Insurance manager Naomi Di-Scala shares her advice on dealing with scam emails
In our personal lives, it is highly likely that we will all have received an email which is an attempted scam and, unfortunately, some of us may have fallen for it. The Guardian reported that in 2017, out of the 978 million global victims of cybercrime, 17 million of those were Britons who were targeted by phishing, ransomware, online fraud and hacking.1 Scam emails can take numerous forms and not only occur in our personal lives, but can take place in the workplace too. In this article, we will explore the most common emails that aesthetic practitioners may come up against and what to do if they receive one, or worse, fall for one.
According to Action Fraud, the national fraud and cybercrime reporting centre for the UK, phishing emails play on the word ‘fishing’ in that fraudsters ‘fish’ for potential victims by sending emails, social media messages, texts or phone calls with urgent requests to hand over personal details or money.2 These are often presented to look as if they have come from a website that you already use, such as PayPal for example, and will be sent to your inbox asking for you to check and update your security information with them. You will then be encouraged to click on a link that will appear to look as if it is going through to an authentic email address or website and ask you to complete your personal details and input your information. However, the link that you have clicked on will not be authentic and will go through to the scammer’s site, where they will record and take all your personal information, which can then be used for other fraudulent purposes such as online purchases.3,4
One of the most common forms of phishing scams is hackers impersonating your bank. You may receive an email from your alleged bank asking for your personal details to be confirmed. When setting up a new bank account most of us will be told that the bank will never send emails of this nature, so do not respond. It is extremely important to note that real banks will never email you for passwords or any other sensitive information.2,3 Yet, millions of people do respond and become victims of this fraudulent activity.1 Historically, these emails were quite poorly put together so they were easier to identify, but over time they have become more and more realistic as the technology has developed and hackers have honed their techniques.
These emails will contain either a programme or spy application that will monitor what you click on or the details you input into websites, such as bank websites, and then record this information. This is known as spyware and can be in the form of Internet URL trackers and screen recorders which track what websites are visited or take snapshots of your screen each time it changes.5 Other forms can be chat and email recorders that copy inbound and outbound emails or even password recorders that track typed passwords, for example for your online banking.
Spyware may be hidden within the attachment section of an email and may therefore not be that noticeable to most users.3,4,5 It could also be in the shape of an entertaining, funny picture or video that the initial receiver may forward onto many other people. These recipients then in turn forward it to all their friends or clients, and so on. This method can often be a very successful means of obtaining thousands of people’s personal information.3,4,5
In aesthetics, it is likely that you will come up against phishing scams or virus emails that have embedded links within them that, once clicked, may cause a virus to enter your computer system or network. This virus may then access all the personal information that you store and reuse it to commit fraud, or worse, the virus may shut down your system and demand a ransom to rectify the problem.3,4 Scammers may also obtain patient information from the clinic’s database and send a fake marketing email, asking for the patients to provide personal information, which then in turn gets sent back to the criminals, not the actual clinic. The criminals can then use this information to imitate patients and carry out transactions in their name. Although not all patients may complete this information or may ignore the email, if it is found that there has been a data breach, this could have financial implications if the clinic is fined and also have a negative impact on a clinic’s reputation.7
In October 2017, a well-known plastic surgery clinic in London had its system compromised and it was reported that hackers stole terabytes worth of names, medical files and photographs from the clinic’s database.6 In this scenario, you have a major breach of General Data Protection Regulation (GDPR) and will be liable for the associated penalty of up to 4% of your annual global turnover when it comes into force on May 25.7 It is important to ensure that you have security on your system that will protect you from an attack. If you are not sure what security you have or whether it is sufficient, then it would be advised to contact your IT or website developer who will be able to guide you. However, even with security in place, it is not always possible to stop the emails coming through to you or your staff. It is therefore vital that all staff are aware of everything you should look out for that could put you at risk of a breach or a hacking attempt.
If you are in any doubt about an email you have received, then firstly check the source address. You can usually tell whether the email has come from a random personal email address, such as Hotmail or Yahoo for example. As scammers become more sophisticated, they can tailor these email addresses more effectively to look authentic. However, there may still be some elements that do not look quite right, such as fonts or spacing. If you have any suspicions, then it is best to double check by calling the alleged original source before you open it. You should retrieve the original source’s contact details from their official website in a separate browser or by other communications, for example, letters that they have sent that you know are definitely from them.
If the greeting within the email is impersonal then it could be an indication that it is not from an authentic source. Scammers are getting better at this but some emails may just say ‘Hi’ or ‘Dear Valued Customer’, for example, and leave out the intended recipient’s name.1
Sometimes, contained within emails from companies there will be a link to ‘contact us’. On a scammer’s email this link may not actually work when you click on it. In addition, scammers may embed links to websites which are not authentic and therefore it would be advisable not to click on any links within an email unless you are absolutely sure it is from the real company.
Most emails from businesses should have a copyright date on them or, if you are able to click through to a website, it will be shown on there. A lot of scammers will forget to update these to the current year so this can be an indication that it has not come from a true source. You should always check the company’s official website first, before clicking on any links within an email.
A scammer is likely to be trying to impersonate a genuine company or brand and, as such, will try and brand their fake emails to reflect this. If you have any feeling that the branding does not look quite right, for example the graphic design or image quality is poor, or the font used isn’t the one you’re used to seeing, you can open a separate tab and search for the company’s website to compare the branding on both. If there are any inconsistencies, then it is likely that the email you have received is fake.
A lot of fake emails will contain poor spelling or grammar and this can be an indication that the email may not be authentic. Businesses and brands will go through numerous compliance checks before sending out emails to their database, and spelling and grammar will always be checked to ensure that it is correct. Hackers do not necessarily go through this process so can be inconsistent with spelling, grammar, the format of the email and presentation in terms of fonts, styles and sizes used.
If a scammer is trying to convince you that their email is genuine, they sometimes use the word ‘official’, ‘urgent’ or ‘act now’ to try and persuade you to respond quickly. An email from a true source would not need to adopt this tactic. In addition, scammers may use account numbers or ID numbers to try and sway you, which a bank, for example, would never do. If your genuine customer or account number appears within an email, then it would be advisable to not take any action with the email but contact the company that it has allegedly come from to check whether or not it is something they have sent out. There may also be time-sensitive offers within a scammer’s email, which are designed to try and put pressure on you to sign up and click on the link embedded within the body of the email. You should always take your time and double check by logging into your account via another tab on your web browser to see if the time-limited offer is real.
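Several of the checks described above can be applied automatically to a saved message before anyone opens it. The following is an added example, not part of the original article: the function and variable names are assumptions chosen for illustration, and the sample message and its domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FREEMAIL = {"hotmail.com", "yahoo.com"}  # webmail providers named in the article
GREETING = re.compile(r"^\s*(hi|dear valued customer)\s*[,!]?\s*$", re.I | re.M)
PRESSURE = re.compile(r"\b(official|urgent|act now)\b", re.I)
# Constructed sample message; every name and domain in it is made up.
SAMPLE = """From: Example Bank <examplebank.security@hotmail.com>
Content-Type: text/html

<p>Dear Valued Customer,</p><p>This is an official notice. Act now.</p>
<p><a href="http://login.bank-example.invalid/update">www.bank.example</a></p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False  # links holds [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.open = True
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data.strip()
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def host(value):  # hostname of a URL or bare domain, lower-cased
    return (urlparse(value if "//" in value else "//" + value).hostname or "").lower()

def review_email(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", "\n", body)  # crude tag strip for the text checks
    findings = []
    if parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() in FREEMAIL:
        findings.append("sender uses a personal webmail address")
    for label, rx in (("impersonal greeting", GREETING), ("pressure wording", PRESSURE)):
        if rx.search(text):
            findings.append(label)
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        if "." in shown and " " not in shown and host(shown) != host(href):
            findings.append(f"link shows {host(shown)} but goes to {host(href)}")
    return findings
```

An empty result only means none of these signs were found; it does not show that an email is genuine, so the manual checks described here still apply.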
If you receive a scam email, Action Fraud advises that you should not click on any of the links within it, not reply to the email and never contact the senders in any way. Instead, report this to Action Fraud directly via their website and attach a copy of the email to this.2 Action Fraud will not respond to you, but they will investigate the email. Once reported, you should delete the scam email and if you have the facility to block the email address via your system (there is no set way as all systems are different) then it would be advisable to do so. You should not click on any of the links within the email, which includes the unsubscribe link. Instead you should report it and delete immediately.6 If you have staff within your business, you should also make them aware of all this information so that they do not click on an email by accident. If they are unsure, then they should always check with you or another owner/manager to determine if an email is fraudulent or not.
Unfortunately, despite all of the awareness and media regarding hacking and online/email scams, people still click on links that they should ignore and end up compromising their systems and, potentially, the personal data held on these systems. In the event of a hacking attempt that bars you from accessing your system, you should contact your IT or systems service provider, who will be able to assist you with rectifying the situation and getting your system up and running again. There may be charges to do this, but if you have a cyber liability policy in place this would assist with any associated costs. If there are breaches to your patients’ personal data, you have a duty to notify the Information Commissioner’s Office and the patients themselves within 72 hours of becoming aware of the breach.7
Cyber and data liability policies are a common and in-demand form of insurance and can be found within all types of insurance policies, including your own home insurance. In the event that you were to experience a breach, either via email or another means, then a cyber and data liability policy would assist you in getting back up and running as soon as possible. They would do this by investigating where the breach came from in the first instance and would deal with the fallout from your patients.8
Scam emails are a common occurrence in today’s digital savvy society, so ensuring you know how to identify them, how to protect your online data and what action to take in response to a scam is an essential factor in running a safe business. It is vital for all aesthetic clinic staff to have the confidentiality of their patients at the forefront of their mind when using emails and digital systems.
1. The Guardian, Cybercrime: £130bn stolen from consumers in 2017, report says. <https://www.theguardian.com/technology/2018/jan/23/cybercrime-130bn-stolen-consumers-2017-report-victims-phishing-ransomware-online-hacking>
2. Scam Emails, Action Fraud 2018, <https://www.actionfraud.police.uk/scam-emails>
3. Phishing, vishing and smishing, Action Fraud, 2018, <https://actionfraud.police.uk/fraud-az-vishing>
4. National Cyber Security Centre. Threat intelligence case studies: cyber attack types. 2016. <http://tinyurl.com/ya9nyhjx>
5. Brian VanNess and Joanne C. Weaver, What Types of Spyware are Out There? <http://www.toptenreviews.com/software/articles/types-of-spyware/>
6. BBC News, Hackers Breach Top Plastic Surgery Clinic, 2017, <http://www.bbc.co.uk/news/technology-41735104>
7. GDPR FAQs EU GDPR, 2018, <https://www.eugdpr.org/gdpr-faqs.html>
8. Hiscox, Cyber and Data Risks Insurance, 2018. <https://www.hiscox.co.uk/business-insurance/cyber-and-data-insurance>
9. Hamilton Fraser, Cyber Essentials, 2018. <https://hamiltonfraser.co.uk/about-us/hamilton-fraser/cyber_essentials/>