NCSC have published new advice for businesses on creating trustworthy customer messages following a rise in text and call-based scams such as those involving fake parcel deliveries.
The guidance published today by the National Cyber Security Centre (NCSC), a part of GCHQ, sets out how businesses can contact customers via telephone and SMS in a way that is more secure and distinguishable from increasingly convincing scams. It includes nine tips for organisations to follow to create messages their customers can trust.
Fraudsters commonly impersonate well-known and trusted brands to trick people with scams that capitalise on current trends.
The NCSC is now urging businesses to do their bit in the fight against scammers by issuing communications that are more easily distinguishable to the public from scams.
The guidance, to be published at 0001, urges organisations to make nine critical considerations when communicating with customers:
- Keep messages simple and consistent
- Use minimal phone numbers, SenderIDs and email addresses
- Publicise your contact details – the numbers and email addresses, websites and SenderIDs you use
- Do not ask for personal details
- Use links sparingly and make them human readable
- Apply this guidance to your supply chain due-diligence
- Provide a way for your customers to independently check your communications
- Provide a means for your customers to contact you independently
- Provide guidance on how customers can report scams
“Most of us will have received a suspected dodgy text or call during the pandemic and we know these scams are getting more convincing,” said NCSC Technical Director Dr Ian Levy. “To counter this, we need legitimate customer text and telephone messages to be secure with clear signposts of authenticity that give confidence to customers.
“I’d urge any organisations that contact their customers via SMS or telephone to consult our new guidance and ensure they’re doing all they can to protect their customers from cyber crime and fraud.”
“Scammers are getting creative: copying messages and calls from major companies, faking parcel delivery texts or pretending to be our bank,” said the Chancellor of the Duchy of Lancaster, Steve Barclay. “It’s very easy to fall prey to these criminals. The Government is determined to make the UK the safest place to live and work online and, through our National Cyber Strategy, are strengthening laws and working across society to fight malicious online activity.
“But businesses must also play their part to stop these criminals from destroying their reputations and stealing customers’ money. I urge them to work with the National Cyber Security Centre to ensure the public can trust when they are being contacted.”
The new NCSC guidance covers various aspects of secure customer communications including issuing consistent and trustworthy SMS and telephone messages, measures to make it harder for criminals to exploit telecoms channels, providing a route for customers to independently verify communications and more.
Opportunistic scammers have tried to entice people over the past year by spoofing popular brands intrinsically linked to the pandemic, from Amazon to Netflix to the NHS. The boom in online shopping has resulted in many scammers impersonating legitimate texts from delivery companies to entice the public while illegally abusing established brands. People who receive what they suspect is a scam text should forward it to 7726.
UK Finance has published data showing that delivery scams are the most prevalent type of ‘smishing’ text messages in 2021, and the NCSC has published guidance on avoiding scams sent via ‘missed parcel’ texts. The NCSC is supportive of businesses’ own efforts to prevent their brand being abused by scammers and the measures telecoms operators take to reduce the amount of smishing on their networks.
“Royal Mail is committed to preventing and detecting fraud and we welcome this new guidance from the NCSC,” added Jenny Hall, Director of Corporate Affairs at Royal Mail. “We work with UK law enforcement agencies, Trading Standards and other organisations to share information and support robust proactive action against scams to protect our customers.
“We have strengthened our ability to detect, monitor and take down any malicious sites that claim to be from Royal Mail and report any offending sites and suspicious numbers to the appropriate authorities as soon as we are made aware of them. If customers are concerned about a message they’ve received from us and want to make sure it’s genuine, they can check for status updates on their item by using the Royal Mail app or visiting royalmail.com.”
“We’ve seen a massive increase in scam activity as cyber criminals looked to exploit people’s needs and anxieties over the last couple of years,” said BT Security Managing Director, Kevin Brown. “These scams continue to have a huge impact on individuals and businesses, and organisations across the telecoms and security industries are constantly working to make it more difficult for them to happen.
“However, one of the most simple and effective steps all businesses can take to tackle scams is to ensure that we follow these best practices, so that our customers can more easily identify and verify genuine communications.”
The NCSC is taking unprecedented action to remove malicious scams from the internet as part of its Active Cyber Defence programme. 700,595 phishing campaigns were taken down in 2020: a fifteen-fold year-on-year increase.