In mid-April – when the UK was on the absolute frontline in its fight against Covid-19 – the country’s National Cyber Security Centre was forced to take decisive, rarely seen action against the rapidly rising tide of Coronavirus-related scams and phishing emails hitting people’s inboxes.
Having shut down more than 2,000 virus-themed scams in March alone, in April it felt it necessary to set up an email reporting service where people could flag any further bogus campaigns. The need was real: during the same month, Google reported blocking 18 million Covid-related scam emails in a single day.
It’s blatantly clear that cybercriminals have no moral code. Worse still, they actually thrive off the fear and panic that catastrophic events create, and prey on these emotions in order to achieve their own, single objective – making money.
Whether it’s smishing campaigns which bogusly encourage users to download tracing apps so they can discover if they’ve been in proximity of someone who has tested positive for the virus, or a phishing email offering discounted hand sanitiser, the cyber-underworld is using every trick in the book to exploit this pandemic.
This crime wave impacts businesses, not just consumers. By clicking on a link included in one of these scam emails, the recipient could unwittingly install malware that gives the attacker a shortcut into their company's IT infrastructure. This is especially likely now, as more people are working from home and using their own devices for both work and leisure, so a compromise of a personal device can become a foothold into a corporate network.
The financial services sector is particularly exposed to risk. Many of these bogus campaigns will, one way or the other, entice users to give up their bank account or credit card details. While they think they are ordering hard-to-get face masks, they may be unwittingly sharing their card details with – or even making a payment to – a criminal ring. The banks then have to mop up, working out whether the payment was authorised or legitimate, as well as deciding whether their customer should foot the bill or whether they should be reimbursed.
To defend against this unprecedented volume of attacks, here are some of the techniques organisations should warn their employees and customers to look out for:
Whenever there is a global or national event, scammers will always attempt to capitalise on people’s interest in the topic. For example, in the run-up to the tax self-assessment deadline, people will expect to receive messages from legitimate senders such as HMRC or their accountants. This is open season for hackers, as they realise their victims might not be able to spot a scam email on the same topic.
Fraudsters are using the coronavirus in a similar way, adding to the discourse on it, and scaremongering in order to increase their illegitimate profits.
Their cunning is undeniable. For example, there has been one campaign where prospective victims received an email detailing a tax refund programme that was coming into effect as a result of the Covid-19 outbreak. Not only did the criminals use the virus as the hook to bait users, they even posed as the UK Government, in co-operation with the NHS, to improve their persuasiveness.
This is just one of the sly ways in which fraudsters use the news agenda to ‘brain-hack’ their intended victims. This particular fraudulent email included a link to a fake but official-looking website where the individual was then asked to input all their tax and financial information.
Employees and customers should be warned to be extremely sceptical of online advertisements for Covid-related goods. The tech giants such as Twitter and Facebook have taken major steps to remove misinformation from their sites, but it is like a game of whack-a-mole, with new ads popping up as quickly as they are taken down.
These ads mostly attempt to bait victims into buying in-demand products and, as fear around the virus continues to escalate, more sophisticated items, such as self-testing kits.
Of course, the products advertised do not exist, and fraudsters are simply pocketing the money.
Phishing attacks always feature:
These types of attacks – often leveraging both the phone and email – are a common part of a hacker's arsenal. From the criminal's point of view, they are a cost-effective way to reach new victims.
There have been numerous spear-phishing campaigns, where a fraudster directly reaches out to their intended victim, usually posing as a person of responsibility, working for a legitimate organisation. They will have done their homework and will have a certain amount of information about their victim in order to make the approach seem credible.
Looking at email campaigns in particular, one widely circulated phishing email was a malware-laden message claiming the virus was now airborne. Scared users were enticed to click on the link to find out more. Another ‘linked’ to details of a cure, while another asked for donations to the ‘coronavirus cause’. Even more audaciously, one message appeared to come from the World Health Organization, and included the phrase “this little measure can save you” as a way to get recipients to click on a malicious link.
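The lures above share two tells that can be checked mechanically rather than left to a scared reader: the display name claims a brand (HMRC, the NHS, the WHO) that the sender's domain does not belong to, and the link a recipient is told to click points somewhere other than the domain its text shows. The following is an added example, not code from the original article or from buguroo, that runs those checks over two constructed messages; the brand-to-domain table, the `.example` hostnames and the message contents are assumptions made for the illustration, not records of a real campaign.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the lures impersonate and the domains that legitimately send for them.
# This table is an assumption for the example; a real deployment would load an
# allow-list the organisation maintains.
BRANDS = {
    "HMRC": {"keywords": ("hmrc", "hm revenue"), "domains": ("hmrc.gov.uk", "gov.uk")},
    "NHS": {"keywords": ("nhs",), "domains": ("nhs.uk", "nhs.net")},
    "WHO": {"keywords": ("world health organization", "world health organisation", "who"),
            "domains": ("who.int",)},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ANCHOR_RE = re.compile(r"<a\b[^>]*?href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)


def under(host, domain):
    """True if host is domain itself or a subdomain of it (match on a label boundary)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def claimed_brands(display_name):
    """Brands whose name appears as a whole word in the From: display name."""
    name = display_name.lower()
    return [b for b, spec in BRANDS.items()
            if any(re.search(r"\b" + re.escape(k) + r"\b", name) for k in spec["keywords"])]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyse(raw):
    """Check one RFC 5322 message (as a string) for brand impersonation in the
    sender and for links that do not belong to the claimed brand."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    findings = []
    brands = claimed_brands(display_name)
    for brand in brands:
        if not any(under(from_domain, d) for d in BRANDS[brand]["domains"]):
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")

    # Every link target in the body, plus a check that anchor text showing a URL
    # actually points at that URL's host (the classic 'looks like gov.uk' trick).
    links = {u.rstrip(".,;)") for u in URL_RE.findall(body)}
    for href, text in ANCHOR_RE.findall(body):
        links.add(href)
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            findings.append(f"link text shows {host_of(shown.group(0))} but points to {host_of(href)}")

    for url in sorted(links):
        host = host_of(url)
        for brand in brands:
            if host and not any(under(host, d) for d in BRANDS[brand]["domains"]):
                findings.append(f"link to {host} does not belong to {brand}")

    return {"display_name": display_name, "from_domain": from_domain,
            "brands": brands, "links": sorted(links), "findings": findings}


# Constructed sample messages (not real campaigns): one carrying the Covid
# tax-refund lure and posing as HMRC, one reference message from the real domain.
PHISH = """\
From: "HM Revenue & Customs" <refunds@tax-refund-covid19.example>
To: victim@example.org
Subject: COVID-19 tax refund programme
Content-Type: text/html; charset=utf-8

<p>In cooperation with the NHS, a refund is now available.</p>
<a href="http://hmrc-refund-covid.example/claim">https://www.gov.uk/tax-refund</a>
"""

LEGIT = """\
From: "HMRC" <noreply@hmrc.gov.uk>
To: user@example.org
Subject: Self Assessment reminder
Content-Type: text/plain; charset=utf-8

Sign in at https://www.gov.uk/log-in-register-hmrc-online-services to check your account.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = analyse(raw)
        print(name, "->", result["findings"] or ["no findings"])
```

The constructed phishing message produces three findings (sender domain, link text versus href, and a link host outside HMRC's domains) and the reference message none. The check is deliberately limited to what is in the message itself; it does not replace SPF/DKIM/DMARC evaluation, and a lookalike domain that the brand genuinely owns but that is absent from the allow-list will be flagged, which is the safer failure mode for a warning to users.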
The impact of this activity
The heightened activity is causing a spike in both the number of compromised online accounts and incidents of attempted bank fraud.
By providing their personal details on the phone or on fake websites, people are opening themselves up to the possibility of their information being used to create synthetic identities and mule accounts. Their own data could even be turned against them, for example if it is used as the basis for a genuine-looking phishing attempt at some point in the future. And so the circle continues.
Bogus emails often contain links or attachments which, if opened, download malicious software onto the user's device. These could be keyloggers, which capture sensitive information such as usernames or passwords as they are typed, or remote access trojans (RATs), which give the attacker complete, covert control of the device. Either is often used as a way to access an enterprise network, a user's personal bank account, or both.
If an individual sends money to what they believe is a charity account but is actually a mule account, it is likely they have been a victim of an authorised push payment (APP) scam. It’s a similar case when they buy goods that they do not receive. As these payments have been authorised by the account holder, it is notoriously difficult for banks to detect and block this type of fraud. Investigating exactly what happened can be hugely problematic and time consuming for financial services companies in particular.
The world is in uncharted territory: this is exactly the type of environment fraudsters and hackers love.
They will try anything and, as long as the situation continues, they will try to exploit it. Organisations must urge their customers and their employees alike to be extra vigilant right now. A healthy dose of scepticism is required if organisations are going to successfully keep hackers out of both their corporate infrastructures and their customers’ online accounts.
Tim Ayling, vice president EMEA, buguroo