COVID-19 Scams: Phishing in a Pandemic
The sad fact of the matter is that when there is a crisis, cybercriminals will follow to exploit those who are in a panic. We saw this locally with the bushfires at the start of 2020, and we’re now seeing it on a global scale as a result of the COVID-19 pandemic. For the Australian public, Scamwatch has reported a loss of over $700,000 so far from COVID-19 related email scams since the start of the pandemic.
These types of events breed fear and anxiety amongst the general public and businesses, which is exactly what attackers prey on. Fear and anxiety can negatively impact rational decision making in a big way, and during these crises scams against vulnerable targets can increase by up to 96%.(1) In this blog I wanted to share with you some of the types of COVID-19 related email attacks we’ve seen across the industry, from both a business and a consumer perspective, and some of the steps you can take to protect your organisation from falling victim.
Business Email Compromise (BEC)
For many businesses at this time, good cash-flow is key, and criminals leverage people’s inherent good nature to help out their suppliers and third parties by paying promptly when they can. There has been a significant uptick in cybercriminals spoofing third parties, providing fraudulent bank details and citing cash flow as a reason for urgent requests.(2)
It isn’t new for attackers to spoof enterprise brands such as Microsoft or Google, but during this time cybercriminals have pivoted the messaging and social engineering used in these attacks. They spin up fraudulent Microsoft sites and request that end-users provide their credentials as part of “remote working enrolment”, or as part of a mandatory COVID-19 policy update they are required to access and read via their OneDrive.(3)
On an individual level, cybercriminals have been spoofing senior executives within organisations, making fraudulent requests to team members in departments such as Accounts or HR. They exploit the fact that the vast majority of end-users aren’t in the office and are therefore unable to corroborate a request in person. Additionally, they prey on employees who may be feeling insecure in their job during this time and so are trying to ensure they do everything that is asked of them in a timely manner.(4)
Government Scams
There has been an influx of phishing and smishing campaigns spoofing Australian government services. The most reported include fake text messages purporting to be from the Department of Human Services and pretending to provide links to Government advice on the pandemic, leading the user to a fraudulent site that steals credentials. There has also been increased impersonation of the Australian Taxation Office, with phishing campaigns sending fake subsidy or tax refund notifications.(2)
There have also been various campaigns where cybercriminals have purported to be the World Health Organization (WHO). In these cases, the attackers claim to provide updates on restrictions or testing via malicious attachments or links that then install malware and steal sensitive information.(5)
Superannuations & Banks
As many individuals who have suffered a loss of income attempt to take advantage of the early access the Government has provided to superannuation, cybercriminals have begun targeting them for this. They send fake emails informing people that they can assist them in accessing their superannuation, either charging a fee for this “service” or requesting personal information and then stealing the superannuation funds for themselves.(2)
Similarly, many banks across Australia are advising their customers to be vigilant during this time, with phone calls, email and text messages all being used to execute brand spoofing. These fraudulent sites ask individuals to “confirm your credentials”, which the fraudsters then use for their own gain.
Fake Online Stores & Puppy Scams
With the panic buying of toilet paper, hand sanitiser and face masks, cybercriminals moved to cash in on unsuspecting individuals, creating fake online stores that offer these supplies, and sometimes even a vaccine for the virus, which unfortunately individuals have fallen for.
A stranger one, I know, but the ACCC has also reported a number of puppy purchasing scams as a result of the pandemic. As more people have moved to working from home, there has been an increase in individuals wanting to purchase canine companions, which cybercriminals have exploited by creating fake sites or running fraudulent adverts. So far, the Australian public has lost almost $300,000 as a result of these scams.(2)
Security Recommendations
The range of these scams shows that every industry is a target, and the reason they are so rife is that they work. Here are some of our recommendations, from an organisation’s perspective, on how you can mitigate these threats for end-users.
1. Security awareness training – if you are familiar with InfoTrust you will know this is a point we stress regularly; people are your last line of defence. I would strongly advise some kind of security awareness training or education for your end-users on the kinds of fraudulent emails they should be looking out for, and on the steps they should take if they believe an email to be malicious.
2. Enable Multi-Factor Authentication (MFA) – for all your services and applications that hold business-sensitive data, we would strongly advise that you enable MFA for your end-users. This is a quick way to stop an attacker in their tracks and significantly decrease the chance of them successfully completing an Account Takeover attack.
3. Configure your impersonation controls – any secure email gateway solution worth its salt will have impersonation controls available for your business to utilise. Stringent policies should be put in place to protect the employees who are most likely to be impersonated, e.g. CEOs, CFOs and other senior executives.
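To make recommendation 3 concrete, the following is an added example (not InfoTrust’s code, and not taken from any gateway product) of the kind of checks an impersonation control applies to an inbound message: a protected executive’s display name arriving from an external address, a sender domain that is a near lookalike of the organisation’s own, and a Reply-To that redirects replies elsewhere. The organisation domain, executive names and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr, getaddresses
from typing import List

# Constructed values: the organisation's own domain and the executives most
# likely to be impersonated, as an impersonation policy would list them.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"Jane Doe", "John Smith"}

def _normalise(name: str) -> str:
    """Lower-case and sort the words of a display name so 'Doe, Jane' == 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def impersonation_findings(raw_message: str) -> List[str]:
    """Return the impersonation-control findings for one message (empty list = clean)."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    protected = {_normalise(n) for n in PROTECTED_NAMES}
    if _normalise(display_name) in protected and domain != ORG_DOMAIN:
        findings.append("protected display name from external address")
    if domain and domain != ORG_DOMAIN and _edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {domain}")
    reply_to = getaddresses(msg.get_all("Reply-To", []))
    reply_domains = {a.rsplit("@", 1)[-1].lower() for _, a in reply_to if "@" in a}
    if reply_domains and domain and reply_domains != {domain}:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample: a CEO-impersonation message typical of the BEC requests above.
SAMPLE_BEC = (
    "From: Jane Doe <ceo.office@gmail-mail.test>\n"
    "Reply-To: <payments@another-mail.test>\n"
    "Subject: Urgent supplier payment - cash flow\n\n"
)

if __name__ == "__main__":
    print(impersonation_findings(SAMPLE_BEC))
```

A real gateway policy would add DMARC/SPF results and a larger name list, but the three signals above are the core of what "impersonation controls" evaluate.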
If you believe you or someone you know has personally fallen victim to a scam, check out Scamwatch’s help page, which provides support and advice.
References
1. Channel 7
2. Scamwatch
3. Mimecast – 100 days of COVID-19
4. Security Brief
5. ACSC Threat Update