Social engineering campaigns have been preying on fear over the virus and it continues to spread as quickly as the disease. Malicious actors typically pose as a trusted organisation (banks, merchants) or individual (co-worker, manager, IT administrator).
What are the cybercriminals after? Business email compromise (BEC) scams are designed to trick victims into transferring sensitive data or funds — personal or corporate — to threat actors’ accounts. They also aim to steal credentials so they can infiltrate organizations and compromise information systems, especially corporate payment systems, as well as the quality of services. If successful, the attacks can open the doors to more fraud.
Scammers impersonating the Ministry of Health via phone calls and phishing emails have come out in force. Globally too, fraudulent emails have included logos and other imagery associated with the Centers for Disease Control (CDC) and the World Health Organisation (WHO). Emails include links to items of interest, such as "updated cases of the coronavirus near you." Landing pages for these false links may look legitimate, but the sites are often malicious and may be designed to steal email credentials.
The spread of COVID-19 is disrupting temporary operations in some industries. In Singapore, a home-based learning tool was hacked due to encryption vulnerability. The hackers breached the e-learning modules to post inappropriate imagery. Singapore’s Ministry of Education of Singapore temporarily banned the tool for further investigations and security measures.
We have seen a rise in malicious emails directing recipients to educational and health-related websites riddled with malware. Recently, users have been enticed to click on maps providing updates on local COVID-19 cases, loaded from legitimate sources but running malware in the background. In Singapore, scammers have taken advantage of the remote work situations to typically impersonate staff from telecom providers, persuading victims to install software applications that will resolve Internet issues. These cyber-attackers claim to be from "Cyber Crime Department of Singapore" or "Cyber Police of Singapore" - agencies that do not exist, directing them to install applications to help with investigations. Once installed, scammers then ask them to login to their online bank accounts and money is then transferred out of their accounts without the knowledge of the victims.
Emails purporting to hail from regional medical providers, were among the first COVID-19 related phishing attacks. Some phishing emails invite recipients to download attachments containing “secret cures” for the virus. The attachments instead contain malware designed to steal the personal and financial information of the victim.
During crises and economic downturns, many other types of frauds increase, and they can be harder to detect and may require adjustment to controls to mitigate the risk. For example, customer account security controls, such as risk scoring models, will need to be recalibrated to discern fraudulent transactions from legitimate transactions. Fraudsters may target different products than they did prior to the crisis, as customers may change behaviors and preferences amid the crisis and the economic downturn.
Encourage your employees to take these ten precautions:
Join our webinar series where we explore topics on managing business continuity, data optimisation and transformation risks, to help organisations build resilience and prepare for a post COVID-19 operating environment