Since the outbreak of the Covid-19 crisis, cybercriminals have wasted little time in exploiting the pandemic. In this time of uncertainty, coronavirus has led to a surge in cyber attacks, phishing scams and malicious activity, making Cyber Security awareness more important than ever.
Scammers Cashing in on Covid-19
In recent weeks, numerous scams have emerged as criminals seek to take advantage of the public’s concerns, ranging from how to reclaim money lost on holidays, to applying for financial support due to school closures.
According to Google, scammers are sending 18 million Covid-19 related emails to Gmail users every day in an attempt to persuade victims to download malicious software, steal sensitive information, or donate to fake causes.
In the last month, the National Cyber Security Centre (NCSC) has also reported that more than 2,000 online scams related to coronavirus have been identified and removed. In a bid to crack down on fraudsters and phishing scams, the NCSC has taken down 471 fake online shops, 555 malware distribution sites, and 832 advance-fee frauds, where a large sum of money is promised in return for a set-up payment.
While the threat of Covid-19 builds, so too does the risk of attacks by opportunistic criminals aiming to exploit a society in lockdown. With the sudden shift in circumstances, and more people working from home than ever before, the Covid-19 crisis has presented ideal opportunities for cybercriminals.
Phishing and the Covid-19 Pandemic
As the public seeks information about the global pandemic, coronavirus phishing attacks have exploited recent news developments and government announcements.
The National Fraud Intelligence Bureau (NFIB) has reported a 400% increase in scams as a result of coronavirus-related phishing attacks.
Recent campaigns have also seen cybercriminals creating fake websites and emails masquerading as legitimate authorities such as the World Health Organisation and HMRC to infect devices with malware, steal personal information, and compromise accounts.
The most prevalent scams are those promising to share tips on how to avoid being infected, offer advice about financial support, provide updates on the spread of the virus, and give access to personal protective equipment.
Some studies have shown that, by encouraging users to act quickly and by provoking curiosity and fear, coronavirus scams have raised the click rate on phishing attacks from less than 5% to over 40%.
Combatting Business Email Compromise During a Crisis
Amid a sharp rise in coronavirus-related phishing attacks worldwide, business email compromise attacks are now considered one of the biggest threats facing companies.
According to Gartner, BEC attacks are expected to double each year to over $5 billion by 2023, leading to large financial losses for enterprises.
Although relatively low-tech and simple to execute, these sophisticated scams not only cause crippling financial losses but they also impact relationships, organisational reputation, and stakeholder trust.
In February, a study found that BEC attacks increased by almost 25% and ranged from CEO fraud to fake invoices and compromised employee email accounts. To further leverage Covid-19 fears, fraudsters have been cashing in by asking organisations to contribute to bogus charities and invoicing for cleaning products and PPE.
Covid-19 and Video Conferencing
Like any technology, if not properly managed, video conferencing poses risks to the privacy and the security of our personal information. As people and businesses have become increasingly reliant on video conferencing to stay connected, fraudsters have been quick to exploit the opportunity.
This has resulted in a surge of incidents whereby hackers have gained unauthorised entry to video conferencing calls and eavesdropped on private conversations, hijacked screen controls, and launched an array of malicious attacks.
Earlier this year, security concerns were raised when the Zoom ID of a UK cabinet meeting was shared in a social media post. Along with the ID, the usernames of some of the cabinet ministers were also listed, which enabled cybercriminals to access the private meeting.
The Washington Post also reported that thousands of recorded Zoom meetings are viewable online, including therapy sessions, financial meetings, telehealth calls, and school classes that exposed the faces and other details about children.
Although most video conferencing applications have controls that can be configured to mitigate such dangers, video conferencing also presents a number of additional risks, such as accidentally screen sharing confidential information or having sensitive data on display in the background of the video. With this in mind, user education is vital for creating awareness about video conferencing risks and how to mitigate them.
Coronavirus Smishing Scams
Smishing, or SMS phishing, has experienced a sharp rise as scammers attempt to lure unsuspecting victims with misinformation about the coronavirus outbreak.
Recent smishing campaigns have claimed to be from companies that have experienced delays in deliveries due to the coronavirus. Other popular smishing scams have pretended to be from legitimate organisations, such as banks or government departments, to trick people into providing personal and financial information, opening a malicious link, or paying money to a bogus cause.
Smishing has grown in popularity as it enables cybercriminals to lure recipients into revealing personal or financial information, without having to break through the security defences of a computer or network.
Fraudsters recently targeted those in lockdown with a devious Netflix scam that claimed to give away free subscription passes for the platform. The scam had been perfectly timed to exploit the current surge in people turning to streaming services during the isolation period.
With the average person sending 15 texts per day, smishing offers a unique opportunity for these malicious hackers to take advantage of victims who are distracted while working from home, or who are overwhelmed with information about the virus.
Research has also found that users are more likely to respond to a phishing attack on a mobile device as people are less cautious with text messages than they are with standard phishing scams, which are often blocked by spam filters.
Working From Home Vulnerabilities
As remote working becomes the new normal, it has also resulted in a growing number of threats for many organisations. In fact, 95% of Cyber Security professionals say they are facing additional challenges, with increased attacks and new work-from-home demands.
The sudden shift in circumstances has impacted the way that employees access business applications and increased the potential attack surface.
Aiming to take advantage of workplace disruption, hackers have been exploiting a variety of known vulnerabilities in VPNs and unsecured WiFi networks in an attempt to steal valuable information.
With some workers forced to use personal devices for work tasks, this has also increased the risk of malware finding its way onto devices, resulting in both personal and work-related information being compromised. Often, these devices lack the tools built in to business networks, such as corporate antivirus software, customised firewalls, and online backup tools. The use of personal devices presents multiple opportunities for a hacker to exploit.
In an effort to prevent fraudsters from listening to confidential conversations and conference calls, some organisations are also urging their staff to turn off smart speakers and voice assistants such as Amazon Echo, Apple HomePod and Google Home devices.
According to a report from Northeastern University, smart speakers accidentally activate as many as 19 times a day, recording as much as 43 seconds of audio each time. Recent research also suggests that 59% of smart speaker users have privacy concerns, with unwanted listening and data collection being front and centre.
Even in normal times, working from home can make employees vulnerable to attacks. However, the current climate has created the perfect storm in which hackers, scammers, and spammers can thrive.
Researchers at Zscaler say, since January, they’ve seen a 15%-20% increase each month in hacking incidents, and an increase in hacking threats that use terms like “coronavirus” or “Covid-19”.
Cyber Awareness is More Important Than Ever
Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the Covid-19 pandemic is no exception. As cybercriminals increase their efforts, awareness is the most powerful weapon against these evolving threats and techniques.
Scammers will be quick to take advantage of any lapses in security, and organisations should continue to empower and educate employees to remain vigilant. Cyber Security is everyone’s responsibility, and with so many potential attack points, the key to improving security is to create a culture of cyber awareness.
Free Covid-19 Awareness Assets
In this time of uncertainty, MetaCompliance is committed to supporting organisations in mitigating the risk of cyber threats.
To help communicate good cyber hygiene and vigilance, we have created a bank of free digital assets, which you can use to support your communications during this challenging time.