Protecting your organisation from rising cyber attacks and fraud amid the COVID-19 outbreak

Issues arising from COVID-19

Social engineering campaigns have been preying on fear over the virus, and they continue to spread as quickly as the disease. Malicious actors typically pose as a trusted organisation (banks, merchants) or individual (co-worker, manager, IT administrator).

What are the cybercriminals after? Business email compromise (BEC) scams are designed to trick victims into transferring sensitive data or funds (personal or corporate) to threat actors’ accounts. They also aim to steal credentials so they can infiltrate organisations and compromise information systems, especially corporate payment systems, as well as the quality of services. If successful, the attacks can open the doors to more fraud.

Beware of the following cyber-attack techniques

Emails masquerading as government announcements

Scammers impersonating the Ministry of Health via phone calls and phishing emails have come out in force. Globally too, fraudulent emails have included logos and other imagery associated with the Centers for Disease Control (CDC) and the World Health Organisation (WHO). Emails include links to items of interest, such as "updated cases of the coronavirus near you." Landing pages for these false links may look legitimate, but the sites are often malicious and may be designed to steal email credentials.

Operational Disruption of Home-Based Learning (HBL)

The spread of COVID-19 is temporarily disrupting operations in some industries. In Singapore, a home-based learning tool was hacked due to an encryption vulnerability. The hackers breached the e-learning modules to post inappropriate imagery. Singapore’s Ministry of Education temporarily banned the tool pending further investigations and security measures.

Hidden Malware

We have seen a rise in malicious emails directing recipients to educational and health-related websites riddled with malware. Recently, users have been enticed to click on maps providing updates on local COVID-19 cases, loaded from legitimate sources but running malware in the background. In Singapore, scammers have taken advantage of remote work situations, typically impersonating staff from telecom providers and persuading victims to install software applications that will supposedly resolve Internet issues. These cyber-attackers also claim to be from the "Cyber Crime Department of Singapore" or the "Cyber Police of Singapore" - agencies that do not exist - and direct victims to install applications to help with investigations. Once the applications are installed, the scammers ask victims to log in to their online bank accounts, and money is then transferred out of the accounts without the victims' knowledge.

False advice and cures

Emails purporting to hail from regional medical providers were among the first COVID-19 related phishing attacks. Some phishing emails invite recipients to download attachments containing “secret cures” for the virus. The attachments instead contain malware designed to steal the personal and financial information of the victim.

Fraud that goes beyond business email compromise

During crises and economic downturns, many other types of fraud increase. They can be harder to detect and may require adjustments to controls to mitigate the risk. For example, customer account security controls, such as risk scoring models, will need to be recalibrated to discern fraudulent transactions from legitimate transactions. Fraudsters may target different products than they did prior to the crisis, as customers may change behaviours and preferences amid the crisis and the economic downturn.

What threats do these new risks pose for your employees? Heightened awareness can be a powerful antidote. 

Encourage your employees to take these ten precautions:

  • Secure Wi-Fi credentials, regularly reset the default home router password, disable remote access and disable Universal Plug and Play.
  • When sending attachments over email, password-protect and encrypt them.
  • Don't forward suspicious emails to co-workers.
  • Examine the sender's email address to ensure it's from a true account. Hover over the link to expose the associated web addresses in the “to” and “from” fields; look for slight character changes that make email addresses appear visually accurate, such as a .com domain where it should be .gov.
  • Note grammatical errors in the text of the email; they’re usually a sure sign of fraud.
  • Report suspicious emails to the IT or security department.
  • Install the corporate-approved anti-phishing filter on browsers and email clients.
  • When working remotely on your own device (‘BYOD: Bring Your Own Device’), strengthen the complexity of your password, change the password regularly and use the corporate-approved anti-virus software to scan attachments.
  • Choose a trusted teleconferencing tool and understand the best encryption standards to maximise security.
  • Use work laptops for work-related activities; using the same devices for entertainment sites and internet surfing makes them a prime candidate for cyber-attacks.
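
The sender-address check described in the precautions above can also be applied automatically, for example when triaging reported emails. The Python code below is an added example, not part of the original advisory; the trusted domains and sample headers are constructed, and treating only exact domain matches as trusted is an assumption.

```python
from email.utils import parseaddr

# Constructed allow-list; replace with the domains your organisation deals with.
TRUSTED = {"health.example.gov", "examplebank.com"}
# Characters commonly swapped so a domain still looks right at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Fold look-alike characters so 'examp1ebank' compares equal to 'examplebank'."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m")

def classify_sender(from_header, trusted=TRUSTED):
    """Return 'trusted', 'tld-swap', 'lookalike', 'unknown' or 'invalid'."""
    _, addr = parseaddr(from_header)  # ignores the display name, which is free text
    if "@" not in addr:
        return "invalid"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        # Same name, different ending: a .com where it should be .gov.
        if domain.rpartition(".")[0] == good.rpartition(".")[0]:
            return "tld-swap"
        # Near miss: swapped characters or a one/two-character typo.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unknown"

# Constructed From: headers for illustration.
SAMPLES = [
    "Health Ministry <alerts@health.example.gov>",
    "Health Ministry <alerts@health.example.com>",
    "IT Helpdesk <it@examp1ebank.com>",
    "newsletter@unrelated.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

A "tld-swap" or "lookalike" verdict is a reason to report the message, not proof of fraud; very short trusted domains will produce more near-miss matches.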

Consider the crisis as an ongoing test of resilience: emerge stronger. In addition to raising security awareness for your employees, develop a multifaceted defense strategy for your organisation.

  • Plan your response to a phishing attack. Incorporate lessons learned from your previous simulations to close gaps in your response plan. Assign responsibility for communicating with stakeholders, including customers and the media.
  • Strengthen your perimeter. Use security solutions to identify and deflect threats before attackers can penetrate your systems. Incorporate tested and proven detection and monitoring controls. Minimise your exposure to attack and limit access to your data as much as possible.
  • Strengthen your remote access management policy and procedures. Implement multi-factor authentication for VPN access, IP address whitelisting, limits on remote desktop protocol (RDP) access and added scrutiny of remote network connections.
  • Fortify your endpoint protection. Protect your devices against standard and advanced malware. Test your security software to make sure it works as it should, and use it in your broader detection-and-monitoring program. Harden and patch your devices. 
  • Secure supplier portals and other externally facing applications using multi-factor authentication and risk-based authentication, especially for applications that would allow a supplier (or a cybercriminal posing as a supplier) to change bank account information, divert payments or make other changes that could impact financial payments.
  • Strengthen financial and treasury controls to require call-backs or confirmations of emailed payment and change requests.
  • Team up with other functions — including Financial Controls, Treasury and Fraud teams — to sharpen fraud prevention and detection. Broaden your view of threats and risks during the crisis. Work with risk management and fraud management teams to improve detection and monitoring, and accelerate responses. 

Contact us

Tan Shong Ye

Digital Trust Leader, PwC Singapore

Tel: +65 9679 6920