COVID-19 Scams: Phishing in a Pandemic
The sad fact is that wherever there is a crisis, cybercriminals follow to exploit those who are in a panic. We saw this locally with the bushfires at the start of 2020 and we are now seeing it on a global scale as a result of the COVID-19 pandemic. For the Australian public, Scamwatch has reported losses of over $700,000 from COVID-19 related email scams since the start of the pandemic.
These events breed fear and anxiety among the general public and businesses, which is exactly what attackers prey on. Fear and anxiety impair rational decision making in a big way, and during these crises scams against vulnerable targets can increase by up to 96%.(1) In this blog I wanted to share some of the types of COVID-19 related email attacks we have seen across the industry, from both a business and a consumer perspective, and some of the steps you can take to protect your organisation from falling victim.
Business Email Compromise (BEC)
For many businesses at this time, good cash flow is key, and criminals are leveraging people's inherent willingness to help suppliers and third parties by paying promptly when they can. There has been a significant uptick in cybercriminals spoofing third parties, supplying fraudulent bank details and citing cash flow as the reason for an urgent request.(2)
It is nothing new for attackers to spoof enterprise brands such as Microsoft or Google, but during this period cybercriminals have pivoted the messaging and social engineering used in these attacks. They spin up fraudulent Microsoft sign-in pages and ask end-users to enter their credentials as part of "remote working enrolment", or to read a mandatory COVID-19 policy update that they supposedly need to open via OneDrive.(3)
On an individual level, cybercriminals have been spoofing senior executives within organisations and making fraudulent requests to staff in departments such as Accounts or HR. They exploit the fact that the vast majority of end-users are not in the office and therefore cannot walk over to corroborate a request, and they prey on employees who may be feeling insecure in their jobs during this time and so try to complete everything asked of them as quickly as possible.(4)
Government Scams
There has been an influx of phishing and smishing campaigns spoofing Australian government services. The most reported include fake text messages purporting to come from the Department of Human Services and offering links to Government advice on the pandemic, which instead lead the user to a fraudulent site that steals credentials, and increased impersonation of the Australian Taxation Office, with phishing campaigns carrying fake subsidy or tax refund notifications.(2)
There have also been various campaigns in which cybercriminals purport to be the World Health Organization (WHO). In these cases the attackers claim to provide updates on restrictions or testing via malicious attachments or links, which then install malware and steal sensitive information.(5)
Superannuations & Banks
As many individuals who have suffered a loss of income try to take advantage of the early access to superannuation that the Government has provided, cybercriminals have begun targeting them for it. They send fake emails offering to help people access their superannuation, either charging a fee for the "service" or requesting personal information and then stealing the superannuation funds for themselves.(2)
Similarly, many banks across Australia are advising their customers to be vigilant during this time, with phone calls, emails and text messages all being used to spoof their brands. These fraudulent sites ask individuals to "confirm your credentials", which are then used by the fraudsters for their own gain.
Fake Online Stores & Puppy Scams
With the panic buying of toilet paper, hand sanitiser and face masks, cybercriminals moved to cash in on unsuspecting individuals, creating fake online stores that offer these supplies, and sometimes even a vaccine for the virus, which unfortunately individuals have fallen for.
A stranger one, I know, but the ACCC has also reported a number of puppy purchasing scams as a result of the pandemic. As more people have moved to working from home, there has been an increase in people wanting to buy canine companions, which cybercriminals have exploited by creating fake sites or running fraudulent adverts. So far the Australian public has lost almost $300,000 to these scams.(2)
Security Recommendations
The range of these scams shows that every industry is a target, and the reason they are so rife is that they work. Here are some of our recommendations, from an organisational perspective, on how you can mitigate these threats for your end-users.
1. Security awareness training – if you are familiar with InfoTrust you will know this is a point we stress regularly: people are your last line of defence. I would strongly advise some form of security awareness training or education for your end-users on the kinds of fraudulent emails they should be looking out for, and on the steps they should take if they believe an email is malicious.
2. Enable Multi-Factor Authentication (MFA) – for all services and applications that hold business-sensitive data, we strongly advise enabling MFA for your end-users. It is a quick way to stop an attacker in their tracks and significantly decreases the chance of a successful Account Takeover. One caveat: MFA based on one-time codes or push approvals can still be defeated by phishing pages that relay the victim's session in real time, so where the data justifies it, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys for the accounts most likely to be targeted.
3. Configure your impersonation controls – any secure email gateway solution worth its salt will have impersonation controls available to your business. Stringent policies should be put in place to protect the employees most likely to be impersonated, e.g. CEOs, CFOs and other senior executives: at a minimum, flag inbound mail whose display name matches one of them but whose address is external, mail from lookalike or newly registered domains, and mail where the Reply-To address does not match the sender.
If you believe you or someone you know has personally fallen victim to a scam, check out Scamwatch's help page, which provides support and advice.
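To make the third recommendation concrete, here is an added example (not InfoTrust's code, nor the logic of any particular email gateway product) of the checks an impersonation policy typically performs: a protected list of senior staff matched against the decoded display name, a lookalike-domain test against the organisation's own domains, and a Reply-To mismatch check. The internal domain `example.com`, the protected names and the sample messages are all constructed for illustration.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr
from typing import Optional

# Hypothetical policy inputs: the organisation's own domains and the staff most
# likely to be impersonated (a real gateway would read these from its config).
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane smith", "tom nguyen"}  # e.g. CEO and CFO


def normalise(name: str) -> str:
    """Fold case, strip accents and invisible characters and collapse whitespace,
    so 'JANE  SMITH' and 'Jane Smíth' both become 'jane smith'."""
    decomposed = unicodedata.normalize("NFKD", name)
    kept = "".join(c for c in decomposed
                   if not unicodedata.combining(c) and c.isprintable())
    return " ".join(kept.lower().split())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """True for an external domain that is one edit away from an internal domain
    (examp1e.com) or embeds its first label (example-payments.net)."""
    if domain in INTERNAL_DOMAINS:
        return False
    for internal in INTERNAL_DOMAINS:
        if levenshtein(domain, internal) <= 1:
            return True
        if internal.split(".")[0] in re.split(r"[.-]", domain):
            return True
    return False


def decode_address(header_value: str):
    """Return (display name, address, domain), decoding RFC 2047 encoded words
    first so an attacker cannot hide the name behind =?UTF-8?B?...?=."""
    decoded = str(make_header(decode_header(header_value)))
    display, addr = parseaddr(decoded)
    return display, addr.lower(), addr.rpartition("@")[2].lower()


def check_sender(from_header: str, reply_to_header: Optional[str] = None) -> list:
    """Evaluate one inbound message's From (and optional Reply-To) header."""
    findings = []
    display, addr, domain = decode_address(from_header)
    name = normalise(display)
    internal = domain in INTERNAL_DOMAINS

    if not internal and any(p in name for p in PROTECTED_NAMES):
        findings.append(f"display-name impersonation: '{display}' sent from external address {addr}")
    if not internal and lookalike(domain):
        findings.append(f"lookalike domain: {domain}")
    if reply_to_header:
        _, rt_addr, rt_domain = decode_address(reply_to_header)
        if rt_domain != domain:
            findings.append(f"reply-to mismatch: From {domain} but replies go to {rt_addr}")
    return findings


# Constructed sample traffic (id, From, Reply-To); none of it is real mail.
SAMPLE_MESSAGES = [
    ("msg1", "Jane Smith <jane.smith@example.com>", None),
    ("msg2", "Jane Smith <jane.smith.ceo@gmail.com>", None),
    ("msg3", "=?UTF-8?B?SmFuZSBTbcOtdGg=?= <finance-urgent@outlook.com>", None),
    ("msg4", "Tom Nguyen <tom.nguyen@examp1e.com>", None),
    ("msg5", "Accounts Payable <ap@example.com>", "Accounts Payable <ap@example-payments.net>"),
]


def scan(messages=SAMPLE_MESSAGES) -> dict:
    """Run the checks over (id, From, Reply-To) tuples; return only messages with findings."""
    results = {}
    for msg_id, from_header, reply_to in messages:
        findings = check_sender(from_header, reply_to)
        if findings:
            results[msg_id] = findings
    return results


if __name__ == "__main__":
    for msg_id, findings in scan().items():
        print(msg_id, "->", "; ".join(findings))
```

Run as a script it reports msg2 through msg5 and stays silent on the genuine internal message. The point of the normalisation step is that matching on the raw display name is not enough: an encoded-word header, an accented character or a zero-width space all defeat a naive string comparison while looking identical to the recipient. The edit-distance threshold and the label test are deliberately conservative; a production policy would add newly registered domain and homoglyph checks on top.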
References
1. Channel 7
2. Scamwatch
3. Mimecast – 100 days of COVID-19
4. Security Brief
5. ACSC Threat Update