Category: Uncategorized

by Lim Seng Siew, Director OTP Law Corporation

In the first and second parts, we talked about what is a phishing attack and what to do if you are a victim. In this third part, we will talk about simple steps that you can take to reduce the chances of being a victim of such an attack.

Cyber-hygiene – Prevention (or Reduction) is Better Than Cure

It is impossible to prevent a cybersecurity incident from happening. You can only do so if you have infinite resources, infinite time, and infinite talent. And that is an impossibility. Instead, efforts should be focused on, firstly, making it difficult for a hacker to hack into your system, such that the hacker will move onto other targets, and, secondly, if there is a successful hack to reduce the opportunity for harm.

I have divided the precautions that an organisation can take into 3 baskets:

1. The first basket contains simple steps that an organisation can take on its own with minimal or no assistance from IT providers (Simple Steps Basket).
2. The second basket is for those steps that an organisation can take with assistance from IT providers if the organisation does not have the in-house know-how to do so (Steps With Assistance Basket).
3. And the third basket contains those steps that will require the organisation to work with IT providers as these steps often involve consultation with various stakeholders (Steps With Consultation Basket).

I will deal with the simple steps in this article and leave the other 2 for a later one.

It must be borne in mind that cyber-hygiene is not an IT issue, only for the IT staff to implement. It is an ‘all-of-organisation’ issue.  The hacker, using social engineering methods, will not be sending phishing emails to the IT staff of an organisation but to the general staff who are likely to be less aware of cybersecurity issues. Social engineering methods are methods used by hackers to manipulate our emotions such that we stop thinking rationally and start acting on impulse without proper regard to what it is that we are actually doing.

Simple Steps Basket

Have Anti-Virus / Anti-Malware

Anti-virus and anti-malware software are almost similar, and the terms are often used interchangeably. However, there are important differences. Anti-malware generally has a broader coverage then anti-virus with advanced features such as sandboxing and removal of potential malware applications, behaviour monitoring to identify threats based on suspicious behaviour rather than relying on the ‘signatures’ of pre-existing and known threats and is designed to be used in a business environment across the entire organisation. As a result, anti-malware is generally more expensive than a plain vanilla anti-virus software.

It is also important to have the software installed on all potential attack surfaces. An attack surface is all possible points of attack, whether physical or digital, where an unauthorised user can gain access to a system. The digital attack surface encompasses all the hardware and software that is connected to an organisation’s network. These include applications, codes, ports, servers, and websites. The physical attack surface comprises all endpoint devices that an attacker can gain physical access to, such as desktop computers, hard drives, laptops, mobile phones, tablets, Smart TVs and USB drives. Even passwords written on paper and physical break-ins to premises are potential physical attack surfaces.

Update Your Software

All software, even those from well-regarded software companies, have bugs. Some of these bugs can result in serious vulnerabilities to systems where the software is used. Hackers routinely scan for such vulnerabilities and once a vulnerability is found, will attempt to exploit it before the software developer discovers and patches the vulnerability. Updating all your software regularly will reduce the hacker’s opportunity to exploit vulnerabilities in your systems.

Many modern commercial off-the-shelf software have automatic updates, some even have this enabled by default while others require you to manually enable this feature. The general rule is to enable automatic updates with one key exception, if your system uses customised software. Occasionally customised software relies on third-party software libraries. If these third-party libraries are updated and routines relied on by your customised software are depreciated (ie made obsolete), your customised software may suddenly stop working. Responsible developers of customised software will have their own updates to avoid this situation, but it is always prudent to check with them.

Practice Password Hygiene

Passwords enable a user to access important accounts and data, making them an attractive target for hackers. Further, just about everything about passwords is inconvenient, from creating them, remembering them, and using them. On one hand they cannot be too simple otherwise they can be easily cracked. On the other hand, they cannot be too complicated otherwise they will be forgotten. So, some password hygiene tips.

