Mike Wills 18 May 2022

Hoax calls: How local authorities can protect themselves

Hoax calls: How local authorities can protect themselves image

Recently, video clips have been released of calls with senior cabinet ministers and an imposter posing as Ukrainian Prime Minister Denys Shmyhal. The British government has blamed the Kremlin for the stunts, stating they were part of a Russian disinformation campaign.

These are classic information operations tactics, which are as old as time. In these cases, they have sought to undermine and embarrass the British government, while distracting from the major issues of the day and diverting attention away from what’s happening in Ukraine.

It’s important to remember that the fraudsters who carried out these pranks are well-resourced. They’re the Hollywood blockbuster actor-standard of scammers and a lot of time and effort will have been put into preparing for and conducting these attacks. They’ll have done their background research, knowing they have a single chance to be utterly convincing from the first point of contact.

War isn’t just about bombs and bullets – it’s about every facet of human endeavour. It includes the physical combat sphere and the ethereal information sphere. The Russians are past masters at this; within their state apparatus, they’ll have infantry fighters, combat fighter pilots and tank gunners, as well as the best in terms of intelligence and influence operations.

While this time, the fraudsters have been cunning and managed to get into the top level of government, this can – and does – happen to any local authority at any time.

Councils should always make themselves as hard to hack as possible, but more so than ever given that Russia will be seeking to create instability within western countries – which is easier to achieve virtually. The international Five Eyes community has also issued warnings of further cyber and misinformation attacks in response to the heavy sanctions placed on Russia.

So, how has this been allowed to happen? In theory, the government will have verified the other participants in the meeting were who they said they were. This isn’t always easy, but there are simple tactics you can use to identify potential fraudsters.

If conducted by means of a phone call, you’d want to take control of that call so you know who you are dialling. This can be done by asking the caller for their full name and the organisation they’re working for. Then, tell them you’re going to call them back via the front desk phone number of the organisation – which you can get from a credible source online – and ask to be put through to them internally. Here, you’re taking control of the situation by going to a known phone number.

However, in these cases, communication appears to have taken place via an online virtual meeting, which means it’d probably been set-up by an email from a credible source – suggesting the email address has either been intercepted or cloned.

With this in mind, local authorities should consider resetting passwords in case they’ve been breached and are enabling access to web portals and email accounts, as well as remind employees to think twice before opening or clicking links on any suspicious emails.

Multi-factor authentication – which requires users to provide two or more verification factors to gain access to a resource – should be implemented wherever possible, and software upgrades and patches should be up to date.

Once you’re on the call – whether voice or video – people should confirm who is on the other end of the line before revealing information. If taking place over the phone, try and work out if you recognise their voice. This is difficult, but there may be someone within the department who has regular communication with the caller. If so, bring them into the room and ask if they can confidently verify their identity. This can be done by a brief discussion based on previous conversations and historic pleasantries.

For video calls, insist the other party turns on their camera and Google their name to see if you can identify them. With cyber and misinformation attacks being so common and pervasive, it’s important people develop the confidence and feel comfortable in verifying someone’s identity for their own protection and resilience.

Local authorities should also dust off, review and rehearse incident response plans so they know how to react swiftly to any incident and are able to minimise its potential scope, scale and associated impact.

Finally, it’s vital to ensure employees understand the importance and necessity of information security, which can be carried out through data and cyber security awareness training. This will help to ensure confident, compliant and resilient staff, which, in turn, creates a well-protected council.

Mike Wills is director of strategy and policy at cyber and data security firm CSS Assure

SIGN UP
For your free daily news bulletin
Highways jobs

Blue Badge Officer

Essex County Council
Up to £23344.0000 per annum
Blue Badge OfficerFixed Term, Full Time£23,344 per annumLocation
Recuriter: Essex County Council

Senior Traffic Engineer

Brighton & Hove City Council
Salary
Brighton & Hove City Council
Recuriter: Brighton & Hove City Council

Building Control Team Manager

London Borough of Richmond upon Thames and London Borough of Wandsworth
Up to £68,241 plus 20% market supplement
Building Control Team Manager<... Twickenham, Middlesex
Recuriter: London Borough of Richmond upon Thames and London Borough of Wandsworth

SEND Engagement Facilitator

Essex County Council
£24970.0000 - £29377.0000 per annum
SEND Engagement FacilitatorPermanent, Part Time£24,970 to £29,377 per annumLocation
Recuriter: Essex County Council

School Crossing Patrol Officer - Ingrave Primary School

Essex County Council
Up to £23344.0000 per hour
School Crossing Patrol Officer - Ingrave Johnstone CE Primary SchoolPermanent, Part Time£12.10 per hourLocation
Recuriter: Essex County Council
Linkedin Banner

Partner Content

Circular highways is a necessity not an aspiration – and it’s within our grasp

Shell is helping power the journey towards a circular paving industry with Shell Bitumen LT R, a new product for roads that uses plastics destined for landfill as part of the additives to make the bitumen.

Support from Effective Energy Group for Local Authorities to Deliver £430m Sustainable Warmth Funded Energy Efficiency Projects

Effective Energy Group is now offering its support to the 40 Local Authorities who have received a share of the £430m to deliver their projects on the ground by surveying properties and installing measures.

Pay.UK – the next step in Bacs’ evolution

Dougie Belmore explains how one of the main interfaces between you and Bacs is about to change.