At last – a use for all those phishing emails you’ve been getting!

Hats off to the UK’s National Cyber Security Centre, or NCSC for short.

They’ve just announced a simple-to-follow set of instructions on what you can do with the apparently ever-growing number of scammy, spammy and phishy emails that coronavirus stay-home rules seem to have unleashed on us.

With an admirably broad vision, the NCSC is pitching its new campaign in two complementary articles, headlined:

We approve.

Because the last thing we want to see is that we all end up so focused on coronavirus-themed scams that we inadvertently create a loophole for those crooks who are carefully sending non-coronavirus scams in the hope of attracting less scrutiny – hiding in plain sight, as it were.

We’ve seen this problem before in the history of cybersecurity.

An early example is what many people used to call “Nigerian scams”, which was always a divisive and dangerous term to use.

Firstly, we know many Nigerians who aren’t scammers and at least some non-Nigerians who are, so it’s misleading and xenophobic to apply a criminal epithet to an entire country. (Especially a country as populous as Nigeria and with such a large diaspora.)

Secondly, and ironically, the phrase “Nigerian scammers” ended up playing into the hands of actual Nigerian scammers, who found that by openly claiming to come from one of several other countries in West Africa, they automatically became more believable, without needing to change their scams in any significant way.

In other words, the adjective “Nigerian”, when associated with the sender or the content of an email, became a proxy for “scam”, and therefore by a specious and invalid leap of logic, “non-Nigerian” came to be a proxy for “non-scam”.

A more recent example is the issue of ransomware, which tends to dominate any modern discussion of malware, to the point that some people think it’s enough to protect specifically against ransomware and to worry much less, or even hardly at all, about all the other malware threats out there.

The problem with that approach is that many, perhaps even most, ransomware attacks actually start with an infection by some other sort of malware such as a keylogger or data-stealing Trojan…

…and in many of those cases, the keylogger or data-stealer originally rode in on the back of a malware infection that arrived before that, for example malware such as the remote-control bot known as Emotet.

In other words, if you focus too narrowly on ransomware alone, then even if you block all the ransomware attacks that come your way, you may end up in very serious trouble from multiple malware infections that preceded them.

Think big!

Cybersecurity responses don’t need to be quite this targeted – because the extra cost of protecting against malware in general is negligible compared to the cost of protecting effectively against ransomware in particular.

Similarly, if you simply redefine “Nigerian scams” as “Advance fee fraud scams” – in other words, you focus on how they work instead of who may or may not be perpetrating them – you learn how to recognise fraudulent money-up-front schemes in general and protect yourself much better.

So we’re happy that the NCSC has identified that their new Suspicious Email Reporting Service (SERS) helps you deal specifically with coronavirus-themed scams.

It’s right to recognise that coronavirus scams have an importance all of their own, and to acknowledge the understandably huge community disgust they attract.

To paraphrase George Orwell, all scams are equal, but some scams are more equal than others.

But it’s also vital to remind people that phishing of all sorts is still a clear and present danger with a very broad reach, and the NCSC has done just that, too.

As the NCSC says:

Cybercriminals love phishing. Unfortunately, this is not a harmless riverbank pursuit. When criminals go phishing, you are the fish and the bait is usually contained in a scam email or text message.

The criminal’s goal is to convince you to click on the links within their scam email or text message, or to give away sensitive information (such as bank details).

So if you see something bogus and want to report it to someone, whether it’s the latest sextortion porn scam, a bogus home delivery or counterfeit face masks for sale…

…you can submit it to the easily remembered email address:

As the NCSC points out, it won’t reply to your submission – but every sample helps, because the long arm of the law says that it’s ready to act on our behalf:

If we discover activity that we believe is malicious, we may:

  • seek to block the address the email came from, so it can no longer send emails
  • work with hosting companies to remove links to malicious websites
  • raise awareness of commonly reported suspicious emails and methods used (via partners)

Whilst the NCSC is unable to inform you of the outcome of its review, we can confirm that we do act upon every message received.

Remember that if ever a bunch of phishing scammers get their day in court, submissions of actual scam emails from real recipients around the world are powerful evidence of the global impact of their crimes.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.