Countering COVID-19-related Fraud and Scams
This article was previously published on Fraud Intelligence.
The current global pandemic has led to an increase in cybercrime and fraud, with ever more sophisticated tactics being deployed by those looking to take advantage of the vulnerable and profit from illegal activities.
Organizations like the World Health Organization (WHO), the Financial Conduct Authority (FCA) in the UK, the US’s Financial Crimes Enforcement Network (FinCEN), Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), as well as the Food and Drug Administration (FDA) are sounding alarms and warning the public about the different types of fraud risk.
As of 15 April 2020, the FTC had received 18,235 reports related to COVID-19 scams, and United States citizens reported losing $13.44 million dollars to fraud. Some experts project that one to three per cent of the $2.2 trillion coronavirus US government relief package will be lost or wasted due to fraudulent activities. And in the United Kingdom, there have been examples of phishing attacks on the government furlough scheme, with imposters trying to take advantage of the measures put in place to support people and businesses affected by the pandemic. The UK's National Cyber Security Centre (NCSC) said it took down more than 2,000 online coronavirus scams in April.
WHO put out an alert warning the public of imposters who have been impersonating WHO members in phishing attempts, with new reports arriving daily. And the UK’s NCSC and the US Cybersecurity and Infrastructure Security Agency (CISA) have joined forces to issue warnings about groups seeking to exploit the crisis, launching attack campaigns on healthcare, pharmaceutical and research organizations, as well as various arms of governing bodies.
It’s clear that malicious cyber players are at large, exploiting the current pandemic to target individuals, systems and businesses of all sizes. Awareness of the risks and vigilance against social engineering efforts that use COVID-19 as a pretext is highly recommended, both on corporate and individual levels.
Cyber and Payment Fraud as a Result of BEC
Payment fraud is often the result of a tactic known as Business Email Compromise (BEC) in which hackers and other bad actors attempt phishing schemes by sending fraudulent emails to trick people into giving up login credentials or sensitive data, normally by clicking malicious links or opening harmful attachments. Social engineering schemes such as phishing (fake emails to induce provision of credentials or access), vishing (telephone-based phishing) and the like have been on the rise using phony COVID-19 messaging as a pretext. Payment fraud scams are often run by sophisticated and well-financed multinational criminal groups that leverage public sources like LinkedIn and Facebook to gather personal and professional data, as well as buy marketing lists.
The hackers also breach email platforms like Microsoft Outlook or purchase ‘look-alike’ domains and, once inside the victim’s network, may monitor email traffic for weeks or even months. A business email breach today may result in payment or other cyber fraud weeks or even months from now. The end goal of BEC is often to implement a fraudulent wire payment or to steal sensitive data to sell on the dark web.
Payment fraud is already a major concern for organizations globally, with more than 80 per cent of finance professionals reporting incidents of attempted fraud. The Federal Bureau of Investigation reports losses that exceeded $3.5 billion in 2019, up from $2.7bn in 2018 and $1.4bn in 2017 (FBI 2019 Internet Crime Report). Attacks using BEC tactics accounted for $1.7bn of 2019 losses, from 23,775 complaints. UK Finance reported £456 million lost to wire fraud attacks in 2019.
As we adapt to the current environment and reshape our business models by supporting a larger workforce population to work remotely, we need to be even more vigilant against the ever-increasing risk of cyber attacks and payment fraud threats. Changes in our behaviors, processes, technology and work surroundings open a greater opportunity for threat actors to disrupt business flows by targeting key personnel. The possibility of fraud increases in the working-from-home environment most of us find ourselves in right now. Businesses and individuals must further fortify their controls, systems and practices, to detect and prevent financial crime.
Tips for Avoiding Fraud During COVID-19
Given the greater risks to data security created by mass disruption to the conduct of business, companies with employees working from home (WFH) can take the following steps to enhance overall cybersecurity and protect themselves from fraud:
Avoid being a victim of social engineering schemes. Protect your company from fraud as a result of phishing and vishing by implementing the following practices:
- Hover over sender addresses and hyperlinks to verify identity.
