What is scare marketing?
‘Scare marketing is a tactic some businesses use to sell their products and services,’ says Dave. ‘Just like cold calling, it’s a way of convincing a customer that something has gone wrong and they need to purchase something from them to fix it.’
The emails from the security companies or IT companies in question include what the sender calls a report. This ‘report’ lists some employee credentials, with sensitive information retracted, which the sender claims have been ‘exposed’ on the dark web. It is implied throughout the document that this could lead to phishing or hacking attempts.
The solution, according to the ‘report’, is to pay for the IT company’s services, and to sign up to their ‘monitoring software’ to ensure that businesses know when their data ends up online.
Where has the data come from?
In the ‘report’, the security company lists email addresses and passwords that they’ve found ‘exposed’ online. But if this is just scare marketing, where did this information come from?
‘They claim to get the credentials through scanning the dark web,’ says Dave. ‘But typically, this information will be publicly available. When large data breaches happen, like the M&S hack, the information gets shared on a public forum. This will be like a data dump - a big excel spreadsheet or text file that has all the leaked information in it. Including the exposed credentials that the sender has discovered in their ‘report’.’
‘A company can pay someone to consolidate this data, and then group it by domain; for example, every email address that has @transcendit listed. From there you can create an ethically dubious report that makes it look like all of these details are available on the dark web.’
‘The important thing to be aware of is that a lot of the information is old,’ adds Dave. ‘In some of the reports I’ve seen, they’ve included the age of the information. Some of it is recent, but some of it is listed as being from 2012. The ‘exposed passwords’ that they list are clearly just the word, ‘password’; which is likely the password that employees are given to first access their accounts, before they change it themselves.’
‘It’s old information, and that means it’s likely to have already been acted on.’
What will happen if recipients contact the sender?
‘They’re likely to tell customers that they perform dark web scans, or something else that your current IT company doesn’t do,’ says Dave. ‘But these scans will just be an off the shelf product that they’re using, like an online service that you subscribe to. It’s the equivalent of putting your email address into https://haveibeenpwned.com/.’
‘If customers are scared, they might pay for the service; even though it's not something that they should be concerned about.’
How can customers tell if something is scare marketing?
‘The biggest indicator to me is the fact that this is an unsolicited report,’ says Dave. ‘This isn't a conversation, or an enquiry about your current IT services, or how your business is protecting itself from security threats. It’s a scare tactic to terrify you into talking to this organisation. The sender doesn’t know anything about your business, and hasn’t sought to establish a requirement; they’ve found some information, that’s it.’
Dave also recommends that you check the age of the information. ‘Be on the lookout for how old this information is; details from 2012, where the user has since resigned or the password has been changed are completely irrelevant. You might even recognise the passwords as default passwords that you give to new employees before they change them.’
Finally, Dave’s attention was drawn to the images that were used. ‘There’s an abundance of graphics with no real valuable content, and almost nothing that is specific to the business they’re contacting. There’s some clip art, there’s a lot of percentages, numbers and images, but this isn’t a report; it's no more than sales material.’
How does Transcendit do it differently?
‘We don’t prioritise monitoring something that has already happened. Transcendit likes to be proactive,’ says Dave. ‘We promote actively educating your employees, using software like U-Secure to increase awareness and knowledge of phishing and hacking. We also ensure that businesses are meeting the standards for company policies, user security, device security and software security.’
‘Finally, we know that even by meeting a strong security standard, you can’t ensure that you’ll never be compromised. That’s why we provide our customers with reliable back up solutions that work for their business, and disaster recovery; so that you’re prepared if the worst happens.’
‘The biggest difference is that Transcendit don’t try to scare their customers,’ says Dave. ‘We don’t create reports or sell solutions without speaking to you, and getting to know your business. We find out how you can improve your security, and talk to you about it. It’s that simple.’
Give us a call on 0191 482 0444 to find out how we can improve your IT security
