Crisis fuels crime: in this case, cybercrime. The coronavirus (COVID-19) global pandemic has created a virtual environment ripe for cyber fraud. Social distancing means an exponential rise in the use of technology for work, education, and leisure. Further, decreased human contact reduces the effectiveness of normal mechanisms of confirming that electronic requests are legitimate. In response, U.S. and international agencies have issued a slew of warnings about governmental impersonators using the pandemic to steal money and personal information or to distribute malware. As of the date of this article, current guidance on the most prevalent cyber threats and mitigation strategies is summarized below.
Note: As the COVID-19 cyber environment is constantly evolving, please be advised that this alert does not cover every instance of cyber vulnerability. Businesses should regularly consult agency guidance on the latest COVID-19 cyber threats. Further, internet-based fraud and crimes can be reported to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center.
The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert on April 8 citing an increase in phishing campaigns utilizing COVID-19 themes to lure in victims. Phishing is a type of cyber fraud where a malicious cyber actor poses as a trusted source to gain access to sensitive information, such as usernames, passwords, and credit card numbers. See the U.S. Federal Trade Commission’s (FTC) guidance on How to Recognize and Avoid Phishing Scams.
Most phishing attempts are by email. The CISA and NCSC have observed recent attempts using email subjects like “2020 Coronavirus Updates,” “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency).” These emails often contain a “call to action” and encourage victims to visit a website that is used to steal user data.
According to the FBI, phishing emails may be related to:
However, the CISA and NCSC have also observed recent phishing attempts by robocalls, text messages (SMS), and messaging applications (e.g. WhatsApp). The U.S. Federal Communications Commission (FCC) and the Better Business Bureau (BBB) have identified text messages and robocalls about free COVID-19 home testing kits, mandatory quarantines and testing, health insurance, and other efforts to “prey on virus-related fears.”
COVID-19 related financial relief also increases the risk of malicious cyber actors posing as government agencies asking to verify financial information related to receiving an economic stimulus check. The FBI reminds consumers that government agencies are not sending unsolicited emails or texts asking for private information in order to send stimulus checks. The U.S. Internal Revenue Service (IRS) will distribute payments to most Americans via direct-deposit information that the agency has on file from previous tax filings.
Further, the FBI and the FCC provide the following general “cyber hygiene” and security measure tips:
Specifically, those seeking to donate to charity are cautioned to thoroughly research organizations and pay close attention to organizations with names that are very similar to reputable charities. In general, legitimate charities do not solicit donations through money transfer services.
Interpol’s Cybercrime Threat Response team has detected a significant increase in ransomware attacks against key organizations and infrastructure responding to the COVID-19 pandemic. Interpol has issued a Purple Notice to police in its 194 member countries alerting them to the heightened ransomware threat.
Ransomware is a type of malware—or malicious software—that denies access to a computer system or data until a ransom is paid. According to the CISA, ransomware is typically spread through phishing emails or visiting infected websites. As discussed above, Interpol notes that typical phishing emails fraudulently claim to be from government agencies and contain false information or advice regarding COVID-19.
To protect against ransomware, the CISA recommends the following precautions:
On April 13, the U.S. Securities and Exchange Commission (SEC) updated its February investor alert that warns investors of internet and social media promotions claiming “the products or services of publicly traded companies can prevent, detect, or cure coronavirus, and that the stock of these companies will dramatically increase in value as a result.” Such promotions are often presented as “research reports” and predict a specific “target price.” The SEC also identifies microcap stocks—low-priced stocks issued by small companies—as particularly vulnerable due to a lack of publicly available information.
The SEC cautions investors to carefully research investments, especially those in companies that claim to focus on COVID-19 related products and services. See recent SEC trading suspensions here.
The FTC and the U.S. Food and Drug Administration (FDA) issued joint warning letters to companies selling products claiming to treat or prevent COVID-19. The FDA reminds consumers that “there are no approved vaccines, drugs or investigational products currently available to treat or prevent the virus.” Consumers can sign up for consumer alerts from the FTC here.
The FBI warns consumers about counterfeit products such as sanitizing products and personal protective equipment (PPE) including N95 respirator masks, goggles, full face shields, protective gowns and gloves. More information from the CDC on unapproved or counterfeit PPE can be found here.
Telework Software Vulnerabilities
To maintain productivity while working from home, businesses are heavily relying on software to enable remote access to business applications, resources and shared files during the COVID-19 pandemic. However, an exponential increase in use of such software has also revealed significant gaps in privacy and security measures. Sharing sensitive business information over the internet may allow malicious cyber actors to gain access to confidential files or eavesdrop on virtual conference calls and meetings. According to the FBI, businesses should avoid or limit:
The FBI also provides the following “teleworking tips.”
Specifically responding to the risks associated with a surge in video conferencing, Senator Edward J. Markey has urged the FTC to issue “comprehensive guidelines for companies that provide online conferencing services, as well as best practices for users.”
New software technologies hold promise for meeting new challenges, but they need to be tested, and users must be trained to use them safely.
Business Email Compromise (BEC)
Business Email Compromise (BEC) occurs when a malicious cyber actor sends a fraudulent email requesting money to be transferred to a new account or to change standard payment practices. BEC typically targets individuals and businesses with the ability to send wire transfers, checks and automated clearing house (ACH) transfers. Malicious cyber actors may use the COVID-19 pandemic to impersonate vendors and request payment outside the normal course of business.
In response, the FBI urges particular caution around the following situations:
The FBI provides the following tips to avoid BEC:
Report Suspicious Financial Activity
The Financial Crimes Enforcement Network (FinCEN) reminds financial institutions to “remain alert about malicious and fraudulent transactions similar to those that occur in the wake of natural disasters.” FinCEN points to its previously issued Advisory to Financial Institutions Regarding Disaster-Related Fraud that outlines potential areas of fraud following natural disasters, such as benefits fraud. Many malicious cyber actors will use the current challenge to attempt to swindle people out of money through imposter frauds, product scams, insider trading or investment scams of the types described above.
Financial institutions must monitor for these types of suspicious activities and should file a Suspicious Activity Report (SAR). Financial institutions are encouraged to review their typologies to ensure that the current circumstances and current fraud scams are being monitored for and investigated.
For suspected suspicious transactions linked to COVID-19, FinCEN is encouraging financial institutions to enter “COVID19” in Field 2 of the SAR template.
Best Practices for Businesses
After several weeks of remote work have tested the strength of IT systems and cybersecurity, businesses should continually review and update their business continuity plans and consider the following possible best practices: