This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public.

Advice and information is changing daily as we navigate our way through the COVID- 19 pandemic, so please ensure you only take information from reputable sources. If you require any further information, assistance or guidance please contact the EMSOU Protect Team or your local Force protect team. It is no longer enough that your own security practices are kept to high standards, you have to be confident that any third-party businesses who you deal with also incorporate good security standards. Compromising the supply chain has become a favoured approach by cyber criminals, as it allows them to not only bypass strong security measures, but potentially target higher volumes of victims.

It is worth having an understanding of your security risks involved in your supply chain, have an understanding of who your third-party suppliers are and how their security infrastructure is set up. This may give you an understanding of what you may need to do or what protection mechanisms need to be put in place. NotPetya, the most devastating cyberattack in history, crippled Ports, paralyzed corporations and froze government agencies all from one small server in the Ukrainian capital of Kiev, belonging to a small software business.

This server pushes out routine updates for accounting software called M.E.Doc. It’s used by nearly anyone who files taxes or does business in the Ukraine and a finance executive for Maersk’s Ukraine operation had asked IT administrators to install the accounting software. That gave NotPetya the only foothold it needed in their supply chain.

This maritime giant, responsible for 76 ports around the world and nearly 800 vessels, including container ships carrying tens of millions of tons of cargo (almost 20% of the entire world’s shipping capacity) was dead in the water.

Supply chain attacks can be used for a number of purposes, delivering ransomware, breaching confidential data, introducing vulnerabilities for further attacks.

Organisations need to manage security risks to network and critical information systems that link to external suppliers, ensuring appropriate measures are used by third parties.

Conduct due diligence when researching suppliers. Cyber Essentials is a government backed scheme which includes a set of security controls that organisations can implement to protect themselves against common threats. Check whether your suppliers are Cyber Essentials certified and make sure that close working relations with suppliers are maintained; contact them over suspicious activity and include them in your incident response plans. In short, treat them as an extension of your business and always seek continuous improvement within your supply chain.

For more information please refer to NCSC’s guidance on Supply Chain Security here.

Hot topics

Vehicle for sale scams: Seller posts online but says it can’t be viewed in person, due to coronavirus and arranges for the vehicle to be delivered using a delivery company. The victim pays for the vehicle (or a deposit), but the vehicle is never delivered.

HMRC fake text messages: There’s been a large number of reports from people receiving a fake text message from HMRC offering a ‘rebate’ and requesting card/bank details. News reports suggest these contain a link to a convincing copy of the HMRC website.

Amazon gift card: New Amazon phishing campaign offering recipients the chance to win a

£1,000 Amazon gift card. Subject reads: “On the occasion of overcoming the coronavirus, Amazon gives you the gift of victory.” Sender name displays as ‘’.

Phishing emails: The most common type still relate to the sale of protective masks.


Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.