techniques, such as creating a sense of urgency or posing as a legitimate organisation, to convince users to click on a malicious link or download an attachment.

It’s important to be cautious and always verify the authenticity of an email before clicking on any links or downloading any attachments.

Myth #7: “I don’t need to back up my data.”

Backing up your data is essential in case of a cyber attack or other disaster. It’s important to have multiple backups, both on-site and off-site, to ensure that your data can be recovered in the event of a data loss or ransomware attack.

One common mistake organisations often make is they store their backups in the same place as their original files. However, this means if you suffer from a cyber attack or other incident your backups will be just as vulnerable. Store your backups in different locations, even keeping copies of your most precious files offline altogether.

Myth #8: “I’m safe on public Wi-Fi if I just avoid sensitive activities.”

Public Wi-Fi is generally insecure: anyone on the same network can see which sites you connect to and read any connection that isn’t encrypted, and a rogue hotspot with a convincing name can sit in the middle of everything you do, even if you’re not doing anything you consider sensitive.

The best way to protect yourself is to use a reputable VPN service that encrypts your internet traffic by creating a secure tunnel between your device and the VPN server.

Don’t fall for this myth – invest in a quality VPN and stay safe on public Wi-Fi.

Myth #9: “I don’t need to worry about cyber attacks because I have a Mac.”

Macs have never been immune to cyber attacks, and cybercriminals are increasingly targeting Apple devices due to their growing popularity, their users’ false sense of security, and their integration into enterprise environments.

Mac users should use antivirus software to protect themselves, keep their software up-to-date, and be cautious when downloading from unknown sources.

Myth #10: “I’m not tech-savvy, so I can’t protect myself”

Everyone can take basic steps to protect themselves online, regardless of their technical knowledge. These steps include using strong passwords, enabling two-factor authentication, keeping software up to date, avoiding suspicious links and downloads, backing up data, and using a VPN on public Wi-Fi.

These simple steps can significantly reduce your risk of falling victim to a cyber attack.

How Bob’s Business can help protect your organisation

In today’s digital world, protecting ourselves against cyber attacks is crucial, and Bob’s Business is here to help.

We understand that cybersecurity can be daunting, so we provide distinctive and interactive online training to equip every team member with the ability to detect and respond to phishing attacks.

With a workforce that feels comfortable with cybersecurity and understands their role in protecting themselves and each other, you can protect your business from the 90% of breaches caused by human error.

To learn more about our product range and start lowering your risk today, click here.

The future of passwords

Passwords – we love to hate them.

Although they’re part and parcel of virtually every device and service we interact with, they’ve never evolved beyond their status as a nuisance.

The good news? The future of passwords is likely to be passwordless! Sounds like a dream come true, doesn’t it? It’s closer than you might think.

Needless to say, the passwordless future is not a new concept. Tech giants like Google and Microsoft have been working on password alternatives for years, and now the fruits of their labour are starting to be realised.

But what does a passwordless future actually look like? And how soon can we expect it to become a reality? In this blog, we’ll sketch out the passwordless future. But first, why are companies looking to kill the password?

Why are companies pushing to end the era of the password?

Passwords are something of a necessary evil: our accounts need to be secured in order to protect our data, but the process of creating secure passwords and then memorising them is frustrating, to say the least. Especially when the average person has 100 of them to remember!

The issues go further than the volume of passwords, however. The fact is most common passwords in use are shockingly simple, easy to guess and insecure. And, of course, once a password is acquired by a criminal through guesswork, phishing or otherwise, it can be freely shared.

In theory, by replacing passwords with alternative solutions, you can mitigate these problems, ensuring secure accounts for everyone and an end to the memory games we’re currently playing. So, what are some of these solutions? Let’s take a look.

Passwordless solutions

Biometric authentication

There’s a good chance you’re already familiar with biometric authentication. Biometrics use unique physical characteristics, such as fingerprints or facial recognition, to identify users.

This method is becoming increasingly common in smartphones and laptops, and it’s considered secure enough for online accounts and even bank transactions.

Biometric authentication is convenient and secure, as it is difficult (though not impossible) to replicate someone’s physical characteristics.

However, there are concerns about privacy and the storage of biometric data, and there are usability problems in poor conditions, for example when you are wearing gloves or covering your face.

Single sign-on

Single Sign-on (SSO) is a popular solution for managing passwords and authentication across multiple accounts. SSO allows users to log in once using one set of credentials and then access multiple accounts and applications without entering their login information again.

You’ve probably encountered Single Sign-on before, as it’s now a common option when logging in or signing up for new accounts and services. These will generally let you log in with your Google, Microsoft, Facebook or other major accounts.

This not only saves time and reduces the hassle of managing multiple passwords, but it can also improve security by reducing the risk of weak or easily guessable passwords. With SSO, you only need one secure and distinct password. That one account becomes the key to everything behind it, though, so it must be protected with a strong password and two-factor authentication.

Universal keys

Universal keys, better known as hardware security keys (and, in their newer software form, passkeys), are a less common, albeit promising, solution for managing authentication across multiple accounts. A universal key is a single device or piece of software that can be used to access multiple accounts and applications.

Similar to SSO, universal keys eliminate the need for multiple passwords, but they take it a step further by providing an additional layer of security. Universal keys use public-key cryptography: the key holds a private key that never leaves it, and each website stores only the matching public key. At login, the site sends a random challenge, the key signs it, and the site checks the signature against the public key it has on file.

This makes them highly secure and difficult to hack: there is no shared secret for a breached website to leak, and because the signature is tied to the website you are actually on, a lookalike phishing site can’t reuse it. However, if you lose or have your physical key stolen, you’re at risk of losing access to all of your accounts, so register a second key as a backup wherever you enrol the first.
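To make the challenge-signing and origin-binding concrete, here is an added example in Go (written for this page, not the code of any real key or of the original post). It plays both roles with an Ed25519 keypair: the authenticator signs the server’s random challenge together with the origin the browser is on, and the server accepts only a signature over its own origin and its currently outstanding challenge, which it then consumes so the same response can’t be replayed. The origins and the simplified JSON client data are assumptions; real WebAuthn adds more fields and also scopes each credential to a relying-party ID.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is what the browser asks the key to sign: the server's challenge
// plus the origin the browser is actually on. The user types nothing that
// could be phished, and the signature is worthless on any other origin.
type clientData struct {
	Challenge string `json:"challenge"` // base64url of the server's random nonce
	Origin    string `json:"origin"`
}

// Authenticator stands in for the hardware key: the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Assert signs the challenge for the origin supplied by the browser.
// (A real FIDO2 key also refuses to use a credential for another site's RP ID.)
func (a *Authenticator) Assert(origin string, challenge []byte) (data, sig []byte) {
	data, _ = json.Marshal(clientData{
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	return data, ed25519.Sign(a.priv, data)
}

// Server is the relying party: it stores the public key and one outstanding
// challenge per login attempt.
type Server struct {
	origin  string
	pub     ed25519.PublicKey
	pending []byte
}

func NewServer(origin string, pub ed25519.PublicKey) *Server {
	return &Server{origin: origin, pub: pub}
}

func (s *Server) NewChallenge() ([]byte, error) {
	s.pending = make([]byte, 32)
	_, err := rand.Read(s.pending)
	return s.pending, err
}

// Verify accepts the login only if the signature is valid under the enrolled
// key, the signed origin is this site, and the signed challenge is the one
// currently outstanding. The challenge is consumed on success.
func (s *Server) Verify(data, sig []byte) bool {
	if s.pending == nil || !ed25519.Verify(s.pub, data, sig) {
		return false
	}
	var cd clientData
	if err := json.Unmarshal(data, &cd); err != nil {
		return false
	}
	ch, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || cd.Origin != s.origin || !bytes.Equal(ch, s.pending) {
		return false
	}
	s.pending = nil
	return true
}

func main() {
	key, pub, _ := NewAuthenticator()
	srv := NewServer("https://example-corp.com", pub)

	// Genuine login: the browser is on the real site.
	ch, _ := srv.NewChallenge()
	data, sig := key.Assert("https://example-corp.com", ch)
	fmt.Println("genuine login accepted:", srv.Verify(data, sig))

	// Phishing: a page on a lookalike domain relays the real server's challenge,
	// but the browser signs it with the lookalike origin, so the relay fails.
	ch, _ = srv.NewChallenge()
	data, sig = key.Assert("https://examp1e-corp.com", ch)
	fmt.Println("relayed login accepted:", srv.Verify(data, sig))
}
```

The point of the second exchange is that the attacker holds a perfectly valid signature and still gets nowhere: the origin is inside the signed data, so it can’t be edited without breaking the signature, and it names the wrong site. That is the property a one-time code does not have.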

When will passwordless authentication become the norm?

The truth is that it’s already happening. Many companies are already using passwordless solutions, and it’s likely that more will follow suit in the coming years. Microsoft, for example, is aiming to make Windows passwordless by 2025, and Google has been pushing passwordless authentication through its Advanced Protection Program.

But despite these advances, passwords are still widely used and will be for the foreseeable future.

This is partly because not everyone has access to the latest technology, and partly because some people simply prefer the familiarity of passwords.

It’s also important to note that passwordless solutions are not foolproof and can still be vulnerable to certain types of attacks.

So, what can we do to improve password security in the meantime?

Here are a few tips:

  1. Use a unique password for each account: This reduces the risk of multiple accounts being compromised if one password is stolen.
  2. Use a password manager to generate and store strong passwords: This makes managing multiple passwords easier and ensures they are secure.
  3. Enable two-factor authentication wherever possible: This provides an extra layer of security and makes it more difficult for hackers to access your accounts.
  4. Beware of phishing attacks: Phishing scams are a common way for hackers to steal passwords. They involve sending emails or messages that appear to be from a legitimate source but are actually fake. These messages often ask for sensitive information, such as passwords or credit card numbers. Always be cautious when clicking on links or downloading attachments, and never give out personal information unless you are sure it is safe to do so.
  5. Keep your software up to date: This includes your operating system, web browser, and any apps or programs you use. Updates often include security patches that address vulnerabilities and help keep your devices and accounts secure.
  6. Consider using a virtual private network (VPN) when connecting to public Wi-Fi networks: This helps to protect your internet traffic from prying eyes and can prevent hackers from intercepting your passwords and other sensitive information.

The future of passwords is passwordless, but we’re not there yet. Biometric authentication, universal keys, and SSO are just a few of the solutions that are already available, but it will take time for these solutions to reach total adoption – and to surmount concerns around privacy and security.

In the meantime, it’s on each and every one of us to take steps to improve password security by using strong and unique passwords, enabling two-factor authentication, and being vigilant against phishing scams.

By doing so, we can help protect ourselves and our sensitive information in the digital age.

Ready to start training your team to protect your business against the threats of today and tomorrow? Discover cybersecurity awareness training that engages, entertains and informs your staff.