First, use strong passwords. The recommendation is to have at least 12 characters mixing uppercase and lowercase letters with numbers and symbols. Popular these days is to use a passphrase comprising a few words strung together. As such phrases are easier to remember, users are less likely to write them down. An example is a passphrase like “2minutE1@QquiZ”, ie “Two minute Ten Question Quiz”. The Cyber Security Agency (CSA) of Singapore has a webpage (at https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker where you can check the strength of your password. Use it.

Second, use different passwords for different accounts. A big No! No! is using the same password for your personal and corporate accounts. While this may make remembering the passwords difficult, there are tricks that can be used to make this easier. As an example, use a passphrase like “2minutE1gma@QquiZ” for your gmail account and “2minutE1yah@QquiZ” for your yahoo account.

Third, enable and use 2-factor authentication (2FA) wherever possible. Modern 2FAs is as simple as receiving a one-time passcode on your mobile device. Most organisations, including Google and Microsoft, offer 2FA free of charge.

Fourth, do not share your passwords with anyone and do not write them down. If you need to grant temporary access to anyone, change your password to a ‘throw-away’ password. Once the need for that temporary access is over change the password back to a more lasting one. Remember that some systems do not allow you to recycle old passwords. So, you may have to change your password from “2minutE1@QquiZ” to “3minutE1@QquiZ”.

Fifth, do not login to online services over an unsecured wi-fi network. If you are unsure about the ‘free’ wi-fi network, make use of the hotspot feature on your mobile-phone. You can then tether your laptop or tablet to your mobile-phone hotspot.

Sixth, change your passwords regularly. The recommendation is to change them every 90 days. However, many users will find this too troublesome.

Seventh, consider using a password manager. Having a unique password for every account or service that must be changed every 90 days will mean a lot of passwords to manage. Unless you have perfect memory, you will need something to help you remember these complex passwords. The temptation to writing them on a sticky note attached to the back of the monitor should be resisted. Instead consider using a password manager. These secure applications store all your unique passwords and can generate new strong passwords as needed. Many password managers can sync the information across multiple devices so you will never be without the correct password when they are needed. Another great feature many password managers have is website verification. If you click on a phishing link instead of the real one, the password manager will not auto-fill your password.

Learn how to Spot Phishing Scams

Here are some of the signs to look out for to determine if there is a possible phishing scam.

(a) The message has mismatched or misleading information.

One of clearest indicators of a phishing scam is when the information in the message is wrong. As a simple example, the message asks you to confirm your payment instructions to Bank A. However, you do not have any account with Bank A or that you had not issued any payment instructions in the past few days. That message is very likely a phishing scam.

The more sophisticated hackers are more subtle. They will attempt to mislead you into believing that the information you see is genuine. Therefore, you need to examine the information closely.

If the message asks you to click on a link to a website, check the website address carefully. Better yet, re-type the website address into your web browser from a source that you know is correct. Hackers often create phishing websites with web addresses (or URLs) that are visually similar to the genuine websites. This technique is called a homograph attack or script spoofing. A simple example is when the web address substitutes a “0” (ie zero) for an “O” or a “1” for an “l”.

More sophisticated methods substitute either Cyrillic or Greek characters for our usual Latin ones. An example of this is the word “bank” compared with “bаnk”, the first using the Cyrillic character for “a” while the latter is the usual “a” of our Latin character. The Cyrillic letters – а, с, е, о, р, х and у  – are those that you should look out for because of their visual similarity to those that we are used to. The latest versions of popular browsers have built-in protection against most homograph attacks.

Sometimes, the link ‘as shown’ in the body of the message appears to be a legitimate one. However, if you click on the link, you will be brought to another website. If you move (or hover) your mouse over the link before clicking, a small window will pop-up showing you the true destination. If the two links (the ‘as shown’ link and the link shown when you hover the mouse) are different, it is a strong indicator of a phishing message.

