“Criminals will take advantage of any situation and use that situation to meet their ends,” sais Brian Honan, CEO of BH Consulting. This sad reality is becoming increasingly apparent in regard to the COVID-19 pandemic currently engulfing the world.
On top of the public health and economic challenges people, businesses and governments are facing, cyber-criminals are finding new ways of using the turbulence and uncertainty to access and steal private information. Phishing scams are, of course, already a common tactic used by cyber-criminals but, in the context of COVID-19, pose an especially major threat to businesses and individuals alike. It is critical that everyone is extra vigilant during this period.
Targeting of Individuals
That is easier said than done. Clearly, people are fearful, first and foremost, for their health; this fear means individuals are more vulnerable to cyber-attacks than usual. Hagay Katz, vice-president, strategic accounts, cybersecurity at Allot, noted: “Cyber-criminals will take advantage of any event that allows them to get profit from their malicious actions. However, unlike other events that bring a lot of public attention (sports, concerts, etc.), in this case, the cyber-criminals use fear to create a sensation of urgency in the victim to reduce their security awareness.”
The sheer number of individuals affected by COVID-19 makes this a rare opportunity for cyber-villains to use phishing scams. Ed Tucker, co-founder of Human Firewall, said: “The beauty here is that COVID-19 is truly global and in the face of almost every human upon the planet. It is the perfect hook for criminals to use, and that is what they want. A hook that is likely to get the most bites; certainly, when we look at volumetric threats of this nature.”
Messages purporting to be from official bodies such as governments, healthcare services and the World Health Organization (WHO), have emerged in the last few weeks through emails, texts and other mediums. These include supposedly official updates and advice, with people encouraged to click on links and download attachments. Cyber-criminals have also been playing on people’s sense of decency, including impersonating charities associated with the WHO to request donations in bitcoin currency to help frontline efforts.
“Cyber-criminals use fear to create a sensation of urgency in the victim to reduce their security awareness”
“Cyber-criminals disguise themselves as reliable sources such as ministries of health, centers for public health or important figures in a relevant country. The email states that the attached file contains critical information about coronavirus to create the feeling of urgency in the victim. This lowers the receiver’s guard against potential cyber-threats,” outlined Katz.
Phishing emails selling fake treatments for COVID-19 as well as other medical equipment, such as surgical masks, are also an emerging threat. Sophos has observed that there “are limitless quantities of spams pitching expensive guaranteed corona-proof masks, videos on how to construct your bunker and other ‘guides’ to keeping your business or family safe.”
As well as tapping into people’s concerns over their health, criminals are devising phishing scams that play on the real economic hardships being faced due to businesses shutting as a result of strict new social distancing measures. Emergency packages put together by governments to help individuals navigate this period is another angle ripe for exploitation. Honan commented: “We’ve seen issues in the UK and elsewhere where emails are sent pretending to be from the revenue service asking people for their details so they can get unemployment benefit or any other relief that the government is offering regarding COVID-19.”
“Cyber-criminals disguise themselves as reliable sources such as ministries of health, centers for public health or important figures in a relevant country”
Targeting of Businesses
Thankfully, many businesses have so far been able to continue to operate remotely. Nevertheless, whilst working from home is a phenomenon that has grown in recent years, having an entire company workforce do so at the same time presents further chances for phishing emails to be sent. It is fair to say that employees working from home are especially vulnerable at the current time, as they are often less on their guard than normal.
“In normal circumstances when you’re working from home you may have a dedicated office space, the children may be at school and your partner may be working elsewhere,” explained Honan. “During a pandemic, people are a lot more distracted, stressed out, worried and anxious for information, so it’s not really working from home: it’s working through a pandemic. Criminals will be leveraging off that.”
Additionally, most inter-company communication must now take place electronically, which pours extra fuel on the fire in regard to phishing opportunities. “From a business point of view criminals will know that and could send out emails pretending to be from HR departments, looking for staff to log in,” added Honan.
Cybersecurity Practices
Another major problem is that current security systems and practices are extremely difficult for businesses to maintain during this period. Many simply do not have the infrastructure in place to cater for most, if not all their workforce to be working from home. People using their own computers to work and a lack of physical access to employee’s devices only exacerbate this issue. Adapting approaches is therefore critical to prevent phishing emails from causing damage. In Tucker’s view, in the short-term, it’s about adequate communication and encouraging employees to remain vigilant about possible threats.
“Realistically we are in the midst of major change, in terms of workforce and business operations, so the likelihood of making any serious step change in security approaches is zero. It needs to be small, incremental-improvement focused,” he advised. “Raise awareness through as many means and mediums as possible. However, cognizance of the current upheaval most organizations are in the midst of must also be in mind. It is very easy to overload people but getting short sharp messages out regularly to staff about the potential threat from such phishing emails will help. You can also promote a ‘near-miss’ approach, where employees advise you of any such themed emails landing in their inbox (or calls and SMS).”
The health, social and economic implications of the COVID-19 pandemic are creating a unique opportunity for phishing scams to attack individuals and businesses. The ability to follow basic advice and common sense in regard to phishing scams is more difficult than usual due to the panic and uncertainty being felt. It is therefore vital that governmental organizations and businesses strongly communicate the need for extra vigilance at this time, reinforcing standard practices like double-checking the source of messages and suspicious looking addresses, as well as checking legitimate sources first. This should form part of the overall approach to protecting individuals and businesses during this difficult time.