- Never click or download unfamiliar material.
- Do not accept document macros.
- Do not provide credit card or PIN numbers over the phone, etc.
- Refresh company training regarding protection against phishing and other social engineering schemes .
- Refresh, review and maintain strict cyber security policies for all team members working from home.
- As much as possible, secure communications with co-workers, vendors, third parties and investors.
- Follow online conferencing best practices.
Expect and accommodate additional verification. Take extra steps during the payment lifecycle, such as:
- Be extra vigilant regarding change requests to beneficiary bank account details, urgent payment requests and payment-related spear-phishing emails.
- Do not solely rely on email as a payment approval channel.
- Restrict business-related communication to and from personal email accounts.
- Document and share alternative phone numbers for payment approval staff.
- Update your bank portal profile to include mobile or home phone numbers.
- Verbally inform your bank, key third parties and vendors of alternative contact numbers.
- Telephonically confirm and document current contact details for your bank relationship manager, key third parties and vendors.
- Document and distribute the process for validating payments in the current environment.
- Monitor and reconcile bank accounts daily; Reset default PINs for accessing call forwarding apps and enable two-factor authentication if available.
- When workers are not physically present in the corporate office, it is essential to verify it is indeed them at their home office.
- Use multi-factor authentication and other identification methods such as identity confirmation questions, call-backs to known phone numbers, along with other enhanced verification practices.
- Institute a password safety policy and use a password manager if possible.
Protect computers and devices from viruses. Take extra precautions for WFH employees, including:
- Frequent security patching is the best way to protect a computer from infection. Be sure to enable operating system and anti-malware updates.
- Maintain a company-wide patching program that extends to WFH devices.
- Reboot your computer frequently, at least weekly, so the updates can take effect.
Use the cloud safely. Protect your data:
- When storing data in the cloud, ensure correct access control. Be careful of permissions and who is granted access.
- Don’t rush to share – think it through.
- Always use secure mechanisms (eg, encryption and secure portal transfer) for the online transfer of data.
Final Thoughts on Mitigating Fraud During the Pandemic
Cyber threat exposure for firms is currently very high. The pandemic has revealed new exposure points that firms need to protect. Firms should ensure that employees do not fall prey to social engineering and cyber scams, and also take extra steps to ensure that all payments flow to the correct and verified recipient. ACA Aponix also recommends firms undertake a payment and fraud risk assessment to review your firm’s cash movements to identify potential fraud risk throughout the payment lifecycle.
ACA Guidance
The examples provided above are likely to recur as more COVID-19 relief funds are distributed. Financial institutions must fortify their controls, systems, and practices to detect and prevent financial crime.
How ACA Can Help
ACA Compliance Group can assist financial institutions as well as portfolio companies to identify, assess, mitigate, and monitor for fraud risk. ACA is committed to helping financial institutions protect their clients’ assets.
Set your firm up for success with our complimentary cybersecurity awareness training or connect with us directly to discuss how to combat fraud and ensure relief funds make it into the hands of those who need it the most.
ACA’s COVID-19 Resources
ACA is working to produce resources to help your firm navigate through the COVID-19 pandemic. Below are a few of our resources that can help you combat the fraudulent activities listed above:
- New Malware Attack Detected with Fake Pandemic Info from Johns Hopkins
- New "Coronavirus" Malware Targets Windows Users
- Mitigating Employee Risks Related to the COVID-19 Pandemic
- Protecting Against Cyber Crimes Related to Coronavirus (COVID-19)
Visit our COVID-19 Resources page to access our full library of resources that may help your firm navigate through the restrictions in place to curb the pandemic.
About the Author
James Tedman is a partner at ACA Aponix, managing the cybersecurity, privacy and IT risk division of ACA Compliance Group for Europe. For more information about how ACA can help protect against fraud contact info@acaaponix.com or your ACA consultant or call +44 (0)20 7042 0560.