“SMiShing” – Mobile Phone Scams supported by EE?

SMiShing (SMS phishing) is phishing carried out by text message: mobile phone users receive an SMS containing a web link which, if followed, leads to a page that harvests credentials or payment details, or installs malware on the handset.



I have been receiving regular text messages for some time now, saying “You subscribed to Clicnscore for £4.50 per week from ClicNScores until you text STOP” – bad English I know. I had another message from “Loaded Mobi”- “You can access the games portal here” followed by a link.

Thinking both were merely “SMiShing”, I clicked on neither STOP nor the link. Unfortunately our phone bills go straight to our Accountant, but I had cause lately to query a bill I thought was high. It turns out both of these companies have been regularly paid through my EE account.

EE informed me it was not their responsibility & gave me text links to cancel subscriptions & phone numbers to complain & ask for a refund. Both numbers are automated, ClicnScore gives you a message “there are no charges to your phone” – then cuts you off, Loaded Mobi puts you in a call queue then cuts you off.

I have since searched these 2 companies on the internet, they have been investigated on Watchdog, reported on BBC, The Express & Mail Newspapers. The Sun Newspaper first reported this back on 19 May 2016.

EE say while they are aware, had so many complaints & have investigated, they still have no responsibility as you have the option to block all payments from your account. Shouldn’t EE be at least protecting our accounts against such well publicised Common Scams? It would be so simple for EE to set up authentication, so why not take responsibility for Customer Data & Accounts – have they a vested interest?

Perhaps merits an ICO investigation? I’ll certainly report!

“SEXTORTION” – I Have Been Hacked!

Imagine my surprise when I received an email in my Inbox containing my password in the Subject line – “ Your Password is xxxxxxxxx”!

The email goes on to say that you have been watching Porn, they have filmed you, have all your contacts & will distribute if you don’t pay a Bitcoin Ransom. Luckily I don’t have a penchant for pornography & never visit dodgy sites on any of my devices, so immediately recognised the Scam & reported to Action Fraud.



I was still left with a sick feeling in my stomach at the intrusion, the nature of the email & more importantly that somebody had stolen one of my passwords. On consideration the email & password combination had only existed on a Google Account that I had since changed many times.

A few weeks ago I made a LinkedIn Post on the importance of password selection – number & type of characters etc. This however has led me to focus on something that was lacking from that post – the number of your Passwords, their variance & the frequency with which you change them. My password was stolen some time ago but has only just been used, so you may have to assume that all of your passwords have been stolen unless you really know otherwise. To mitigate this I would suggest –

• Have multiple but varying Passwords

• Change your Passwords frequently

• Use 2 Step or Multi-Factor Authentication

Remember if you only have a one-password-fits-all policy – they will steal from the weakest account & use it to access all of your accounts!
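The writer’s point that a password stolen long ago may only be used much later is why it is worth checking whether a password already appears in a known breach corpus. The Python below is an added example, not code from the original post. It demonstrates the k-anonymity range scheme used by public breached-password lookup services: only the first five hex characters of the password’s SHA-1 hash leave the machine, the service returns every hash suffix in that range with a count, and the match is made locally, so the password itself is never sent. The range data here is constructed sample data embedded so the example runs offline; the function names and the counts are assumptions for illustration.

```python
"""Check a password against a breach corpus without revealing the password.

Added example (not from the original post). Mirrors the k-anonymity range
lookup used by public breached-password services: send SHA-1 prefix only,
receive all suffixes in that range with counts, match locally.
"""
import hashlib
from collections.abc import Callable

PREFIX_LEN = 5  # hex characters of the hash sent to the service


def range_query_parts(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the prefix is ever transmitted; the suffix stays on this machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Blank or malformed lines are skipped rather than raising, so a truncated
    or corrupted response degrades to 'not found' instead of crashing.
    """
    matches: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if count.isdigit():
            matches[suffix.upper()] = int(count)
    return matches


# Constructed sample data: what a range lookup for prefix 5BAA6 might return.
# The first suffix is the genuine SHA-1 tail of the string "password"; the
# other two suffixes and all three counts are made up for the example.
SAMPLE_RANGES: dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F3C4A7E2D9B0C1F8E7D6C5B4A39281706F:2\n"
        "2A9D0E1F3B5C7D9E1F2A3B4C5D6E7F80912:17\n"
    ),
}


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS call to the lookup service (assumed interface).

    Returns the constructed sample body for a known prefix, or an empty body,
    which models 'no suffixes recorded in this range'.
    """
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str,
                 lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not seen).

    `lookup` is pluggable so the same logic can be pointed at a real range
    endpoint; the password and its full hash never pass through it.
    """
    prefix, suffix = range_query_parts(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = range_query_parts(candidate)
        print(f"{candidate!r}: sent prefix {prefix}, "
              f"seen {breach_count(candidate)} times")
```

Swapping `offline_range_lookup` for a function that fetches the range for the returned prefix over HTTPS gives a working check; any non-zero count means the password is already in attackers’ hands and should be retired on every account where it was reused.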

Controversial but……If you have so many complex passwords & feel you have to write them on a piece of paper & store safely, what is the chance someone will break into your house or office looking for Passwords, or steal your purse/wallet in order to obtain passwords rather than Cash or Credit Cards – just don’t keep the 2 together? Besides Passwords can be changed quicker than you can cancel Credit Cards & we wouldn’t be without them. I am a systems rather than an IT Tech person, so seek out good advice….

Stay Safe People

Full Article on This Scam

QM.UK Delivering ISO Standards Since 2001

QMUK 17yrs Today – Growing Business by Growing Businesses! & thanks to all the businesses we have worked & grown with over the last 17 years –

Orion (Computer Consumables Distributor) who we guided through ISO 9001 & 14001 in 2004, bought in 2005 by Westcoast

Wstore (IT Reseller) who we guided through ISO 9001 & 14001 in 2009 – bought by Misco/Symantex in 2009 who we also helped through ISO 14001 in the same year

Optevia (Microsoft Cloud based CRM Systems) who we guided through ISO 9001 & 27001 in 2014 – bought by IBM Global Business Services Division 2016

Blue Chip (Managed IT Services & Cloud Hosting) who we guided through ISO 9001 & 27001 in 2014 – bought out by GCI in 2017 who we also helped through ISO 9001, 27001 & 14001 in 2013

EPS Research (Clinical Data Analysis) who we guided through ISO 9001 & 27001 in 2014 also – bought out by IQVIA in 2017

Current Clients: MLL Telecom Grown from 55 to 130 staff in just over 2 years, CTS (Combined Tech Serv) Grown 30% in 2 years, Wilkinson Eyre Grown 50%, secured Battersea Power Station Project and with the challenges of GDPR The Telecom Marketing Company continue to grow & prosper….

Find out how we can work with you & help YOUR business Grow

Don’t Pay The Cost of Data Loss….

Key to Carphone Warehouse being fined £400,000 for placing customer and employee data at risk was the inability to demonstrate Due Diligence –

“The law says it is the company’s responsibility to protect customer and employee personal information. “There will always be attempts to breach organization’s systems and cyber-attacks are becoming more frequent as adversaries become more determined. “But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.” – Information Commissioner’s Office

Use the guidance of ISO 27001 to appraise your company & use subsequent Certification to demonstrate your Due Diligence

The European Union’s General Data Protection Regulation (GDPR) is a new law which will apply in the UK from 25 May 2018 & outlines further responsibilities & liabilities for handling information.

Don’t leave yourself vulnerable – HELP & GUIDANCE

Charities, Data Breaches, Financial Losses & ISO 27001

Many organisations miss the major advantage of being certified to a standard & are unaware how it can prevent financial loss:

BBC Report –

Two charities have been fined over data protection breaches after secretly screening donors so they could be targeted for more money. The Information Commissioner imposed penalties of £25,000 on the RSPCA and £18,000 on the British Heart Foundation over the so-called “wealth screening”. The charities also traded personal details with other charities, the commissioner’s office found. The RSPCA questioned the ICO findings while the BHF said it might appeal. As well as “wealth screening”, the charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources, and traded personal details with other charities “creating a massive pool of donor data for sale”, the ICO said. Information Commissioner Elizabeth Denham said donors had not been informed of the charity’s practices, and were therefore unable to consent or object to them. She also suggested other charities could also be engaged in similar activities. “The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough,” Ms Denham added.

The above could have been prevented if the organisations were ISO 27001 registered. Organisations registered to the standard are re-audited at least annually – if your Certification Body discovers a breach of security or legislation they will raise a Non Conformance against you. This is merely a piece of paper you will have to address within a given timescale to maintain your Certification – there is no financial impact.

If the ICO discover a breach of security or legislation the tale is different. While the above fines don’t appear excessive, the financial impact of this publicity could be enormous & far reaching.

Similarly a breach in your ISO 14001 Environmental Certification leads to a piece of paper that guides you back to compliance & possibly avoids an environmental incident. A run-in with the Environment Agency could cost you tens of thousands.

A breach in your OHSAS 18001 Health & Safety Certification leads to a similar piece of paper that guides you back to compliance & possibly avoids an accident or damage to Human Health. A run-in with the Health & Safety Executive could land you in prison.

We do not like to sell standards into businesses based on a fear factor, but apart from improving your organization & giving access to new work, you should also consider the assurance factor that Certification can deliver.

grant@qmuk.co.uk

“I know a company who has ISO 9001, and they are totally useless”

So just how much of a Benchmark is it – How Credible is ISO Certification?

ISO 9001

ISO 9001 is the Quality Standard but as such the most open to controversy. This is because there is often confusion as to what “Quality” actually is. If one company produced a Ford Focus & another a Ferrari, most would regard the latter as having produced the higher Quality Product. However “Quality” is defined as the ability to deliver to pre-defined requirements. Therefore if the requirements were a roomy car that did 40 mpg & could be retailed at less than £20k, the production of a Ferrari would be a very poor Quality Output.

It should also be noted that ISO 9001 is certification of your Management System, not your product or service. Certification to the standard confirms your Management System has achieved a standard that can ensure consistency of product or service. What level a company sets itself to deliver is up to them and in fact Ford and Ferrari could operate to the very same Quality Management System – they just produce to different specifications. So before you write off an ISO 9001 company you have to ask, are they consistently delivering to their (or your) specification – not everybody can afford a Ferrari.

ISO 27001

The Information Security Standard. This is the most current & in demand as Cyber Attacks become more frequent & companies become more aware of their vulnerabilities and the need to secure services from companies that can safeguard their information. This standard is the most reliable measure of a company’s credentials, as Information Security is more measurable and less subjective than Quality.

There are 2 main parts to ISO 27001. First, a company has to identify all of its Information Assets, then risk-assess & control them. The other main part of ISO 27001 is a detailed list of “Control Objectives” (requirements) for which, if applicable, you must put a control in place, and for which you must document why any you exclude do not apply. This makes 27001 the most measurable & auditable of the standards, so Certification does ensure a high level of Information Security.

ISO 14001

The Environmental Standard. This is a reliable measure that a company has systematic control over any possible environmental impact and has plans in place for continual improvement. A large part of this is similar to 27001 in that a company has to identify all of its Environmental Aspects rather than Information Assets, but still Risk Assesses & Controls. Environmental Objectives must also be established to where possible, continually improve environmental performance.

If you feel a company claiming to hold one of these standards is poorly performing, don’t take the claim at face value. Check it is a credible Certification, or that it is a certification at all. If it is from a UKAS Accredited Certification Body, ask for their name or take it off a displayed logo and contact them asking if the company is actually ISO Registered with them. If it is in the UK and not a UKAS Accredited Certification, it’s best not taking it as verification of anything……

grant@qmuk.co.uk

So What Is ISO 9001, ISO 27001, 14001 etc?

The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations.

Founded on 23 February 1947, the organization promotes worldwide proprietary, industrial and commercial standards. It is headquartered in Geneva, Switzerland and as of 2013 worked in 164 countries.

There is only one National Standards Body recognised by ISO from each country, and it in turn must be recognised by its Government. In the UK that member body is BSI. UKAS is a different thing: it is the UK’s national accreditation body, which accredits the Certification Bodies that audit companies against ISO standards.

The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the United Kingdom, appointed by government, to assess organizations that provide certification, testing, inspection and calibration services. There are many UKAS Accredited ISO Certification Bodies, the most commonly recognized being BSI & Lloyd’s Register, but there is a full list on the UKAS website.

Gaining UKAS Accredited Certification to an ISO Standard demonstrates a company or organization has achieved and operates to a certain standard, verified by an independent & recognized body. Ongoing audits by the Certification Body evidence that they consistently meet these standards.

ISO 9001 is the internationally recognized Quality Standard. It defines the elements of organization required by a company to systematically deliver quality products, services or advice.

ISO 9001 Certification is verification that you systematically deliver quality services or products. It is a benchmark for potential customers & helps you review and fine tune your own operations ongoing.

ISO 27001 is the internationally recognized Information Security Management Standard. It defines the elements of control required by a company to protect all information it holds.

In an ever increasing age of security awareness & media exposure of careless information handling, the protection of data is critical. Sectors such as finance, health, public and IT have become particularly sensitive. Hence, certification to the standard is increasingly winning both confidence & new contracts.

ISO 14001 is the internationally recognized Environmental Standard. It defines the elements of organization required by a company to control the impact of their activities, products or services on the environment.

14001 Certification demonstrates to an increasingly aware public & business community a commitment to minimize your impact on their environment. It gives confidence that customers’ environmental credentials & good names won’t be tarnished by their suppliers’ operations.

In general companies & organisations that can demonstrate their operational standards are UKAS certified, gain more confidence in the Market Place.

ISO 9001, ISO 14001 & ISO 27001 – UKAS ISO Assessors or ISO Consultants?


There still seems to be general confusion between the roles of the “Consultant” & the “Assessor”.

It is like sitting a GCSE. Teachers give you the tools and prepare you for the exam, independent & impartial examiners mark your papers. Achieve the correct mark you pass. The independent marking is key to assuring standards.

For ISO 9001, ISO 27001 & ISO 14001 the consultant prepares you for a Certification Audit. This can involve documenting your compliant system, training, completing Internal Audits & general prep – The Assessor then independently & impartially performs the final audit to assess if you meet the particular standard. If so, you are certified.

So Why The Confusion?

Sometimes people like to maintain a Black Art in order to force you down a particular path. There are other clear reasons, these being just a few:

• Non UKAS accredited Certification Bodies offer both the system & the certificate, so as a 1 Stop Shop there is no difference between Consultant & Assessor. This means there is no independent assessment & it certainly isn’t impartial – hence not recognised by the informed

• Some UKAS Approved Certification Bodies offer training courses so will be unlikely to push you towards consultants as that could take away your need for a training course

• Some UKAS Approved Certification Bodies advise they are “Friendly” or “Approachable” and do not advocate the use of a consultant – often because they fear a consultant would refer you to a cheaper UKAS Approved Certification Body & they would lose the work

We would advise whatever route you choose get a few quotes & ensure they are quoting like for like. The 3 routes we would advise:

• You already have the internal expertise to fully prepare for the UKAS Assessment – get at least 3 quotes from independent UKAS Approved Certification Bodies, listed on UKAS website

• You think you are almost there but not 100% – either get a consultant to do a one-off Gap Analysis Audit, or select a training course (preferably from a UKAS Accredited Cert Body, as it will give some comfort as to the standard of the course).

• You feel you need solid guidance as you are not familiar with the standards or have no experience in implementing them (or perhaps just don’t have the time) – select a consultant & be sure to take references. Get more than 1 quote but ensure they are quoting like for like (& don’t forget the cost of the UKAS fees or your consultants attendance on those days).

If the final option is for you, you know where we are – enquiries@qmuk.co.uk

ISO 9001 & ISO 27001 in 60 Days – UKAS!

Our first 2 clients operating in the Banking & Software Sectors engaging our fast track – UKAS ISO 9001 & ISO 27001 Certification in 60 Days, completed this week –

Redline Application Services:

Provides software and services to lenders to support the full end to end credit lifecycle from origination, through scoring, decision making, document production or e-signing, into account management and on to debt collection.

http://www.redlineapplicationservices.com

Reference for our Fast-Track Process can be obtained from Steve Toms (Managing Director) @ stevetoms@redlineapplicationservices.com

Bonafidee:

Specialises in real time, anti-fraud technology solutions which can be accessed instantly via the web or provided as an integrated solution.

http://www.bonafidee.com

Reference for our Fast-Track Process can be obtained from Francis Lang (Head of Development) @ francislang@redlineapplicationservices.com

Part of a small group, both companies proceeded simultaneously, which enabled us to fully utilise consultancy days & minimise costs. The full process from initial visit on 29th October, until conclusion of successful Assessment by a UKAS Approved Certification Body on 15th December took 49 days.

Proceeding at such pace took full commitment & dedication by Senior Personnel & wouldn’t have had the positive outcome otherwise. Without that commitment we wouldn’t advise such pace….

grant@qmuk.co.uk

What’s Trending in ISO

ISO 9001, ISO 27001 & ISO 14001

(Based solely on the communications we receive)

Currently ISO 27001 is still growing & by far the most popular of the standards. With the ever increasing publicity & awareness surrounding Cyber Attacks & now the potential of Terrorist Cyber Attacks it is no wonder. Add to this the much publicised information losses from Big Names such as Morrisons, Home Depot, eBay, T-Mobile, Experian etc & the trend looks set to continue.

ISO 9001 & ISO 14001 seem to be a little on hold as people hesitate over whether to go for the old or the newly released standards. As most UKAS Approved Cert Bodies will not be able to certify against the new standards until mid 2016 this is set to continue a little longer.

For ISO 14001 it has been quiet for a while. Have our environmental consciences dampened as we concentrate on Information Security concerns? Or is the current 27001 more commercially attractive?

Companies currently trending towards certification are from the IT, NHS, Banking & Insurance Sectors….

www.qmuk.co.uk