Winston Churchill once said “never let a good crisis go to waste,” and this appears to be the mantra of fraudsters in relation to the ongoing COVID-19 pandemic. The introduction of unprecedented social distancing restrictions around the world has forced people to increasingly rely on the internet for a whole swathe of services and entertainment, ranging from shopping to dating. This is not to mention the dramatic shift to home working across many organizations that has taken place. These trends have significantly widened the attack landscape for cyber-villains, and they are taking full advantage.
“Whether its common or non-technical fraud activity or highly sophisticated threat actors perpetrating large campaigns, fraud is always on the rise. With people working more from home and everybody being forced to connect remotely, the dependence on products and services that support this model have gone through the roof,” noted Brandon Hoffmann, CISO at Netenrich.
For example, recent studies have found that financial fraud attempts rose by 33% in the UK in April, the country’s first full month of lockdown, buy online, pick-up in store rose by 55% during the first half of 2020 and romance scams increased by 26% in June, July and August.
As well as the growth in online users, COVID-19 has provided a highly effective lure for scams like phishing to be launched. With people at a heightened state of anxiety due to the health and economic impact of the virus, many are far more vulnerable to tricks such as the purchasing of fake PPE equipment and those purporting to be linked to government programs that offer financial support to businesses and workers. In August, for instance, it was revealed that the UK’s HMRC was investigating more than 10,000 email, SMS, social media and phone scams exploiting the COVID-19 pandemic.
Raef Meeuwisse, CISM, CISA, author of Cybersecurity for Beginners, said: “The coronavirus can be considered a social vulnerability. A social vulnerability means that people are more open to being exploited. For example, a person desperate for a particular item or piece of information will be far more prone to take risks or leaps of faith in items that they would not trust under normal circumstances.”
Malcolm Murphy, director, solution architects at Infoblox, added: “This year has been full of unprecedented changes in all areas of life, and cyber-fraud is increasing, as well as cyber-criminals looking to take advantage of people when they’re most vulnerable. Our recent cyber-report shows that over the last few months, the pandemic has been one of the key themes used by fraudsters to exploit victims, with COVID-19 themed email campaigns and socially engineered attacks going through the roof.”
This year’s International Fraud Awareness Week, a global effort to minimize the impact of fraud by promoting anti-fraud awareness and education, has therefore taken on extra importance. Even as hopes rise that we could be at the beginning of the end of the crisis following positive recent news in vaccine development, many of the shifts observed in areas such as e-commerce and remote working look set to sustain over the long term.
Additionally, with the run up to this year’s critical Christmas period fast approaching while many parts of the globe remain in partial shutdown, it is to be expected that fraud attempts will rise even further over the coming weeks.
“The second wave of the pandemic, combined with the run up to Christmas, will almost certainly fuel a surge in activity on the internet once again”
“The second wave of the pandemic, combined with the run up to Christmas, will almost certainly fuel a surge in activity on the internet once again,” highlighted Petter Nylander, CEO at Besedo. “This year’s International Fraud Awareness Week acts as a reminder of the ever-changing fraud landscape and the importance of taking action now, as scammers’ methods grow more sophisticated by the day. Many marketplaces see an increase in fraudulent activity at this time of year, and our recent research revealed that 15% of ads related to some of the bestselling goods, across six popular UK online marketplaces, were in fact scams.”
Evolving Tactics of Fraudsters
Although in many ways there has been little change in the core tactics being employed by online fraudsters, with common methods such as phishing remaining paramount, some subtle differences have been observed.
With the tremendous lures the COVID-19 crisis provides, the methods employed have generally been uncomplicated and based around sheer numbers. “The majority of fraudsters are not creating the scams and ploys they use, most of what they do or use is off-the-peg. That means the fraudster will take a proven format and apply it against as many potential targets as possible. These off-the-peg methods of fraud are also very much like fashion items – and some of them are designed specifically to take advantage of the social vulnerabilities created by coronavirus,” explained Meeuwisse.
There has also been a growing utilization of automation to launch attacks. One example is the insertion of “psychological convincers” in malicious messages to help avoid detection. Meeuwisse explained: “For example, instead of providing a generic spam message such as ‘There is a parcel waiting for you, click here’ – using a database of hacked information, the spam message can be equipped with your location, name, even perhaps part of a credit card number to become more convincing – for example ‘Hey (your name), we are due to deliver to you in (your location) today for your order against credit card containing numbers (four digits from your actual card). Click here to confirm delivery is okay for today.’” He added: “You might not think that the information for a scam is easy for a fraudster to obtain – but it really is. Hardly any of us do not have that level of information available to a motivated scammer.”
