[CyberSecurity Blog Series] Create strong password – DOs and DON’Ts

[CyberSecurity Blog Series] Create strong password – DOs and DON’Ts

A strong password is your first defence against hackers and cyber criminals. This month is Cyber Security Awareness Month, we will share simple tips on how to create secure password to protect yourself online.




Create unique passwords that use a combination of words, numbers, symbols, and both upper and lower case letters.


Avoid using the same password for multiple accounts; one hack exposes many accounts.


Passwords need to be changed on a regular basis: every 60 days is OK, but every 30 is better.


Include your personal information (name, birthday) or username in your password


Password complexity is good, but the length is key. Increasing password length to 12 characters can increase password security significantly. Tips: turn a sentence into a password, also called a ‘pass phrase’. For example the sentence ‘This is my password & it’s for my eyes only!’ is easier to remember than ‘Syz8#K3!’ and far more secure.


Use easily guessed passwords ie. ‘password’, keyboard patterns such as ‘123456’, ‘qwerty’ or words in the dictionary.

Using stronger passwords won’t keep you secure from all the threats out there, but it’s a good first step. Be safe, not sorry and enjoy all the great technology out there with awareness.

password strength demo

[CyberSecurity Blog Series] How to spot fake email

[CyberSecurity Blog Series] How to spot fake email

There are numerous ways to spot a fake email. The list below is not exhaustive but covers most common types of phishing attempts.

The message contains poor spelling and grammar

Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality, among other things. So if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a major corporation’s legal department.

You didn’t initiate the action

If you received an email message informing that you have won a contest you did not enter or won the lottery but you never bought a lottery ticket, you can bet that the message is a scam.

The message asks for personal information

No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank doesn’t need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

The message contains a mismatched URL

Check the integrity of any embedded URLs. Often the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.

Paypal Phish Email Example Spot a fake email

The offer seems too good to be true

There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.


The message appears to be from a government agency

Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes they’ll send messages claiming to have come from a law enforcement agency, HMRC or just about any other entity that might scare the average law-abiding citizen.

You’re asked to send money to cover expenses

One telltale sign of a phishing email is that you will eventually be asked for money. You might not get asked for cash in the initial message. But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

URLs contain a misleading domain name

People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name info.urbannetwork.co.uk would be a child domain of urbannetwork.co.uk because urbannetwork.co.uk appears at the end of the full domain name (on the right-hand side). Conversely, urbannetwork.co.uk.maliciousdomain.com would clearly not have originated from urbannetwork.co.uk because the reference to urbannetwork.co.uk is on the left side of the domain name.

We have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

Alternatively, the scam email may also use a domain name that is very similar to the authentic domain name such as “urbannetwork.co”

The message makes unrealistic threats

Although most of the phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam.

[CyberSecurity Blog Series] What is Malvertising? Know the security tips

[CyberSecurity Blog Series] What is Malvertising? Know the security tips

What is Malvertising?

Malvertising, short for malicious online advertising, is a combination that describes the cybercrime of using advertising on websites to proliferate malware. This is now one of the most successful ways that cybercriminals have of spreading bad code, or malware and infecting machines.

How it works?

Malvertising is when a cybercrime ring using legitimate sites, use the adverts that automatically populate when you visit a page. A user could be simply checking the news on a well-known, and reputable site and when you ‘land’ the page automatically begins to load a myriad of additional pages in the form of adverts in thumbnails. These are provided by ad networks, and the legitimate owners are not aware of the locations they go to, as they are not hosted by the owners. Instead, the pages are hosted by the networks and are quickly swapped out with new ads all the time. As this is the case, cybercriminals are purchasing ad space, usually anonymously by using stealth methods to hide their identity, and get their malware appearing all over the web.

