With new data breaches and cyberattacks always in the headlines, small business owners have become more aware of the security of their mobile or web applications. From setting strong passwords to using two-factor authentication, staying safe online is more important than ever.
But, as much as phishing attacks, and email scams are often in the news, there’s another scam that needs to be looked at – fake security researchers.
What is a fake security researcher scam?
A fake security research scam is when scammers pose as experts saying they’ve spotted an issue in the security of your applications – like your business website, for example – and if you pay them, they’ll tell you what the issue is. With small businesses becoming more security conscious, scammers are using that to their benefit to scare and manipulate people.
The malicious actors often reach out via email, social media or in-app customer support, claiming to have discovered vulnerabilities. They use fear and urgency to try and get you to pay to solve these security ‘issues’ they have found.
Risks to your small business
Cyber attacks, like phishing, email scams or security researcher scams, are becoming more common as we rely more and more on technology. It’s easy to fall prey to one of these, which could cause some serious setbacks for your business.
The impact these scams can have on your business could include:
Financial loss: Paying scammers who pose as security researchers can drain resources, which could have been better invested in genuine security measures.
Application compromise: Bad actors can couple fake vulnerabilities with phishing attempts where business owners are convinced to give away sensitive information about their applications.
Scammers usually argue the information needed is to validate their findings. However, this information could later be used by the scammers to compromise the application, which could result in a data breach or other cyber attacks.
Reputation damage: These scams could harm the reputation of your business, if you’re taken offline or can’t operate for some time, which in turn will reduce customer trust in your business services / brand.
How to protect your business
Now that we understand the threat, let's explore strategies to protect your business from fake security researchers:
Verify their credentials: When approached by a security researcher, ask for their credentials and proof of their previous work. Legitimate researchers are usually affiliated with reputable organisations or can provide evidence of their expertise, as well as other vulnerabilities they have discovered in the past.
Don't rush: Be cautious of researchers who pressurise you into acting quickly. Scammers usually create a sense of urgency to manipulate victims. Take your time to verify their claims. If no information is provided, ask for clarifications first.
Never pay upfront: Legitimate security researchers do not demand payment before disclosing vulnerabilities. If someone asks for money in advance, it's a red flag.
Use a bug bounty program: Consider implementing a bug bounty program where ethical hackers are incentivised to find and report vulnerabilities in your systems.
Engage a trusted cybersecurity vendor: Collaborate with a cybersecurity firm that can assess your application for any potential vulnerabilities and help you address them. Avoid trusting unsolicited offers of assistance.
Educate your team: Train your employees to recognise phishing attempts, scams and suspicious emails. Awareness and education are vital in defending against these kinds of attacks.
Report suspicious activity: If you encounter a fake security researcher, report the incident to the relevant cybersecurity organisations (see below). Sharing information about scams helps protect others who might find themselves in the same situation.
How to report an attack
Ask for help if you think that you might have been a victim of phishing, a security research scam or any online fraud, especially if you've not raised it before. It’s important to take steps to scan for malware and change passwords as soon as possible if you suspect a successful attack has occurred.
If you believe that your business has been the victim of online fraud, scams or extortion, you should report this through the Action Fraud website. Action Fraud is the UK’s national fraud and cybercrime reporting centre. If you are in Scotland contact Police Scotland on 101.
Small business owners, especially those with limited resources, must remain vigilant against the evolving landscape of cyber threats. If you’re unsure how to spot or report a cyber attack, we have a guide that has some tips and information.
Fake security researchers are just one example of the risks you may encounter. Remember, cybersecurity is an ongoing process and staying informed and prepared is your best defence against emerging threats.