Updated Security in Organizations
Protecting against this changing threat landscape is therefore more challenging, and improving security strategies is essential for both organizations and individuals alike. For organizations, introducing more stringent methods of authentication for people logging into accounts on their site is a good first port of call. Epsen Knutsen, CISO at Puzzel, commented: “During the COVID-19 crisis, fraud cases have been soaring, with bad actors targeting organizations and their customers’ key credentials and information. It is critical that those managing customer services remotely – whether on phone lines or through digital channels – offer robust safeguarding measures, such as two-factor authentication, to ensure customer data security.”
In this new environment, it may be advisable to use methods that go beyond passwords and multi-factorial authentication (MFA), with names and passwords or PINs “even more susceptible to social engineering in today’s climate,” according to Brett Beranek, VP & general manager, security and biometrics at Nuance Communications. He added: “Biometric technologies could provide an answer for organizations looking to keep malicious actors at bay and ensure the security of both their customers and employees. For example, voice biometrics are able to leverage more than 1000 unique speech characteristics, from pronunciation to size and shape of your nasal passage.”
Other technology solutions could also prove crucial in tackling rising fraud attempts, helping organizations stay ahead of cyber-criminals. In the same way that automation is being increasingly utilized by malicious actors, businesses should also be looking to implement effective automation solutions to protect users while on their site. One example of this is automated content moderation filters. “A content moderation solution built around platforms’ specific requirements which uses both of these methods will ensure that harmful content that does not adhere to the rules is removed so that users can have a better, safer, user experience,” explained Nylander.
The need for automatic tools such as AI to continuously monitor for suspicious behaviors on websites is also becoming more apparent due to the rising volume of fraud attacks. Beranek added: “Behavioral biometrics measure minute details , such as how a person holds their phone or even how they pause once they finish a task. Security systems that incorporate these authentication tools are considerably less susceptible to hacking.”
“Organizations should combine such technology deployments with employee awareness training”
Whilst security technology solutions are improving all the time, and are an invaluable part of how organizations can protect themselves and their users from fraud, the role of humans remains as pivotal in an effective security strategy. As such, even for larger businesses that can afford sophisticated security software, there needs to be a focus on staff awareness training, ensuring they understand the new threat environment. Knutsen said: “Organizations should combine such technology deployments with employee awareness training, to ensure staff know about the threats that exist and are fully equipped to identify and mitigate them. This will help agents spot the triggers of fraudulent attempts and enable them to put the right follow-up safeguards in place to protect the integrity of customer information.”
Individual Responsibility
As well as organizations, there is also now a much greater emphasis on individuals to both be more aware of, and understand how to mitigate, the risk of fraud. Consumers must have a heightened sense of awareness and a much more cynical attitude when it comes to offers and other types of communication they receive. There are signs that this is happening: a recent survey from GBG found that 31% of consumers are now more worried about fraud as a result of COVID-19.
Hoffmann said: “During this period it might seem common to get a call or a text or email from a service provider confirming genuine activity and such like. These contact points are huge opportunities for fraudsters and cyber-criminals to take advantage of people. The best advice is to perform frequent checks on the communication you have with your service providers, like banks and e-commerce sites, to ensure you are transacting with official employees and technology.”
“The best advice is still borne out of the old adage, Caveat Emptor: buyer beware”
In the view of David Britton, vice-president of industry solutions at Experian, customers should be going further than ever before in conducting due diligence of any organizations they come into contact with digitally. “The best advice is still borne out of the old adage, Caveat Emptor: buyer beware. Remember that the digital world was never designed with security in mind,” he explained. “If a deal seems too good to be true, it usually is. Work with businesses that you trust and that have a sterling reputation, avoid businesses that are not transparent in their policies or how they will use your data. Check reviews! When on social media, be very wary of those asking for personal information, and remember not everything is as it seems.”
The COVID-19 pandemic and resultant greater reliance on online services has opened up new opportunities for fraud, and this is being borne out. However, this environment should be seen as much as an opportunity as it is a challenge; both for organizations to improve their fraud defense strategies, and for individuals to become more aware of how to protect themselves from cyber-villains, which together may help reduce the risk of fraud in the future.
Gus Tomlinson, GM of identity fraud, Europe at GBG, summed up: “International Fraud Awareness Week is an important reminder: for consumers to adjust to our digital-first new normal, and for businesses to truly prosper online, we must keep pushing on with the technology and education required to make those online interactions fraud-free and frictionless.”