How to protect your companies from rising cyber attacks and fraud amid the COVID-19 outbreak


Practical steps for responding to the coronavirus crisis

  • Cyber attacks have increased along with the rapid worldwide spread of the COVID-19 pandemic.
  • Employees are your organization’s first line of defense. Companies can protect themselves by encouraging personnel to be skeptical of email from unfamiliar sources.
  • Cybersecurity teams should work with fraud risk management teams to coordinate detection-and-response activities.

Issues arising from COVID-19

Social engineering campaigns that preyed upon fear over the virus began appearing in late January and have spread as quickly as the disease. Malicious actors typically pose as a trusted organization (banks, merchants) or individual (co-worker, manager, IT administrator). The volume of malicious emails has rocketed, according to Proofpoint, a cybersecurity company monitoring virus-related cybercrime. 

What are the cybercriminals after? Business email compromise (BEC) scams are designed to trick victims into transferring sensitive data or funds — personal or corporate — to threat actors’ accounts. They also aim to steal credentials so they can infiltrate organizations and compromise information systems, especially corporate payment systems, as well as the quality of services. If successful, the attacks can open the doors to more fraud.

Beware of the following cyber attack techniques

Social engineering scams proliferate in the wake of natural disasters, terror attacks, mass shootings and pandemics. Here are some COVID-19-related tactics that have emerged.

Emails masquerading as government announcements

Threat actors are sending phishing and BEC emails disguised as government announcements. Fraudulent emails have included logos and other imagery associated with the Centers for Disease Control (CDC) and the World Health Organization (WHO). Emails include links to items of interest, such as "updated cases of the coronavirus near you." Landing pages for these false links may look legitimate, but the sites are often malicious and may be designed to steal email credentials.


Operational and industry disruption

The spread of COVID-19 is disrupting temporary supplies and revenue in some industries. Cybercriminals hope victims will mistake their malicious emails for legitimate ones. For example, emails with subject lines like “Coronavirus – Brief note for the shipping industry,” have been sent to employees of companies in industries being disrupted by the virus. Some campaigns have even been disguised to look like invoices, shipping receipts and job applications. BEC campaigns are targeting manufacturing, finance, pharmaceuticals, healthcare and transportation companies. False emails typically include attachments that contain malware designed to harvest sensitive data, or harmful ransomware that could disrupt access to, or availability of, information systems.


Hidden malware

We have seen a rise in malicious emails directing recipients to educational and health-related websites riddled with malware. One email, masquerading as a notice from a virologist, read: “Go through the attached document on safety measures regarding the spreading of coronavirus. This little measure can save you.” Recently, coronavirus maps have enticed users to click on maps loaded from legitimate sources that run malware in the background.


False advice and cures

Emails purporting to hail from regional medical providers, sent to people in Japan in January and February, were among the first coronavirus-related phishing attacks. Some phishing emails invite recipients to download attachments containing “secret cures” for the virus. The attachments instead contain malware designed to steal the personal and financial information of the victim. Some emails include conspiratorial and false claims that COVID-19 was manufactured to reduce the world population.


False charity

Another phishing campaign involves emails designed to mimic the CDC, soliciting donations to fight the spread of the virus. The emails appeal to recipients’ altruism, urging victims to donate into a Bitcoin wallet or to make other types of payments. The CDC, a federal agency under the Department of Health and Human Services, is taxpayer-funded and would not solicit donations. Other malicious actors may create fraudulent charities. One should never donate to charities via links in emails; instead, give at the charity’s website. Follow fundraising platforms’ guidance on how to recognize and report fraudulent charities.


Fraud that goes beyond business email compromise

Your cybersecurity team should coordinate fraud detection and response with your organization’s fraud management teams. During crises and economic downturns, many other types of fraud increase, and they can be harder to detect and may require adjustment to controls to mitigate the risk. For example, customer account security controls, such as risk scoring models, will need to be recalibrated to discern fraudulent transactions from legitimate transactions. Fraudsters may target different products than they did prior to the crisis, as customers may change behaviors and preferences amid the crisis and the economic downturn.


Help your employees fight cyber attacks

Threat-aware employees are the first line of defense against cyber intrusions. Too often, that defense needs strengthening. Even before the COVID-19 crisis, in a PwC simulated phishing attack on mid- to large-size financial institutions, 70% of phishing emails were delivered to their targets, and 7% of recipients clicked on the malicious link. As has been proven time and time again, it only takes one. One click, one missing endpoint agent, one failed alert, one unsuspecting employee, and the adversary can proclaim victory over your network. 

Assure your employees that heightened awareness can be a powerful antidote. To protect against a social engineering attack, coach all employees to take these precautions, particularly on their mobile devices:

1. Be skeptical of emails from unknown senders or familiar people (like your company’s CEO or your doctor) who do not usually communicate directly with you.
2. Don't click on links or open attachments from those senders.
3. Don't forward suspicious emails to co-workers.
4. Examine the sender's email address to ensure it's from a true account. Check the addresses in the “to” and “from” fields, and hover over links to expose the associated web addresses; look for slight character changes that make email addresses appear visually accurate — a .com domain where it should be .gov, for example.
5. Note grammatical errors in the text of the email; they’re usually a sure sign of fraud.
6. Report suspicious emails to the IT or security department.
7. Install the corporate-approved anti-phishing filter on browsers and emails.
8. Use the corporate-approved anti-virus software to scan attachments.
9. Never donate to charities via links included in an email; instead, go directly to the charity website to donate.
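
The sender and link inspection described in the precautions above can also be run by a security team over reported messages. The following Python sketch is an added example, not PwC code: it flags a sender domain that reuses a trusted name under a different top-level domain (.com where it should be .gov) and links whose visible text names one domain while the underlying address opens another. The `TRUSTED` map, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"cdc": "cdc.gov", "who": "who.int"}  # assumption: locally maintained list

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def registrable(host):
    """Naive last-two-labels domain; production tools use the Public Suffix List."""
    return ".".join((host or "").lower().split(".")[-2:])

def imitates(domain):
    """Trusted domain that `domain` resembles (same name, other TLD), else None."""
    real = TRUSTED.get(domain.split(".")[0])
    return real if real and real != domain else None

def review(raw):
    """Return findings for one raw message: sender lookalike and link mismatches."""
    msg, findings = message_from_string(raw), []
    sender = registrable(parseaddr(msg["From"])[1].rpartition("@")[2])
    if imitates(sender):
        findings.append(f"sender {sender} imitates {imitates(sender)}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if " " not in text and "." in text:  # compare only URL-like visible text
            shown = registrable(urlparse(text if "//" in text else "//" + text).hostname)
            target = registrable(urlparse(href).hostname)
            if shown != target:
                findings.append(f"link shows {shown} but opens {target}")
    return findings

# Constructed sample message (not a real phishing email).
SAMPLE = ("From: CDC Alerts <alerts@cdc.com>\nContent-Type: text/html\n\n"
          '<a href="http://cdc-update.example.net/login">https://www.cdc.gov/cases</a>')
```

Calling `review(SAMPLE)` returns both findings for the constructed message; a message from a matching domain with consistent links returns an empty list.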

Caring for your employees: healthy, safe — and productive and secure

Telecommuting, which increases during public health crises, inadvertently can lead to cybercrime. CISA (Cybersecurity and Infrastructure Security Agency) has just issued an alert regarding vulnerabilities caused by remote access to organizations’ computer systems. A proliferation of cloud-based apps makes it easier for bad actors to exploit holes in networks. 

Companies only have days or weeks during this crisis to facilitate the shift to a telecommuting workforce. You should transition in a way that doesn’t bypass the security you have in place.

Businesses are making sure that their employees are taking the right precautions, with social distancing guidelines and travel restrictions. They’re also preparing for quarantines and lockdowns. And they must maintain critical operations for their customers, partners and suppliers. In fact, 42% of CFOs surveyed by PwC said workforce/reduced productivity is among their top 3 concerns with respect to COVID-19.

Many organizations are enabling work-from-home at an unprecedented pace to ensure business continuity.

  • Transitions to rapid, secure, remote work models are now possible with enabling technology and guidance. Companies have days or weeks during this crisis to implement infrastructure to support a largely work-at-home workforce. What wasn’t doable in the past is now possible with a full suite of capabilities. 
  • Solutions can be matched to circumstances. Some organizations can’t provide laptops to all employees. Some workers have been given laptops, but need more help securely managing access to data and networks. 
  • Transitioning to work-at-home can be done without compromising security. 

Consider the crisis as an ongoing test of resilience: emerge stronger

You can avoid harm from COVID-19-themed phishing and BEC scams with skepticism, training and technical safeguards.

You need a multifaceted defense strategy, in addition to raising security awareness for your workers. PwC’s cyber experts recommend taking these steps:

Plan your response to a phishing attack. Incorporate lessons learned from your previous simulations to close gaps in your response plan. Assign responsibility for communicating with stakeholders, including customers and the media.

Strengthen your perimeter. Use security solutions to identify and deflect threats before attackers can penetrate your systems. Incorporate tested and proven detection and monitoring controls. Minimize your exposure to attack and limit access to your data as much as possible.

Strengthen your remote access management policy and procedures. Implement multifactor authentication for VPN access, IP address whitelisting, limits on remote desktop protocol (RDP) access and added scrutiny of remote network connections.

Fortify your endpoint protection. Protect your devices against standard and advanced malware. Test your security software to make sure it works as it should, and use it in your broader detection-and-monitoring program. Harden and patch your devices. 

Secure supplier portals and other externally facing applications using multifactor authentication and risk-based authentication, especially for applications that would allow a supplier (or a cybercriminal posing as a supplier) to change bank account information, divert payments or make other changes that could impact financial payments.  

Strengthen financial and treasury controls to require call-backs or confirmations of emailed payment and change requests.

Team up with other functions — including Financial Controls, Treasury and Fraud teams — to sharpen fraud prevention and detection. Broaden your view of threats and risks during the crisis. Work with risk management and fraud management teams to improve detection and monitoring, and accelerate responses. 

Begin planning for a new approach

Many cybersecurity strategies today protect a perimeter, as it were, checking for credentials of someone attempting to gain access and discerning whether the actor is legitimate or malicious. Phishing and social engineering attacks are typically the initial entry vectors for malicious actors to bypass these perimeter controls and gain access to key systems or business processes. 

In addition, businesses’ critical applications no longer have borders, meaning that security solutions have to protect not just a perimeter, but also the data. Borderless Data Access Controls (BDAC) are one solution. BDAC conducts strict identity verification, inspection and monitoring of every user and every device trying to access your private network — internal and external. It doesn’t matter where the user or device is located: All face the same stringent scrutiny before gaining access to sensitive data.

Under this zero trust model, trust isn’t freely given, but must be earned. Everyone must pass the virtual “sniff test” every time, and continuously. BDAC asks “who, what, where, why and how” for every attempt to gain access to your critical data and infrastructure, and it authenticates relentlessly. This zero trust model provides additional protections against both endpoint compromises (using phishing and/or malware) and attacks targeting borderless applications.

Contact us

Sean Joyce

US and Global Cybersecurity and Privacy Leader, PwC US

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Kristin Rivera

Partner, Global Forensics Leader, Global Crisis Consulting Leader, PwC US

Emily Stapf

Principal, Cybersecurity and Privacy, PwC US

Brian Castelli

Partner, PwC US