A similar technique is also used for email addresses, they may look similar to, but are in fact different from an organisation’s official email. Hover your mouse over the email to see the true address. Also check the cc or bcc lists to see if there are any unusual addresses. Unusual emails in such lists is a sign of a ‘man-in-the-middle’ attack. A ‘man-in-the-middle’ attack is when the attacker secretly relays and alters the messages between 2 legitimate parties who believe that they are directly communicating with each other when in fact they are referring to the ‘man-in-the-middle’.

(b) The message uses urgent or threatening language.

Hackers also use urgent or threatening language in their messages. It’s a social engineering trick. Urgency can mean you act before you think. Hackers often use words like “Urgent action required”, “Your account will be terminated”, “This is your boss. Transfer money to me urgently.” The fact that the message is unexpected helps create that sense of urgency. Take your time. There is in fact very few situations when you need to respond to any message immediately.

Other tricks used by hackers to create a sense of urgency include saying that they’ve noticed suspicious activity or login attempts, claiming that there is a problem with your account or payment, saying that you need to confirm some personal or financial information, claiming to be from some government authority who requires you to respond immediately, or issuing some ultimatum.

(c) Promise of attractive rewards

If it is too good to be true, it probably is. Phishing messages often offer amazing deals or rewards, again to encourage you to act before you can think. A recent technique used is to ask you to complete a survey (which will have questions about your personal and financial information) for a chance to win attractive, but not so ‘amazing’ that it would be suspicious, prizes.

(d) Request for confidential information

Nowadays, most organisations do not ask for your confidential information to be sent via unsolicited email or unsolicited calls. If the caller or sender claims to be from your bank and asks for your NRIC number or bank account number, be careful. Inquire further. Most scammers will not be able to respond properly to such inquiries.

On the other hand, it is possible to be over cautious. Banks, as part of their security protocols, often ask you for certain information to verify your identity. So, if the caller asks for such information, is the caller legitimately from the bank or is the caller a scammer? When in doubt, contact the bank directly using the contact information from a legitimate source. Don’t rely on the contact information in the suspicious email.

(e) Unexpected emails & suspicious attachments

Hackers send out millions of emails in the hope that someone responds. Don’t be that one. If you receive an unexpected email and have identified it as a phishing email, do not click on any link or attachment. Instead delete it to prevent any accidental clicking. Also notify your IT provider so that the email address can be added to the organisation’s spam or blocked list.

Training & Keeping up to Date

The final suggestion in this basket is training, not just of the IT staff but also the general staff and senior management. Do the training regularly since people need reminding and hackers keep updating their techniques. Learning how to counter these new techniques is important.

In addition, you should also keep up to date with the latest happenings in the cybersecurity world by checking or subscribing to resources provided by the PDPC, SingCert, and many of the major software or cybersecurity companies. These resources provide information about the latest vulnerabilities or hacks and their solutions or patches.

You will also need to reassess your processes on a regular basis to deal with the newer techniques used by hackers or newly discovered vulnerabilities that have yet to be patched.

In the fourth and final part of this series, we will discuss about the other steps that can be taken to reduce the chances of you being a cybersecurity victim.

If you have a need to seek legal advice on your cybersecurity situation or just require legal assistance in any way, please reach out to us at enquiries@otp.sg or +65 64383922.

Article by Lim Seng Siew.

Businesses do get married. There are a number of terms used to describe the various forms of business ‘marriages’: acquisitions or takeovers, mergers, joint ventures are among the common terms. Dealing with each in turn.

Acquisitions or Takeovers

An acquisition or takeover happens when one company (the acquirer) acquires most or all of the shares of another company (the target) to gain control of the target company. Most of the time, the acquirer pays cash for the target’s shares. Sometimes, the acquirer swaps its shares for the shares of the target company, termed ‘shares-for-shares’ swap.

