Posted: 12/02/2025
St Valentine is thought to have been a clergyman in the Roman Empire. According to legend, he signed a letter ‘from your Valentine’ to his jailer’s daughter, whom he had befriended and healed from blindness. Eventually, St Valentine would lose his head for his faith.
Fast forward a thousand years, few would be aware of his brutal end – and although Valentine’s Day is synonymous with love, there can still be a sting in its tail, especially in the form of online scams that begin to appear around this period.
Watch out for e-cards that appear to be from loved ones or admirers (but are not); be cautious about shopping deals that seem too good to be true (clue: they usually are); and handle with care those unexpected online admirers who have never been encountered in real life (they are likely to be as fake as a life-sized unicorn).
What are all these fake approaches for? Aside from trying to scam you out of money (known as authorised push payment fraud), they are often seeking to drop malware onto a device, one way or another.
Malware, short for malicious software, infects computers to alter their functions, destroy data, or spy on users. At a certain point in the malware’s supply chain, a victim is tricked into downloading its payload. One example of a trick used to get individuals to execute malware is ‘phishing’, which uses deceptive emails from seemingly trusted sources, often directing the victim to a fake website where they are infected with malware.
Another approach is for the hacker to get a victim to reveal private data, known as credential harvesting, which they later use to trick the victim into (you guessed it) downloading a malware payload. Phishing attacks that do not directly drop a malware payload can simply be used to steal sensitive information from victims, often by directing them to a fake website where the information is collected.
Malware payloads can take many forms, for example, ransomware, where malicious software encrypts a victim's system, demanding a ransom for its release. British companies have been urged to be on high alert as the ransomware threat escalates from groups linked to Russian criminal gangs. Hackers posing as remote tech-support workers on Microsoft Teams infiltrate networks by bombarding employees with spam emails and then contacting them to offer help. Once given remote access, they install ransomware to freeze networks and extract data. Ransomware threats are considered to be the main cybersecurity issue facing the UK and the government recently proposed a ban on public bodies paying ransoms.
Other forms include distributed denial of service (DDoS) attacks (which disrupt services by using multiple malware-infected machines to overwhelm a target), SQL injection attacks (which target websites by inserting harmful SQL queries, and can result in data breaches and unauthorised command execution) and Trojan horse attacks (where downloaded malware is disguised as a legitimate program, allowing hackers to access the system once executed).
Forewarned is forearmed. What can be done, as a company, to manage, mitigate and even transfer the risk of malware entering a system? IT and legal teams should work collaboratively to reinforce an organisation’s cyber defence strategy. Think about the following three Rs:
Risk management
Compliance and best practice sit at the heart of trust in digital systems. That involves a strong data model and careful mapping of the data ecosystem. Data may not necessarily move, but it may still be ‘accessed’ by suppliers, and, where it is not accessed by a supplier, they may still direct the nature and manner of another supplier’s access. These roles, rights and responsibilities need to be clearly understood by all involved. A full data risk assessment helps you step back and establish the who, what, how, where, when and why of the thing. This brings gaps and risks into sharp relief and enables effective risk mitigation.
Risk mitigation
Take out appropriate, tailored insurance with a reputable provider to mitigate losses from operational downtime, financial loss, regulatory investigations and legal action. Ensure critical suppliers are ISO 27001 certified and follow NCSC guidelines as best practice. Monitor these in a supply chain through regular audit, ensuring that cyber and operational resilience is embedded by design at all levels of the supply chain. Implement the risk mitigations identified in the data risk assessment to ensure roles and responsibilities are allocated appropriately and suitable policies, procedures and training are in place.
Risk transfer
A supply chain is only as strong as the weakest element in it. Use supplier and customer contracts to embed risk mitigation priorities. For example, ensure that a supplier does not cut corners and has in place appropriate risk controls around its data and systems. Do not be afraid to spell out in contracts the minimum risk controls required, together with appropriate audit provisions and business continuity (pay careful attention to service levels), as well as carefully crafted confidentiality, data protection, and liability provisions. If nothing else, it will engender discussion.
Do not let your data and systems be decapitated like St Valentine. We can help you articulate your risk assessments, identify priorities and embed them in your contracts. For more information, contact Sarah Kenshall.