Mike Wills 18 May 2022

Hoax calls: How local authorities can protect themselves

Hoax calls: How local authorities can protect themselves image

Recently, video clips have been released of calls with senior cabinet ministers and an imposter posing as Ukrainian Prime Minister Denys Shmyhal. The British government has blamed the Kremlin for the stunts, stating they were part of a Russian disinformation campaign.

These are classic information operations tactics, which are as old as time. In these cases, they have sought to undermine and embarrass the British government, while distracting from the major issues of the day and diverting attention away from what’s happening in Ukraine.

It’s important to remember that the fraudsters who carried out these pranks are well-resourced. They’re the Hollywood blockbuster actor-standard of scammers and a lot of time and effort will have been put into preparing for and conducting these attacks. They’ll have done their background research, knowing they have a single chance to be utterly convincing from the first point of contact.

War isn’t just about bombs and bullets – it’s about every facet of human endeavour. It includes the physical combat sphere and the ethereal information sphere. The Russians are past masters at this; within their state apparatus, they’ll have infantry fighters, combat fighter pilots and tank gunners, as well as the best in terms of intelligence and influence operations.

While this time, the fraudsters have been cunning and managed to get into the top level of government, this can – and does – happen to any local authority at any time.

Councils should always make themselves as hard to hack as possible, but more so than ever given that Russia will be seeking to create instability within western countries – which is easier to achieve virtually. The international Five Eyes community has also issued warnings of further cyber and misinformation attacks in response to the heavy sanctions placed on Russia.

So, how has this been allowed to happen? In theory, the government will have verified the other participants in the meeting were who they said they were. This isn’t always easy, but there are simple tactics you can use to identify potential fraudsters.

If conducted by means of a phone call, you’d want to take control of that call so you know who you are dialling. This can be done by asking the caller for their full name and the organisation they’re working for. Then, tell them you’re going to call them back via the front desk phone number of the organisation – which you can get from a credible source online – and ask to be put through to them internally. Here, you’re taking control of the situation by going to a known phone number.

However, in these cases, communication appears to have taken place via an online virtual meeting, which means it’d probably been set-up by an email from a credible source – suggesting the email address has either been intercepted or cloned.

With this in mind, local authorities should consider resetting passwords in case they’ve been breached and are enabling access to web portals and email accounts, as well as remind employees to think twice before opening or clicking links on any suspicious emails.

Multi-factor authentication – which requires users to provide two or more verification factors to gain access to a resource – should be implemented wherever possible, and software upgrades and patches should be up to date.

Once you’re on the call – whether voice or video – people should confirm who is on the other end of the line before revealing information. If taking place over the phone, try and work out if you recognise their voice. This is difficult, but there may be someone within the department who has regular communication with the caller. If so, bring them into the room and ask if they can confidently verify their identity. This can be done by a brief discussion based on previous conversations and historic pleasantries.

For video calls, insist the other party turns on their camera and Google their name to see if you can identify them. With cyber and misinformation attacks being so common and pervasive, it’s important people develop the confidence and feel comfortable in verifying someone’s identity for their own protection and resilience.

Local authorities should also dust off, review and rehearse incident response plans so they know how to react swiftly to any incident and are able to minimise its potential scope, scale and associated impact.

Finally, it’s vital to ensure employees understand the importance and necessity of information security, which can be carried out through data and cyber security awareness training. This will help to ensure confident, compliant and resilient staff, which, in turn, creates a well-protected council.

Mike Wills is director of strategy and policy at cyber and data security firm CSS Assure

SIGN UP
For your free daily news bulletin
Highways jobs

Solicitor/ Barrister / Chartered Legal Executive Commercial & Contracts (x2)

Warwickshire County Council
£50,856 to £57,083 per annum
Warwickshire Legal Services (WLS) are looking for two qualified lawyers to join their award-winning, motivated, and nationally recognised legal team. Warwick
Recuriter: Warwickshire County Council

Head of Finance and Deputy s151 Officer

Conwy County Borough Council
£77,153 - £88,545
We are looking for an experienced and strategic financial leader who can operate confidently in a complex, political and fast-changing environment. Colwyn Bay, Conwy
Recuriter: Conwy County Borough Council

ICT Engineer Digital Squad

Durham County Council
£35,412 to £39,152 p.a. (Pay Award Pending)
An exciting opportunity has arisen within the Microsoft 365 Team for an ICT Engineer (Microsoft 365). This role will support Durham County Council's B Durham
Recuriter: Durham County Council

Storekeeper Driver

Durham County Council
£26,403 - £28,598
An opportunity has come up in Highways Services for a Storekeeper/Driver.  They will assist the Stores Supervisor in delivering a customer focussed St Durham
Recuriter: Durham County Council

Care Support

Durham County Council
Grade 4 £25,583 - £26,824 (pay award pending)
We're recruiting to a permanent role within our Pathways Service, which delivers day services to adults with complex needs, Monday to Friday. There i Durham
Recuriter: Durham County Council
Linkedin Banner