This is particularly aided by adding intelligence from the ad networks, and allowing targeted attack profiling by examining the search criteria of the searching party from their browsers. For example, if a criminal was targeting a shopper who was using an old browser, they may look for searches with ‘shopping’ ‘buying’ etc. and then throw up a bad site if the browser is an old revision with known exploits

Earlier this year, a number of major news websites including the New York Times, BBC, AOL, MSN and Forbes have been targeted by a malicious campaign that attempts to spread malvertising and install ransomware on users computers.

As this method actually costs the attackers time and money, it is safe to assume that it is very lucrative for the cybercriminals. After all, they are efficient and productive, so this technique must be rewarding for them. Finding the criminals after the fact is difficult due to the nature of the ad networks dealing with so many adverts, and the relative ease of obscuring identity on the web.

Security tips

  • Make sure your browsers, plug-ins, and operating systems are kept up-to-date. Malvertising is simply a vehicle for finding security flaws hiding elsewhere in your system. The simplest way to minimise these problems is to tighten up vulnerabilities on your computer.

  • Uninstall browser plug-ins you don’t use and set the rest to click-to-play. Click-to-play plug-ins keep Flash or Java from running unless you specifically tell them to (by clicking on the ad). A good bulk of malvertising relies on exploiting these plug-ins, so enabling this feature in your browser settings will offer excellent protection.


[CyberSecurity Blog Series] Email from your friend can be a phishing scam

[CyberSecurity Blog Series] Email from your friend can be a phishing scam

In some cases, cybercriminals may have managed to gain access to systems belonging to somebody that you know and trust or potentially they have spoofed their address (sending with the correct email address, but not actually gaining control of the person’s accounts).

This could be email, but just as likely it could be their social media accounts or any online system really. Using genuine accounts, the cybercriminal masquerading as your ‘friend’ may send you a link, or attachment extolling that you ‘must see this amazing…’ or some other hook.

These attempts are very hard to spot, and it would be really difficult to tell on the face of it whether the contact is genuine

Security tips

  • Where you receive an email that appears to be from someone you know, consider if the communication sounds right. E.g. Does your brother usually send you dramatic emails or cat videos? If not it’s unlikely he just started so ask him or just delete it, it can always be resent.

  • Hover your mouse over a sender’s name in the ‘from’ field or touch it on a tablet, it will come up with the full reply address which should be correct. If it isn’t it is likely a spoofed email. Delete it

  • Does the general body of the message feel right, if anything doesn’t read OK to you, pick up the phone and ask the sender (as you know them in this case) if it’s genuine. Checking is safer than being caught out.


[CyberSecurity Blog Series] Protect yourself against Vishing scam

[CyberSecurity Blog Series] Protect yourself against Vishing scam

What is Phone Phishing, Voice Phising or Vishing?

Phone Phishing or Vishing (short for Voice Phishing) is a rising type of Social Engineering fraud. It is becoming popular as it adds a level of human manipulation into the attack.

The scam artist will initiate a call to randomly pre-selected numbers and then proceed to try to gain information or access to machines. Sometimes also known as pretexting, the scammer uses techniques to convince the called party that they are a genuine caller requiring some information or access to assist with an action. The caller will establish a rapport, and using known large organisations for cover (think Microsoft, Apple or BT) and with a little probing will trick called parties into confirming or correcting information over the phone.

In some recent cases presented to Urban Network, we have heard of callers requesting that members of the public divulge personal information to callers as part of a greater scam. In other cases, the caller suggests that they are working for a reputable software vendor like Microsoft and need assistance gaining access to the user’s PC to ‘verify a known threat’. Of course, no genuine caller would ask for personal information, or to get access to a machine that was not instigated in the first instance by the called party.

Phone Phishing Vishing examples

Security tips

If you receive a call asking you to give information or access, it is almost certainly a social engineering attempt to trick you. Hang up, if you feel the need call the organisation yourself using a known genuine number (e.g. a bank number on the back of your card) and ask if you have been contacted.

Be wary of any inbound call where the caller is asking for your personal information, this is simply not how it works, and even if on the rare off-chance it is, then calling them back is perfectly acceptable.