Please send me SCA's fortnightly briefing:

< Back to '13th Dec 2023' briefing

December 12, 2023

Beware the cyber attack

Anyone who lives even remotely online must have experienced at some point an attempted scam or witnessed some fraudulent activity on their bank accounts. While the corporates can afford to wage a cyber war against the account hackers and cyber-attackers, as citizens it seems the only defence we can muster is vigilance and common sense. And the same probably applies to our sector for whom a cyber attack must rate as one of the highest risks. The  recent experience of one development trust in Orkney should serve to put the rest of the sector on high alert.

Keith Findlay, P & J

An Orkney charity had nearly £120,000 stolen by cybercriminals and could easily have lost a lot more.

Rousay, Egilsay & Wyre Development Trust (REWDT) twigged what was going on and acted as quckly as possible to stop the fraudsters diverting even more cash from its bank account.

But by then the online swindlers had already “made off” with a large sum that, fortunately, was later recouped from the bank.

Trust manager Stuart Williams said a member of staff took a phone call from someone purporting to be from the trust’s bank.

Scammers ‘very personable’

The initial caller and another person involved in the scam – both “very personable”, with southern English accents – queried a recent VAT payment to HM Revenue and Customs.

They quoted the right amount, suggesting “they were who they said they were”, Mr Williams said, adding: “They were very clever in how they handled it.

“They said there were security concerns, and needed to clarify some bits and bobs.”

From there, the con merchants persuaded the staff member to help them set up an online chat facility.

It was through this they gained enough information to plunder the trust’s savings and transfer cash elsewhere.

A series of late night transactions, each conveniently below the maximum that was allowed by the bank, left the community trust £119,000 worse off the next morning.

“It was not a pleasant feeling,” Mr Williams said, adding it took all of that day and most of the next to alert the bank, stop more cash leaving the trust’s account and get the ball rolling on reimbursement.

Rousay, Orkney. Image: Rousay Egilsay & Wyre Development Trust.

Mr Williams continued: “We managed to stopped other payments that had been set up and eventually got it all back.”

Locations linked to the fraudulent transactions suggest the perpetrators are based overseas, he said.

Caithness police “jumped into action immediately” and investigations  are ongoing, he added.

Mr Williams said it was no wonder there was a stigma attached to reporting such crimes. He and other staff at the trust were left feeling “foolish” despite having been “duped by professionals” who knew exactly what to say to gain their trust, he added.

He continued: “They get up every morning to defraud people and are very good at it. We’ve learned a lot.”

The cybercriminals went to work late at night. Image: Shutterstock

Police Scotland confirmed inquiries into the scam were “ongoing”.

REWDT was launched in March 2007 to take forward a projects on the islands of Rousay, Egilsay and Wyre, which are home to a community of about 260 people.

“Our aim, broadly, is to help our three beautiful islands to be both vibrant and sustainable,” the trust’s website says.

What does the community trust do?

The trust’s projects to date include new community gardens and WiFi centres, while it has also sought ways to make homes and community buildings warmer and cheaper to run.

Revenue and energy supply are boosted by a wholly-owned 900 kilowatt wind turbine.

REWDT also organises the annual Rousay Lap half marathon and Peedie Lap 5K fun run.

Rousay, Egilsay & Wyre Development Trust’s wind turbine. Image: Rousay, Egilsay & Wyre Development Trust

Mr Williams said: “Experiencing a cyberattack has a profound and long-lasting effect on people, and it’s important to receive the right support and guidance afterwards.

“Cyber criminals are skilled at deceiving their victims, and there needs to be a greater awareness of what they’re capable of.

“Our organisation was the victim of a targeted attack by criminals who knew exactly what to say to persuade us to part with important details.

They get up every morning to defraud people and are very good at it.”

Stuart Williams, Rousay, Egilsay & Wyre Development Trust

“Thankfully, our outcome was a positive one and we received a full refund through our bank. But the personal impact on the team has been immense.”

Police Scotland assistant chief constable Andy Freeburn said: “Cybercrime and frauds are more sophisticated and have huge repercussions for victims, as we’ve seen from cases like Stuart’s, which remains under investigation.

Police Scotland continues to develop the skills, training and equipment to respond effectively to cybercrime.”

Scammers will try to fool you into revealing key information. Image: Shutterstock

Cyber and Fraud Centre – Scotland (CFCS) is the organisation devoted to tackling cyber and fraud crime north of the border.

It says reported incidents of cybercrime in Scotland have doubled between 2019-2020 and 2022-2023.

Police Scotland receives 18,000 fraud calls a year.

Business email compromise, chief executive impersonations, and crypto and investment fraud make up the bulk of these crimes.

Cracking down on scammers

CFCS, which supported REWDT after its cyberattack, has called for a new collaborative approach to  cracking down on the scammers.

Organisations can find themselves vulnerable to cyberattack regardless of size, with smaller firms, public organisations and charities equally vulnerable, the group said.

It added: “The Orkney-based Rousay, Egilsay & Wyre Development Trust, for example, was targeted earlier this year.

“Its story emphasises the importance of victim support for those who’ve experienced cyber and fraud crime.

“This crime was reported to Police Scotland and continues to be investigated by specialist officers.”

Image: Shutterstock

A six-month trial of a cyber and fraud multi agency “triage hub” resulted in the recovery or interception of fraudulent transfers totalling more than £3 million.

Partners including Police Scotland, leading financial institutions like NatWest, Lloyds, Metro Bank, and CFCS teamed up to share intelligence, disrupt large criminal gang activity, deliver support to victims and recover stolen cash.

Funding is now being sought to develop and expand the model into a fully sustainable charitable organisation.

‘Increasingly sophisticated’

CFCS chief executive Jude McCorry admitted current efforts are only scratching the surface of huge demand for cybersecurity.

She added: “Cyber criminals are becoming increasingly sophisticated.

“We really can’t afford to underestimate the impact of cybercrime and fraud – both financially, as cybercrime is estimated to cost the Scottish economy billions each year.

Cyber and Fraud Centre – Scotland CEO Jude McCorry.

“Experiencing a cyberattack is a highly stressful event for business owners and their employees. With government organisations also at risk, cyberattacks pose a threat to our democracy and the integrity of governmental institutions.

“The startling results of our triage hub trial have demonstrated the need to dedicate
resources to tackling cybercrime, and stories like Stuart’s reflect the huge positive impact that our work has had so far.”