‘Shares-for-shares’ swaps that result in the acquirer becoming a subsidiary of the target company are known as ‘reverse takeovers’. This often happens when a privately held company (technically, the target but in actual terms, the acquirer) with strong prospects ‘reverse’ acquires a listed shell company (technically the acquirer but in actual terms, the target) which has no legitimate business operations and limited assets.

While in theory all the acquirer needs is to acquire 1 share plus 50% of the target company’s issued shares (ie 50% + 1) to gain control of the target, in practice this rarely happens. This is especially so when the target company is privately held, ie not listed on any stock exchange. Why would you, as a seller, give up control of your business to another without realising a substantial immediate financial gain? After all, there is always the possibility of the business failing because the acquirer doesn’t understand your business.

Most acquisitions of privately held companies are friendly and happen with the mutual agreement of both the acquirer and the shareholders of the target. This does not mean that the negotiations for the deal will therefore be easy. Each party will still negotiate hard to extract the maximum gain from the deal. However the hard bargaining should be tampered by the bigger picture of the mutual benefits that can arise if the deal is successful.

Some acquisitions can be hostile, commonly termed as ‘hostile takeovers’. The shareholders of the target company do not agree to the takeover. For listed companies, there are rules governing parties’ conduct during a takeover. The rules ensure transparency and fairness for all concerned in the deal. Takeovers of listed companies, especially hostile takeovers, are beyond the scope of this article.

Mergers

Closely related to an acquisition is a merger. In a merger, 2 separate business, usually of almost equal characteristics (in terms of size, market share, employees, scale of operations etc), join together to form a new legal entity. The 2 original businesses are usually dissolved after the merger is completed.

Joint Venture

A joint venture (or JV) is a business arrangement in which 2 or more parties agree to pool their resources for a specific project. The participants of a JV maintain their own businesses. The JV can be in the form of a separate company (JV Co) in which the participants are its shareholders. It can also be a partnership or a mere contractual arrangement commonly termed ‘consortium’.

Once the project ends, often the JV Co is liquidated, the partnership is dissolved or the consortium disbanded.

Other Forms of Business ‘Marriages’

Sometimes, instead of the acquirer acquiring the shares of the target company, only the assets, contracts and businesses of the target company are acquired, ie ‘asset acquisition deals’. This typically happens when the target company is facing bankruptcy proceedings.

There is also a management buyout, ‘MBO’ for short, where the company’s executives purchase a controlling stake in the company.

There is another form of a deal called “Acqui-hire’ where the acquirer is not really interested in the business of the target but in the talent (ie key personnel) in the target company.  It happens fairly often in the start-up world where talent is in short supply. Acqui-hires are also used as a ‘soft landing’ by the start-up’s founders and employees when the start-up fails to raise more money for its needed capital. The irony with ‘acqui-hires’ is that the team from the failed start-up enters the office of the acquirer in an elevated position, with lots of money and guaranteed employment contracts, all thanks to a business that went broke.

We have talked about what the various terms mean in a business ‘marriage’. In the next part, we will talk about the processes involved in an acquisition.

Wish we were there in person but it was nevertheless an informative and interesting session even as we watched it online. An event to be proud of, PracticeForte is honoured to have been a partner of International Dispute Resolution: The Way Forward, The Way to Peace, held on 29th March 2023 at the San Sebastian College Recoletos, Philippines. Thank you @ Rodel Taton and congratulations on hosting a successful event at your college.

“Displacement, Distress, Disputes: A Bag Perspective” 5 August, 2018

Article By: Pamela Lun & Cheryl Lim

 Stepping into the premises of the Foreign Domestic Worker Association for Social Support and Training (FAST) is like stepping into a never-ending party. Music boomed throughout the premises as a talent competition was being organized for the afternoon. Groups of foreign domestic workers (FDWs) formed dance groups and grooved to the latest beats, while 1 or 2 daring individuals showed off their vocals with Adele and Celine Dion classics.  Off the stage, FDWs were gathered in groups chit-chatting, gymming or going for the free enrichment classes held within FAST. It is not difficult to see why so many FDWs choose to spend their Sunday off-days there. In the time that they are there, they regain their dignity. They are no longer known as helpers or seen in a position of servitude; they are individuals in their own right engaging in their interests and passions.

