A Fool-Proof Guide to Avoiding IT Specific Scams
Avoiding IT Specific Scams in the UK: A Guide for Professionals
Credential Harvesting & Phishing
HOW IT WORKS: Attackers send links to fake login pages for systems like Office 365, AWS, GitHub, etc.
TACTICS:
– Lookalike domains (micr0soft.com, aws-support.co.uk)
– MFA fatigue attacks: constant login prompts designed to wear you down until you approve one
DEFENCE:
– Use hardware-based 2FA (e.g., YubiKey)
– Inspect URLs closely before logging in
– Implement conditional access policies if you’re an admin
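As an added example (not part of the original guide), the URL inspection advised above can be partly automated: the check below classifies the host behind a login link as trusted, lookalike or unknown by folding confusable characters (micr0soft), spotting a brand name inside an untrusted domain (aws-support.co.uk), and catching single-typo domains. The trusted domain and brand lists are constructed for this example.

```python
from urllib.parse import urlparse

# Domains the organisation really logs into and the brand names attackers
# imitate (constructed lists for this example; extend for your own estate).
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com",
                   "amazon.com", "github.com"}
BRANDS = {"microsoft", "office", "aws", "github"}

# Visually similar substitutions common in lookalike registrations.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(text: str) -> str:
    """Fold confusables so 'micr0soft' and 'rnicrosoft' both read 'microsoft'."""
    return text.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep three labels for second-level TLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    two_part = len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2
    return ".".join(labels[-3:] if two_part else labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-typo domains like gihub.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host behind a login link."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"  # exact registrable domain, subdomains included
    # A brand name anywhere in an untrusted host (aws-support.co.uk,
    # github.com.evil.example) is the classic lookalike pattern.
    if any(brand in normalise(host) for brand in BRANDS):
        return "lookalike"
    # Otherwise compare the first label against each trusted brand for typos.
    name = normalise(domain.split(".")[0])
    trusted_names = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if any(edit_distance(name, real) <= 2 for real in trusted_names):
        return "lookalike"
    return "unknown"
```

The brand-substring and edit-distance rules are deliberately greedy; treat "lookalike" as a prompt to verify through a known-good bookmark rather than as a final verdict.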
Fake IT Support & Internal Impersonation
HOW IT WORKS: Scammers pose as internal IT support via email or Teams/Slack messages.
GOAL: Get access to internal systems or convince staff to install remote access tools.
RED FLAGS:
– Urgent password reset requests
– Unusual grammar or tone
– New email domains mimicking internal ones
DEFENCE:
– Use internal communication platforms with verified profiles
– Enforce least privilege and require change approvals
Supply Chain & Vendor Scams
HOW IT WORKS: Attackers compromise or spoof trusted vendors (SaaS providers, hosting companies).
EXAMPLES:
– You get a “critical update” request from a compromised supplier account
– Fake software patch emails from trusted vendors
DEFENCE:
– Set up vendor domain allowlists & DKIM/SPF verification
– Only download software from verified portals
BEC (Business Email Compromise) for IT Admins
HOW IT WORKS: Attackers compromise an email account and then target IT admins to reset passwords or change permissions.
HIGH RISK: Admins with AD, Azure, or domain panel access.
DEFENCE:
– Audit privileged accounts regularly
– Use just-in-time admin access where possible (e.g., Azure PIM)
– Monitor for anomalous login behaviour
Fake Penetration Testing / Red Team Offers
HOW IT WORKS: “Security companies” offer free pen tests or vulnerability reports that actually contain malware or trojans.
TACTICS: Impressive credentials, LinkedIn messages, or “findings” sent as PDFs or ZIPs.
DEFENCE:
– Never run unsolicited security tools or scripts
– Validate companies via Cyber Essentials or CREST
– Use a sandbox to inspect unknown files
Open Source Project Scams
HOW IT WORKS: Attackers publish malicious clones of popular packages (e.g., npm, PyPI, NuGet) with slightly different names.
IMPACT: Can lead to CI/CD pipeline infections or exfiltrated secrets.
DEFENCE:
– Use lockfiles (package-lock.json) or pinned requirements (requirements.txt) to pin exact versions
– Enable package signing/verification
– Scan dependencies using tools like Snyk, Dependabot, or npm audit
Fake Job Listings & GitHub Profile Scraping
HOW IT WORKS: Fake recruiters or companies scrape GitHub/LinkedIn for IT pros and send malware disguised as test files or “coding challenges.”
RED FLAGS:
– Direct download links to EXEs or ZIPs
– Urging you to disable antivirus
DEFENCE:
– Only use known platforms for code tests (e.g., HackerRank, Codility)
– Avoid running binaries from unknown sources
SaaS Admin Panel Exploits
HOW IT WORKS: Attackers phish or exploit lesser-known SaaS tools where IT staff might be admins (e.g., Trello, Jira, Notion).
DEFENCE:
– Rotate API tokens regularly
– Enable SSO/MFA for all SaaS tools
– Regularly audit access levels
Ransomware via Remote Monitoring Tools
HOW IT WORKS: Attackers target remote access/monitoring platforms like AnyDesk, ConnectWise, or RMM agents used by IT.
DEFENCE:
– Allow RMM agent connections only from verified IPs
– Segment access using firewalls/VPNs
– Review RMM audit logs regularly
Insider Impersonation & Social Engineering
HOW IT WORKS: An attacker joins your Slack/Teams or emails pretending to be a colleague asking for technical help.
TACTICS:
– “Hey, can you quickly add me to the VPN group?”
– “Can you reset my DevOps account? I’m locked out.”
DEFENCE:
– Establish identity verification steps internally
– Avoid acting on requests without confirmation via a separate channel
By John Ellis FIAP, MBCS, FRSA – Senior Partner and CTO of Wellis Technology. Contact John if you would like this article to be turned into a downloadable PDF guide, slide presentation, or included in a cybersecurity awareness toolkit for your team or organisation.