With the COVID-19 crisis sweeping the globe, cyber criminals are aiming to exploit people’s fear and uncertainty, preying on the weaknesses most businesses and individuals currently face, including temporary closures.
Scammers and fraudsters are taking advantage of rapidly changing data and facts associated with COVID-19, both in the workplace and in our homes. Government agencies, corporations, and news outlets continue to warn individuals to be mindful of increased fraudulent activities during these uncertain times.
These scams, which can arrive by email, text message, and social media, claim to provide COVID-19 updates, sell products, ask for charitable donations, or reference government aid packages. The messages appear legitimate but are designed to harvest personal information, extract money, and create panic. Use the following tips to spot cyber criminals and avoid scams:
- Watch for emails claiming to come from the Centers for Disease Control and Prevention (CDC) or from experts claiming to have inside information on the virus. There are currently no vaccines, potions, lozenges, or other products available online or in stores that treat or cure COVID-19.
- Do your homework before donating to charities or crowdfunding campaigns. Confirm that the organization is genuine, as cyber criminals are now advertising fake charities. Do not let anyone rush you into a donation, particularly anyone who asks for cash, gift cards, or a wire transfer.
- Do not click on links or open attachments from sources you do not know. Cyber criminals are using COVID-19 headlines as a lure to spread malware and steal information. Do not provide personal, payment, or sensitive workplace information in response to a suspicious email.
- Be suspicious of urgent demands and emergency requests. Your health and your family’s safety are the top priority, and scammers exploit exactly that: do not fall for threats of fees or fines, cancelled deliveries, or health scares used to pressure you into paying.
- If it sounds too good to be true, it likely is. Many people have begun receiving robocalls and social media requests for Social Security numbers, banking information, and gift cards. Scammers promise high-paying work-from-home opportunities, free sanitation and cleaning, and COVID-19 protection in exchange for payment and sensitive information.
- Be mindful of scammers using government aid packages for criminal gain. Lawmakers have announced plans to send Americans checks to ease the financial burden of the virus, with details still under discussion. The government will not request payment, and no one will contact you requesting sensitive health or financial information in exchange for financial support.
- Get your news from a trusted source. Be mindful of text message scams, social media polls, and fraudulent email accounts spreading false information to create panic. Before acting on information, review its source and confirm it with a trusted news outlet.
When in doubt, ask a coworker, family member, or friend for a second opinion; two sets of eyes are better than one. If you believe you have fallen victim to a scam, call your local police at their non-emergency number and consider filing a report with the FBI’s Internet Crime Complaint Center (IC3).
Now more than ever, as operations move onto additional digital platforms, their exposure to cyber risk grows with them.
While dealing with and recovering from the aftermath of the pandemic, businesses are at higher risk of becoming victims of cyber attacks. In one prevalent fraud tactic, social engineering, cyber criminals first gather information, then build relationships with key people, and finally execute their plan, often via email. Gone are the days when malicious actors sent poorly worded emails; today’s methods are sophisticated and can fool even well-trained employees into releasing sensitive data.
Several social engineering methods are seen frequently, including the following:
• Business Email Compromise (BEC)/Email Phishing: The email accounts of high-level executives (CEO, CFO, etc.) are spoofed or taken over. From the impersonated or compromised account, a request for a wire transfer, W-2 forms, or other sensitive information is sent to someone responsible for processing transfers. The demand is usually framed as urgent or time sensitive.
  - Spear Phishing: A spear phishing email is aimed at a particular individual or organization with the goal of gaining unauthorized access to valuable information. These attacks are not the work of random attackers but of people after trade secrets, financial gain, or military intelligence. Spear phishing emails appear to originate from someone inside the recipient’s own organization or from someone the target knows personally.
  - Whale Phishing: Whaling is phishing that targets high-profile, senior employees such as the President or CEO. It aims to steal vital information, since those in senior positions tend to have broad access to sensitive data. The term signifies the size of the target, and whales are chosen based on their position in the organization. Because they are so carefully tailored, whaling attacks are harder to spot than standard phishing.
• Interactive Voice Response/Phone Phishing (aka vishing): An automated phone system delivers a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond in order to “verify” confidential information.
• Bogus Invoice: A business with a long-standing supplier relationship is asked by email to wire payment for an invoice to an alternate, fraudulent account. The request, and often the sender’s address, closely resembles legitimate correspondence, and it takes very close scrutiny to tell that it is fraudulent.
According to the FBI’s 2019 Internet Crime Report, BEC scams were, by a considerable margin, the most damaging and effective type of cyber crime in 2019.
Accounting for half of last year’s reported cyber crime losses, BEC attacks cost victims $1.77 billion, roughly $75,000 per complaint. Given the rising incidence of social engineering fraud, especially in these challenging times, all companies should implement basic risk avoidance measures:
- Educate and train your employees so they can stay vigilant and recognize fraudulent requests.
- Establish a procedure requiring any verbal or emailed request for a transfer of funds or information to be confirmed in person or by phone with the person who supposedly made it, using contact details already on file rather than those supplied in the request.
- Consider two-factor authentication for high-level IT and financial functions, and dual signatures (two approvers) on wire transfers above a set threshold.
- Avoid free web-based email for business: establish a private company domain and use it to create the organization’s email accounts.
- Be careful about what is posted to social media and company websites, especially job duties and descriptions, organizational hierarchy, and out-of-office details.
- Do not open spam or unsolicited email from unknown parties, and do not click links in such email. These often carry malware that gives the attacker access to your systems.
- Do not use the “Reply” option to respond to any financial email. Instead, use “Forward” and type the correct address or select it from the address book, so the message goes to the intended recipient rather than to whatever Reply-To address the sender set.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted at a personal email address when all previous official correspondence used a company account, the request could be fraudulent.
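As an added example (it is not code from the original article, and every domain, name and message in it is invented), the following Python script turns the warning signs from the list of social engineering methods above and the countermeasures in this list into screening heuristics run over constructed email messages: an executive’s display name on a mailbox that is not theirs, a Reply-To that would divert a reply to another domain (the reason for the Forward-instead-of-Reply advice), a sender domain one or two characters away from a trusted supplier or the company itself, an urgent request involving funds or W-2s, a message announcing changed bank details, and a contact moving correspondence to personal webmail. The company domain, executive list and supplier list are assumptions that a real deployment would load from its own directory.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed facts for this example (all invented): the company's own domain, the
# executives whose names a scammer would borrow, and the approved suppliers.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"pat doe": "pat.doe@example-corp.com"}   # display name -> real mailbox
KNOWN_SUPPLIERS = {"acme-supplies.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

URGENT = re.compile(r"\b(urgent(ly)?|immediately|asap|today|right away|confidential)\b", re.I)
FINANCIAL = re.compile(r"\b(wire( transfer)?|w-?2s?|bank account|invoice|routing number|gift cards?)\b", re.I)
CHANGED_PAYMENT = re.compile(r"\b(bank|account|routing|payment)\b.{0,30}\b(new|updated|changed)\b"
                             r"|\b(new|updated|changed)\b.{0,30}\b(bank|account|routing|payment)\b", re.I)
PERSONAL_MAIL = re.compile(r"\bpersonal (e-?mail|address)\b", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small distance between different domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted, max_dist=2):
    """Return the trusted domain that `domain` imitates (close but not equal), else None."""
    for t in sorted(trusted):
        if domain != t and edit_distance(domain, t) <= max_dist:
            return t
    return None


def screen(raw):
    """Return the social-engineering indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings = []
    # Executive impersonation: a known executive's name on a mailbox that is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(f"executive name '{from_name}' on unexpected address {from_addr}")
    # Reply-To diversion: pressing Reply would send the answer to a different domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Lookalike domain imitating the company or an approved supplier.
    imitated = lookalike(from_dom, KNOWN_SUPPLIERS | {COMPANY_DOMAIN})
    if imitated:
        findings.append(f"sender domain {from_dom} resembles {imitated}")
    # Urgent request for funds or sensitive records: the classic BEC pattern.
    if FINANCIAL.search(text) and URGENT.search(text):
        findings.append("urgent request involving funds or sensitive records")
    # Sudden change in payment details: the bogus-invoice pattern.
    if CHANGED_PAYMENT.search(text):
        findings.append("message announces changed bank or payment details")
    # A contact moving official correspondence to a personal webmail account.
    if from_dom in FREE_WEBMAIL and PERSONAL_MAIL.search(text):
        findings.append(f"asks to continue via personal webmail ({from_dom})")
    return findings


# Constructed sample messages (not real mail): a spoofed executive wire request,
# a bogus invoice from a lookalike supplier domain, and a normal invoice.
SPOOFED_EXEC = """From: Pat Doe <pat.doe@example-corp.com>
Reply-To: pat.doe.ceo@gmail.com
To: payroll@example-corp.com
Subject: Urgent wire needed today

Stuck in meetings. Please process a wire transfer of $48,500 to the vendor
below right away and keep this confidential. Pat
"""
BOGUS_INVOICE = """From: Accounts <billing@acme-suppiles.com>
To: ap@example-corp.com
Subject: Invoice 4471 - updated bank details

Our bank account has changed. Remit invoice 4471 to the new routing number in
the attached remittance form.
"""
LEGIT_INVOICE = """From: Jordan Lee <jordan.lee@acme-supplies.com>
To: ap@example-corp.com
Subject: Invoice 4470 attached

Please find attached invoice 4470, payable on our usual 30-day terms.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed exec", SPOOFED_EXEC), ("bogus invoice", BOGUS_INVOICE),
                       ("legit invoice", LEGIT_INVOICE)]:
        print(label, "->", screen(raw) or ["no indicators"])
```

Heuristics like these are a triage aid, not a verdict: an empty result on the legitimate invoice does not prove it is safe, and the real control remains the call-back to a number already on file. The edit-distance threshold of 2 catches the transposition in acme-suppiles.com, but on a long supplier list it can also pair two genuinely distinct short domains, so tune it against your own data.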
Despite these efforts, organizations can still fall victim to a social engineering scheme. Such incidents can be reported to the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center.
The initial concern after such an event usually focuses on the amount of money stolen. There can be an even greater threat, however, because these incidents often involve the compromise of personally identifiable information that can later be used for identity theft against many people. That typically triggers legal obligations to investigate and to notify affected individuals and regulators, and it often leads to litigation and significant financial and reputational harm. The costs of complying with privacy law can include fines, legal fees, IT forensics, credit monitoring for affected individuals, mailing and call center fees, and public relations costs.
Fortunately, the insurance industry has developed policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access to protected or sensitive information. However, the insurance buyer needs to be wary of policy terms and coverage limitations. For example, some crime policies contain exclusions for voluntary transfers of funds, even when the funds were unknowingly sent to a criminal; other insurers add language to crime or cyber policies to cover exactly this situation.
Having a knowledgeable specialist walk you through the exposures and address them with the right insurance product helps protect your balance sheet and limit the damage when an event occurs. The most effective risk management plans aim to prevent social engineering fraud from happening and to mitigate the damage if it does.
Working with a specialty insurance broker who understands the coverage issues and negotiates coverage tailored to your business’s risks is key to protecting your balance sheet and limiting further disruption from cyber criminals. Most importantly, stay safe and vigilant, and we will get through these times together.