2018, 1^st of July, our team at PracticeForte Pte Ltd headed down to FAST to conduct a painting session with 23 FDWs, alongside the kind help of local and foreign artists who volunteered their time to guide them. What seemed initially clumsy as FDWs of different nationalities attempted to communicate with each other soon became a heartening sight where barriers were broken through the sharing of paint, and the sharing of stories.

An afternoon of painting uncovered more than just the talents many of these FDWs had. More importantly, it uncovered the stories behind their art. Some ladies chose to draw things that might seem meaningless to the observer, but which hold deep meaning for them. One Filipino lady drew many ring taps forming a necklace. When asked, she revealed that it was a good luck charm her cousin had collected and made for her before she left for Singapore.

A Sri Lankan lady painted the lanterns of Chinatown. She mused that these lanterns were one of the first things she saw when she arrived in Singapore 20 years ago. She began tearing as she recounted her long and difficult journey in Singapore.

Another Filipino lady drew a picture of a saint which was in a small booklet given to her when she left the Philippines 22 years ago. She still carries the booklet with her till this day and took it out to show us.

Others chose to pen slogans that they wanted others to know about, such as “I only respect others who respect me when I’m not around” and “DREAMS… I’m almost there”.

Such was an afternoon that returned to our FDWs the voices that should’ve been heard long ago.

In January this year, PracticeForte Advisory (the professional network of lawyers, accountants, forensic professionals, business consultants, mediators, therapists and counsellors managed by PracticeForte Pte Ltd) set a twin pillar focus of “Building Peace, Building Expertise”. Advocating for mediation as a suitable dispute resolution mechanism between employers and FDWs is part of a series of our “Building Peace” initiatives. A special event, organised in conjunction with our third anniversary on 5th August 2018, will include an exhibition of these artwork. Painted on cotton canvas bags, they will be displayed at the Chinatown Heritage Centre in the month of August. A tour of the museum which illustrates the lives of migrants in Singapore both past and present will, we hope, help all who attend come to a greater awareness of the lives of the FDWs surrounding them.

Our Garden Revelry

The 5^th of August 2016 was the celebration of PracticeForte’s first birthday since its incorporation. We called it Our Garden Revelry.

We celebrated with guests and affiliates from PracticeForte Advisory this year. Future affiliates (who just joined us on 15th Nov 2016) like Ms June Lim, Mr Andrew Ho and Ms Low Seow Ling, lawyers of Eden Law Corporation, were also present.

From April to August 2016, in that span of 3 over months, our affiliates grew from two firms to five firms, three individual members to ten, when Mr Edward Ta said yes to us at our Garden Revelry and joined Mr Wan Yew Fai as a consultant in Strix Strategies Pte Ltd.

Now back to the party….

“Our Garden Revelry” was coined to complement the outdoor setting of our celebration, a private garden on Mount Emily. We did the place up in a bohemian theme with a rustic touch.

35 distinguished guests made it to celebrate our 1^st anniversary. Everybody appeared to be having a good time. We were complimented for the great company of people, not to mention the food and the drinks, music and ambience.

From the outset, food and drinks were our main focuses. We wanted epicurean if not gourmet. We had champagne (courtesy of Mr Peh Hong Yee of PHY Law Corporation), a bottle of a really fine red and Japanese craft beer from Ms Faith Ng of fsLaw, bottles and bottles of reds and whites, Moscato and dozens of craft beers. It was a night of as much as you can drink alcohol to pair with perfectly barbequed Wagyu and Angus beef, rosemary marinated lamb rack, premium sausages, succulent giant scallops and squids.

We were grateful for the good weather and most importantly the extraordinary company. I dare say Our Garden Revelry was a success, testament to that is the fact that our last guest left at 2 am.