Fake IT audits: When cybercriminals play auditors

A new scam is causing a stir in Brussels: cybercriminals are posing as IT auditors to gain access to company networks. The Centre for Cybersecurity Belgium (CCB) has therefore issued an official warning. We explain how to recognize fake audits and what a real audit from CIS looks like.

Cybercriminals are constantly finding new ways to obtain sensitive data, money and more. The latest danger: fraudsters pose as employees of a “Federal Cybercrime Authority” – an institution that does not even exist. With convincing arguments they offer companies a free security check and appear legitimate. Instead of security, they bring malware.

The approach is simple but effective: the supposed auditors contact companies and offer to check the company network for security vulnerabilities. They either bring their own hardware with them or ask unsuspecting victims to install and connect to remote maintenance software such as AnyDesk – in both cases creating a direct line into the company’s systems that the attacker controls.

Ukraine has also reported similar cases of fraud: attackers there posed as representatives of the national Computer Emergency Response Team (CERT-UA) and asked companies to connect to their software, ostensibly for cyber security checks but in reality for espionage or sabotage. The Belgian authorities are advising companies everywhere to examine such requests carefully and critically.


The biggest warning signs of fake audits


1. Unprofessional design and grammatical errors

Offers from fake auditors often have a poor design and many grammatical or spelling errors. Look out for unprofessionally designed documents, blurred logos or strange fonts. A serious company or trustworthy organization should appear well-structured and error-free. Note, however, that the reverse does not hold: a polished, error-free offer is no proof of legitimacy, so this sign should never be the only check you rely on.


2. Lack of certification

Make sure that the company that contacted you has itself been audited and certified and is authorized to carry out audits. Fake providers usually cannot show any such certification or any references to trustworthy certification bodies. A logo or certificate number printed on the offer is not enough on its own: confirm the accreditation with the certification body directly, using that body’s own published contact details.


3. Questionable identity of the contact person

As a first step, always verify the identity of the person who contacted you via the official contact details of the relevant authority or company – never via the phone number or email address the potential fraudster supplies. The correct contact details are usually quick to find on the official website of the authority or company in question. Until that verification has succeeded, do not install any software or connect any hardware at the caller’s request.


4. Unrealistic promises

Another sign of a fake audit is the promise of “too perfect” results, from phrases like “100% secure” to “we’ll close all your security gaps”. No audit can guarantee complete security; a genuine auditor identifies risks and documents findings rather than promising their elimination. If auditors make promises that are unrealistic in the real business world, you should be particularly careful.


5. A free audit is offered

Here you should be particularly wary, because behind an audit stands a structured and precisely defined process that requires personnel, time and resources. Anyone offering such a comprehensive service free of charge and unsolicited should be treated with suspicion, not gratitude.


How does a real audit process with CIS work?

After initial contact with a verified CIS employee, a consultation is held with one of our experts. Requirements and the exact procedure are discussed in advance and a written offer is made. In the next step the entire project plan and all details of the process are defined and agreed. At no point does a CIS auditor arrive unannounced or ask you to install remote access software on the spot.

Conclusion: A real IT auditor will not turn up at your company unannounced, and certainly not with unknown laptops or mysterious remote maintenance access in tow. Anyone who is suddenly offered a “free” or “100% secure” audit should be skeptical and contact the genuinely responsible authority directly to verify the request.



Here you will find a list of official bodies to which you can report cyber security incidents.