Why Anti-Virus is Not Enough to Stop the Scammers

When the first anti-virus software was released decades ago, there was a thought amongst many that it wasn't necessary. At the time, we didn't have interconnected PCs, the Internet was something only large organisations and universities used, and moving data from one PC to another meant floppy disks and walking.

This was the 'sneakernet', and it was easy to police. Much like viruses in humans, their effect was limited simply because they didn't move about much.

But then magazines began to put disks on the front as a way of selling them, and suddenly they became more mobile. Programmers saw this as a good way of getting their malicious code spread around, and suddenly, anti-virus was a thing. We needed it, and we needed it quickly.

When companies began to connect to the outside world, the need for anti-virus became ever more pressing, and vendors began to beef up their offerings with solutions for the enterprise that protected not only PCs, but also servers and other network devices.


IT support departments would make sure all anti-virus software was up to date. The more paranoid would have multiple versions of different anti-virus packages and would test any media entering the company before letting it loose. But anti-virus soon became much better. You're now pretty safe from most viruses, and the Internet - the cause of so many scares - is now the reason software stays up to date.

As soon as a new exploit is discovered, vendors will push out new versions of their software. It's a game of cat and mouse, and it would seem that due to the impressive technology now packed into PC operating systems and the work the anti-virus vendors have done, we can sleep safely.

However, that would be a wrong assumption.

Complacency and a belief that your IT infrastructure is safe can be dangerous, because the bad guys out there don't stop, and they always look for the weakest link. And that link is very often the person sat in front of the computer.

It's a Human Problem

Years ago I heard the story of a business person who had his bank account wiped out by what was thought at the time to be a hack. It even had all the elements of a hack.

He had lost his card, and it had been used to take money from his account, so obviously the hacker had broken the encryption to discover his PIN.

But that's not how it happened at all.

When the perpetrator was caught (using the card, he was careless), it turned out he'd used a very simple trick.

He'd pickpocketed the target's card. That happens all the time and takes no real skill, and it was in New York, which is busy, so the victim didn't notice.

He then followed the victim to his office. Again, easy to do in a busy city.

He noted the name of the company and went to a call box.

He called the company, asked for the victim by name (it was on his card) and explained that the card had been reported stolen and "could he confirm his PIN?"

This was over 15 years ago, but attacks are far more sophisticated now.


You may have heard of 'phishing', where an email appears to come from a legitimate site but doesn't, and its sole purpose is to extract your password details.

They rely on a number of psychological tricks.

Firstly, they use the branding and wording of a bank or other well-known brand. It might look like it comes from HSBC or Barclays or, more recently, HMRC.

They'll have words such as "Act now to protect your credit rating" or even "your account may have been compromised, please log in now to verify your details."

These sound like legitimate requests, and many people fall for them.

When you click on the link, the site you go to isn't the bank's; it's the attacker's site, made to look like the bank's.

You type in your details, they ask for confirmation, and before you know it, they've got all of your password information.

It's extremely easy, and although email providers and software developers are always looking at ways of stopping it, the only way to make sure you or your staff aren't affected by it is through education.

How to avoid being scammed

Hackers can attempt to get all kinds of information from you. It could be bank details, or it could be your company CRM login details so they can steal business information. Either way, staff need to be on their guard.

Here are a few ways to help keep your information secure, and your private details safe:

• Never send passwords over email - nobody should ever ask for sensitive passwords via email, and banks or any other organisations should never ask for them. The whole idea of a password is that it's secret.

• If you receive an important-looking email from a large organisation, and it asks you to click a link - check with that organisation first. Check their website, find their customer enquiries number and call them.

• If you receive an email asking for company information, check with the sender first. Simply phone them up and make sure that they asked for it and that it's OK to send.

Above all, be suspicious.


If an email doesn't look right, don't click on the links. Check with your IT support team first. You may be the first person to discover a scam, and if you are, you can make it easier for your support team to make sure nobody else gets caught by it.