If you got an email from the World Health Organization relating to the coronavirus outbreak, would you open it? Would you download attachments and click through links for more information, and maybe provide some personal details that you believed would protect you and your family? Cybercriminals believe that some, if not most, of us will.
Cyber Attacks Capitalizing on Coronavirus (COVID-19)
Since the start of this year we’ve seen increased coverage of the coronavirus (officially known as COVID-19). However, public health is not the only threat; criminals are looking to capitalize on the fear and uncertainty caused by the outbreak to fuel fraudulent activity designed to steal personal information and money, and infect computers with malware.
Over the years, fraudsters have become more sophisticated, using social psychology and topical ploys to trick consumers who have likewise become more sophisticated and better at avoiding more common scams. Recent examples of phishing emails demonstrate this in practice.
At first glance, this could easily be mistaken for a legitimate email from the WHO. The subject line is intentionally alarming and designed to encourage the recipient to open it. The logo and domain used also add credibility. The numerous scams have prompted the WHO to release an advisory notice urging people to be vigilant.
There have also been reports of phishing attempts aimed directly at businesses. The emails have directed recipients to download a Microsoft Word document for more information. Once downloaded, the Word file activated malware, allowing the attackers to access sensitive data. “The malware actors doing this… clearly understand the economic concerns surrounding the Coronavirus,” Sherrod DeGrippo, Proofpoint’s Senior Director for Threat Research and Detection, wrote in a blog post.
Financial Regulators Respond
The rise in these scams has also caught the attention of regulators. In China, the China Banking and Insurance Regulatory Commission (CBIRC) announced that domestic banks have received multiple complaints about the “false information on the disease situation to defraud or harm the interests of consumers.” There have been a variety of cases, including emails telling victims of transport and hotel cancellations. Victims are encouraged to click on links or call phone numbers to receive refunds, which fraudsters then use to obtain sensitive information.
The Monetary Authority of Singapore (MAS) has also issued a statement that its officers would never ask for personal banking information or security login credentials from members of the public. This statement was made following reports of fraudulent calls, impersonating MAS staff, requesting personal or bank details. The phone calls often involve notifying the receiver that their bank account has been locked or suspended. The victim is then asked to provide information such as their internet banking user ID and password.
It is likely that criminals will continue to exploit times of heightened sensitivity for their own fraudulent gains; however, there are things that you can do to protect yourself and your organization:
- Never disclose personal details, including those relating to your bank account, over the phone. Double-check who is calling you, and ask for a number you can call back on to verify the caller's legitimacy.
- Email addresses can easily be spoofed and, at first glance, may appear to come from legitimate-looking domains. Do not be fooled by the sender’s display name; check the actual address.
- Read messages carefully; typos and spelling mistakes should be treated as red flags.
- Examine a URL before clicking on it, especially if it arrived in an unsolicited email sent directly to you. Instead, navigate to the page yourself from the organization’s homepage or via a search engine.
- Never enter your personal credentials when an email redirects you to a web page or to a document for download.
- Be wary of any communication that tries to make you act on impulse by provoking strong emotions such as alarm or fear.
- If you believe your password has been compromised, change it immediately, and be sure not to reuse the same password on more than one site. Where possible, use 2FA as an added layer of protection.
As an ISO 27001-certified company across all systems and locations, we wanted to end with some practical examples of what we do here at ComplyAdvantage to protect ourselves and our customers.
- Security awareness. All staff meet a high standard of training and receive regular, practical guidance on how to spot and report these attacks. We use training that is engaging and current so that people actually learn (no death-by-PowerPoint sessions!).
- Reminding our employees and clients that no member of our team will ever ask for sensitive account details over email. It is a simple rule, but it is where the easiest mistakes are made.
- In-house simulated phishing attacks. Our Information Security Team conducts monthly simulated phishing campaigns against all of our staff, including C-level executives, and additional, positively framed training is given to those who need it.
- Senior Leadership Team commitment. Our SLT is fully engaged and proactive in our Information Security program and meets regularly to discuss and mitigate the risks facing our company, our clients and our supply chain.
- Phishing reporting functionality is built into our browsers, enabling employees to report suspected phishing to the Information Security team immediately and effectively.
Read more on how ComplyAdvantage approaches security here.