Cyber security experts have found that the 2019 novel coronavirus (COVID-19) has led to a surge in phishing scams, with both individuals and organisations at risk.
Things could get worse in the coming weeks, as organisations scramble to find solutions for the disruption that COVID-19 is causing. For example, millions of employees will likely be forced to work remotely, as the UK government prepares for a lockdown scenario.
Although that will help limit the spread of the disease – which is obviously the priority – it will introduce new business risks that organisations must prepare for.
Let’s take a look at some of those risks and how you can address them.
Scammers are cashing in on coronavirus
It’s no surprise that cyber criminals are rolling out coronavirus-themed phishing emails.
Crooks notoriously use the curiosity or fear that comes with news stories to propagate their scams. Phishing emails imitating HMRC are a given at tax season, as are scams timed to major sporting events, Christmas and Black Monday. Meanwhile, three-plus years of Brexit negotiations saw a healthy dose of political scams.
What is phishing?
Phishing is a type of cyber attack in which scammers send malicious messages that appear to be from a trusted source.
The purpose of these messages is to get the recipient to hand over login details or infect their system with malware. The scammers do this by including a link that replicates a genuine website or attaching an infected file to the message.
These scams are usually delivered by email, but they can also occur on social media, by text or over the phone.
If you thought the coronavirus situation was too grave for cyber criminals to consider profiting from it, you are wrong.
We first reported coronavirus-themed phishing scams last month, after IBM discovered a series of attacks targeting Japanese organisations. At the time, the country was the second-worst affected by the disease, but as the infection has spread, so has the scope of the scam.
Proofpoint detected a series of bogus emails that exploit coronavirus-related fears in several ways. Many of them, such as this example, prey on people’s desire to find guidance on how to stay safe:
A similar scam imitates the president of an organisation, who is seemingly giving advice to the organisation’s staff.
The attack may well have been made possible following a BEC (business email compromise) scam, in which case the criminal has obtained a list of employees’ email addresses.
This makes the message even more dangerous – not only because more people are being targeted, but because an all-staff message looks authentic.
At the extreme end of the spectrum, Proofpoint found a phishing email that claims that the pandemic is a biological weapon designed to control the population.
The content of this message might sound so absurd that it harks back to the classic Nigerian prince scams, but – depressingly – there are some people that this will appeal to.
For example, Piers Corbyn, the weather forecaster and brother of Labour leader Jeremy Corbyn, recently tweeted his belief that COVID-19 was designed to cull the population and fight climate change.
THE CV PANDEMIC WAS SIMULATED OCT 2019 BY MEGA-RICH CONTROL FREAKS BILL GATES, GEORGE SOROS +CRONIES.
NOW IT’S FOR REAL.
THE AIM IS A WORLD POPULATION CULL (“PEOPLE cause #CO2 problem”) by THEIR mass VACCINATION PLAN CONTAINING POISON.
— Piers Corbyn (@Piers_Corbyn) March 16, 2020
He is not alone. The American talk show host Sean Hannity claimed that the “deep state” is using the pandemic to manipulate the stock market, while a small sector of the Reddit community has raised doubts about the nature of the virus.
Expect disruption and chaos
The panic surrounding coronavirus might have you screaming ‘scam!’ every time you receive an unexpected email. Although exercising caution is never a bad idea, it’s important to note that these are unprecedented times and there will be unusual but legitimate requests.
For example, with organisations across the globe moving towards remote working amid a lockdown scenario, there will be a spike in virtual interactions. You will get emails and instant messages from employees who can no longer simply come over to your desk with their requests.
As such, you should take the time to work out how to differentiate a legitimate message from a scam.
Looking for the signs of a scam can seem daunting at first, but once you get the hang of things, it will become second nature – something that’s essential given the volume of communication that will soon be happening online.
This is particularly important if your IT team is also working from home or depleted due to illness. They will have limited powers to prevent attacks or mitigate the damage once a breach has occurred, meaning there’s an extra burden on employees to stay safe.
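As an added example (not part of the original post), the Python script below applies a few of the checks that the phishing definition above describes and that an employee, or a simple mail-filtering rule, can make on an incoming message: a sender domain that is a lookalike of the organisation’s own, a Reply-To that points somewhere else (as in the BEC-style “message from the president” lure), a link whose visible text names one site while its href goes to another, and an attachment with an executable or macro-enabled extension. The organisation name, the trusted domain, every address and the lure message itself are constructed for the example and are not taken from any real campaign.

```python
"""Heuristic phishing indicators for an email message (added example, not the post's own code)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation: the only domain it genuinely sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}
# Attachment types worth flagging for a human look before opening.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm"}
# Digits commonly swapped for letters when registering lookalike domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL; bare hosts such as 'www.example.com' are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _normalise(domain: str) -> str:
    """Map confusable digits to letters and drop punctuation so lookalikes compare equal."""
    return re.sub(r"[^a-z]", "", domain.lower().translate(_CONFUSABLES))


def _is_trusted(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(msg: EmailMessage) -> list:
    """Return human-readable indicators found in *msg* (empty list means none found)."""
    findings = []
    _name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Sender domain is not ours but becomes identical once confusables are mapped.
    if from_domain and not _is_trusted(from_domain):
        if any(_normalise(from_domain) == _normalise(d) for d in TRUSTED_DOMAINS):
            findings.append(f"lookalike sender domain: {from_domain}")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    _n, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Link text that looks like a URL for one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = _host(text) if re.match(r"^(https?://|www\.)", text, re.I) else ""
            if shown and shown != _host(href):
                findings.append(f"link text shows {shown} but points to {_host(href)}")

    # 4. Attachments with executable or macro-enabled extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed lure in the style the post describes: 'the president' sends all staff
    COVID-19 guidance from a lookalike domain, with a spoofed link and a macro document."""
    msg = EmailMessage()
    msg["From"] = "Company President <president@examp1e-corp.com>"
    msg["Reply-To"] = "president@mail-relay.example.net"
    msg["To"] = "all-staff@example-corp.com"
    msg["Subject"] = "Important: COVID-19 guidance for all staff"
    msg.set_content(
        "<html><body><p>Please read the guidance at "
        '<a href="http://verify.examp1e-corp.com/login">'
        "https://portal.example-corp.com/guidance</a> and the attached document.</p>"
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="octet-stream", filename="guidance.docm")
    return msg


def build_clean_message() -> EmailMessage:
    """Constructed legitimate all-staff message from the organisation's real domain."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example-corp.com>"
    msg["To"] = "all-staff@example-corp.com"
    msg["Subject"] = "VPN instructions for home working"
    msg.set_content(
        '<html><body><p>Instructions: <a href="https://portal.example-corp.com/vpn">'
        "https://portal.example-corp.com/vpn</a></p></body></html>",
        subtype="html",
    )
    msg.add_attachment(b"not a real pdf", maintype="application",
                       subtype="pdf", filename="vpn-guide.pdf")
    return msg


if __name__ == "__main__":
    for label, builder in (("lure", build_sample_message), ("clean", build_clean_message)):
        print(label, phishing_indicators(builder()) or "no indicators")
```

The checks are deliberately conservative: none of them proves a message is malicious, and a genuine message can trip the Reply-To rule (a ticketing system, for instance), which is why the script reports indicators for a person to weigh rather than making a block decision. The lookalike test only catches digit-for-letter swaps in a domain that is otherwise the organisation’s own; a scam sent from an unrelated domain has to be caught by the other signals or by the reader.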
You should also be prepared for third-party disruptions. Platforms like Slack or Microsoft Teams are built to help workers communicate when they’re not in the same office together, and if you’re not already using those services, you should expect to in the coming weeks.
Unfortunately, these programs are only designed to handle a certain number of people at a time. They’ll no doubt be preparing for a boost in users as workers are increasingly set to work from home, but there will almost certainly be disruption during peak hours and you might receive emails such as this:
If you are suddenly unable to access the system, or it repeatedly crashes, don’t simply assume that a cyber attack is to blame. It’s far more likely that the servers are overwhelmed.
Those who are in any doubt should contact their IT department for guidance.
Remote workers are a massive security weakness
Cyber criminals will be licking their lips at the prospect of a lockdown scenario. As we’ve already demonstrated, they aren’t above exploiting COVID-19 for their own ends, and because they already operate from the comfort of their own homes, the outbreak will have little impact on their ability to conduct attacks.
Meanwhile, the prospect of millions of employees working from home presents all kinds of opportunities for new schemes.
Remote working is an information security risk at the best of times – albeit one that can be managed through effective planning.
For example, employees can take training courses to understand their security obligations – websites they should avoid, how to prevent unauthorised people viewing sensitive information, managing updates and patches on their devices, etc.
Organisations can also set up controls that mitigate risks, such as restricting remote workers’ access to third-party websites that are especially vulnerable when employees’ connections aren’t protected by on-premises defences such as firewalls.
However, many of those measures simply won’t be possible in a lockdown scenario – either because the organisation doesn’t have time to implement them or because it has no plan for workarounds.
When remote workers are banned from using vulnerable systems, for example, they can either wait until they’re back in the office to perform the relevant task or ask a colleague to do it. But if everyone’s working from home for the foreseeable future, then what?
Management will have to decide whether to suspend whatever practice requires the use of that site, or to lift the restrictions and expose the organisation to a cyber attack.
Meanwhile, the rapid onset of remote working en masse means many employees won’t get the training they need to manage risks effectively.
Suddenly you have an entire workforce trying to do their jobs with insufficient training, perhaps with unfamiliar kit, away from the protections that the office provides them and distracted by daily updates of a devastating pandemic.
For cyber criminals, it will be like shooting fish in a barrel unless organisations prepare their employees.
Do staff understand the risks?
Educate your employees on the steps they must take to stay safe while working remotely with our Complete Staff Awareness E-learning Suite.
This online solution covers everything you need to know, from organisations’ legal requirements to specific issues that employees face, such as phishing emails and social media scams.
Because it’s an online course, you can roll it out to staff who are already working from home without jeopardising their safety.