Beating Covid-19 cybercrime
30 April 2020
With so many people locked down at home in response to pandemic containment, the use of online services is exploding. But what is the risk to businesses? flow shares some tips to stay cyber-safe in a working-from-home environment.
While businesses and households navigate Covid-19, cybercriminals are making the most of the disruption and finding ways of penetrating corporate defences. “Cybercriminals are attacking the computer networks and systems of individuals, businesses and even global organisations at a time when cyber defences might be lowered due to the shift of focus to the health crisis,” reports Interpol [1].
“With a huge number of people teleworking from home, often with outdated security systems, cybercriminals prey on the opportunity to take advantage of this surreal situation and focus even more on cybercriminal activities,” says Europol’s Executive Director, Catherine De Bolle.
As a result, sensitive information on companies and their customers could be put at risk. In the current climate, everyone should pay particular attention to e-mails, text messages and social media posts referencing the pandemic. They could be attempts at fraud.
This article provides an overview of the cyber risks associated with remote access and working from home and provides some practical guidance.
Beware of coronavirus phishing
Criminals are masquerading as reputable authorities to establish a pretext related to the current coronavirus pandemic. These fraudulent messages are designed to get individuals to reveal sensitive information, such as log-in data for online accounts, credit card details and mobile phone numbers, through fake websites.
In other cases, employees may be invited to click on attachments or links, thereby infecting your computer or smartphone with malware that can access sensitive data or encrypt it for the purpose of extortion.
Security experts have observed an increase in these types of phishing attacks via e-mail, text message, phone call, messenger service and social media. On 17 April Google reported that scammers are sending 18 million phishing emails to Gmail users each day [2].
Here are some instances of current fraud variants:
- Fraudsters send out e-mails offering relevant information about Covid-19, for instance on the high-risk areas in the recipient’s city, in the name of a reputable health organisation such as the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC) or the Robert Koch Institute (RKI). This information can allegedly be accessed by clicking on the fraudulent link or by entering the log-in data for the recipient’s e-mail account.
- Crooks contact company managers by phone, e-mail or text message in the guise of a public authority to announce that the company is eligible for a grant under a coronavirus emergency support programme. The managers are requested to supply sensitive details of online accounts in order to facilitate the payment transaction.
- A fake e-mail purportedly from the company’s Human Resources department is sent to employees’ work e-mail addresses; it contains a link purportedly to management guidelines relating to the coronavirus crisis for their perusal.
- A hospital informs employees that they have tested positive for Covid-19; in this context, they are asked to supply personal information or to click on a link.
- Staff receive a text message recommending an app that will allegedly show them people who have tested positive for Covid-19 in their neighbourhood once they have made a small credit card payment.
- Companies are asked to make a donation to the coronavirus cause in the name of a reputable aid organisation. The account details stated are those of a fake PayPal or other account.
- Staff receive a fraudulent message stating that the costs of cancelled flights or booked accommodation will be reimbursed.
- Following a malware attack, a website suddenly appears in employees’ browsers, prompting them to download a malicious app with suggestions on how to protect themselves against the coronavirus.
- An item of fake news takes staff to a website offering products currently in short supply, such as disinfectants, respiratory masks or protective gloves; these will never be delivered.
How to protect against phishing
“Phishing emails remain our biggest cyber threat so we must stay vigilant,” says Carsten Fischer, Deutsche Bank’s Global Head of Information and Security Operations. He advises, “Before clicking on a link in an email ask yourself whether something marked urgent would have really been sent via email with a link. Remember the hacker is only one click away.”
The important thing is to recognise and repel the attacks. Here are some practicalities:
- Do not open any suspicious e-mail without first checking the sender’s address. The full e-mail address will be displayed if you hover over the sender’s name with the mouse.
- If the suspicious e-mail has purportedly come from a reputable organisation, check whether the address it was sent from has the same destination address (domain name) as the organisation’s bona fide internet address.
- How to identify the destination address in an internet address (URL): starting at “://”, look for the next slash; everything in between is the host name, e.g. http(s)://random-words.destinationaddress.com/other-random-words. From the domain ending (“.com”, “.org” or “.de”) move left to the next dot. The part between that dot and the slash to its right is the destination address, in this example destinationaddress.com. Anything to the left of that dot (random-words) is chosen by whoever owns the destination address and says nothing about trustworthiness.
- Never click on attachments or links in an e-mail if you are not absolutely certain that it is trustworthy. Verify the sender of and pretext for sending the e-mail, for instance by phoning a phone number already familiar to you.
- Delete suspicious e-mails immediately.
- Fake log-in pages are often difficult to distinguish from the original. So, never enter confidential information such as credit card details, passwords and other log-in data on websites you have opened by clicking on a link in an unsolicited message.
- Senders and recipients of standard e-mails cannot be sure of one another’s identity or of the integrity of the e-mail’s content. So, only use encrypted e-mails to send sensitive information and only trust e-mails received in encrypted form from your correspondent – this is a system Deutsche Bank uses.
- Never click on links in suspicious text messages, messenger service or social media posts. Even telephone numbers or profiles that appear to be trustworthy can be fake.
- Don’t engage in phone conversations with dubious callers and never divulge sensitive information. To verify that the phone call is genuine, first ask the caller if you can phone back. Use the time at your disposal to check the caller’s identity and the reason for the call – perhaps by making internal inquiries or by phoning the organisation for which he or she claims to work.
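As an added example (not code from the article or from Deutsche Bank), the destination-address rule from the list above turned into a small checker: it extracts the destination address of a link and compares it with an organisation’s bona fide domain. The handling of two-part endings such as “.co.uk” goes beyond the rule as worded and relies on a short assumed list; the sample links are constructed.

```python
from urllib.parse import urlsplit

# Two-part domain endings (assumed, illustrative list): for these the
# destination address needs three labels, e.g. "bbc.co.uk", not "co.uk".
_TWO_PART_ENDINGS = {"co.uk", "org.uk", "com.au", "co.jp"}


def destination_address(url):
    """Return the destination address (registrable domain) of a URL.

    Follows the article's rule: the host name is what sits between "://"
    and the next slash; from the domain ending, step left to the next dot
    and keep everything to the right of that dot.
    """
    if "://" not in url:
        url = "http://" + url          # bare host written without a scheme
    # .hostname drops the scheme, any user:password@ prefix and the port
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host or "." not in host:
        return None                     # e.g. "localhost" or an empty host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_PART_ENDINGS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def matches_organisation(url, bona_fide_domain):
    """True only if the link really leads to the organisation's own domain."""
    dest = destination_address(url)
    return dest is not None and dest == bona_fide_domain.lower()


if __name__ == "__main__":
    # Constructed links: the article's placeholder, the genuine JHU map,
    # and a look-alike whose left-hand labels mimic who.int.
    for link, org in [
        ("http://random-words.destinationaddress.com/other-random-words", None),
        ("https://coronavirus.jhu.edu/map.html", "jhu.edu"),
        ("https://www.who.int.covid-update.example/login", "who.int"),
    ]:
        dest = destination_address(link)
        verdict = "" if org is None else f"  matches {org}: {matches_organisation(link, org)}"
        print(f"{link}\n  destination address: {dest}{verdict}")
```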
Trustworthy sources of information
So what sources of information can you trust? Don’t forget that reputable health and aid organisations will never send e-mails asking you to enter personal information on websites.
If you have questions about the coronavirus pandemic, you can find information on the websites of the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO) and the National Institutes of Health (NIH).
The coronavirus map currently most commonly faked by crooks is the one provided by Johns Hopkins University in the USA. Its genuine internet address is https://coronavirus.jhu.edu/map.html.
The following is a summary of Deutsche Bank processes and we would advise you to check for equivalent safeguards in your interactions with other providers.
- Deutsche Bank never sends its commercial clients e-mails containing links to online banking with a request to enter account numbers or log-in data.
- Commercial clients of Deutsche Bank with access to the Deutsche Bank platform, DB AutoBahn, will note that our platform offers two-factor authentication via a smartphone app for iOS and Android in the form of the DB Secure Authenticator.
- Never log in to online banking on an unfamiliar computer. Further security advice relating to payment transactions involving Deutsche Bank is available here.
- Never use the same password for multiple accounts, otherwise cybercriminals who have managed to steal a password from you could gain access to your other accounts by means of what is known as “credential stuffing”. The risk of this is high if you already use your e-mail address as a user name for several accounts.
- Do not give passwords to others.
- Pick passwords of at least 15 characters in length which contain a mix of upper-case and lower-case letters, numbers and special characters. Such passwords only need to be changed if you suspect that they might have fallen into the wrong hands.
- Never save passwords as digital notes, e.g. in the address book of your smartphone or in documents on your computer, server or in your cloud.
- Use two-factor authentication whenever you can.
Cyber criminals attempt to steal log-in data from your smartphone via infected apps, thereby posing a threat to the security of two-factor authentication systems you have in place.
- Only download apps for your smartphone and tablet from reputable sources such as the Google Play Store or Apple’s App Store.
- Restrict the access rights of your apps. Do not allow an app to access text messages.
- Always keep the operating system of your smartphone and your apps up to date, because updates are generally designed to resolve security vulnerabilities.
- Pay attention to any signs that may indicate the presence of malware on your smartphone: a sluggish device, short battery life, memory that is suddenly full, appearance or disappearance of apps without any input from you.
Risks posed by split operations and working from home
Many employees are currently working from home to prevent the spread of Covid-19 – and there is the risk that certain technical and organisational measures taken by the company to protect sensitive information will prove inadequate.
Precautionary measures such as split operations and the self-quarantine of employees have substantially altered routine workflows, responsibilities and communication channels, thereby providing cyber criminals with new avenues of attack – particularly with respect to social engineering.
A company’s sensitive information could also become accessible to unauthorised persons in the home environment if it is overheard, seen on a screen or left lying around in printed form. Phone calls and conversations could also be exposed via virtual assistants with network capability such as Amazon’s Alexa, Google Home or Facebook Portal.
It is up to management to respond to such risks in a timely fashion. It is of paramount importance to educate and inform employees about technical measures such as the provision of VPN connections, about the rules and arrangements for using private devices for business purposes, and about the particular threats associated with working from home during the current coronavirus pandemic.
Current cases of social engineering
Crooks gather information about staff, customers and suppliers in the course of phone calls as well as online and social media research with a view to identifying potential targets. This allows them to perpetrate successful spear phishing attacks on vulnerable persons in the company, manipulate internal business processes and redirect payments onto fraudulent bank accounts.
Fraudsters are currently exploiting amended stand-in arrangements in companies to perpetrate a new kind of CEO fraud. One version of this involves contacting a newly appointed stand-in via e-mail in the guise of a company employee claiming to have been authorised by the management to approve an urgent payment transaction.
Crooks masquerade as service providers or suppliers to present ostensibly plausible invoices featuring fraudulent account details. A fraudster purportedly working for a company’s house bank could contact a member of the accounting staff by e-mail to request that the latter enter the company’s online banking log-in data on a fake website in order to facilitate payment of a bridging loan applied for in connection with the coronavirus pandemic. The crook will then use this stolen log-in data to save fake bank account details for the company’s payment recipients.
Both management and staff should therefore always take care not to reveal confidential information on internal responsibilities, customer relationships and business processes on social media, on the company’s website or in the course of phone calls with strangers.
Private e-mail accounts, devices and networks
The risk of a cyber-attack is particularly high in cases where business information is sent digitally to private e-mail accounts, devices and networks, thereby removing the information from the company’s technical protection.
Management and staff alike should consequently refrain from using private applications for business purposes. Where private devices are used for work, they should only be used to access the company’s networks and applications via a virtual private network (VPN).
Video conferences and online collaboration
Cyber criminals can gain access to telephone and video conferences if they manage to get hold of the respective log-in data and conference times – for instance via an intercepted e-mail or one that has been forwarded in error. Organisers of these meetings should specify a password for use by participants and send it to them in advance, separately from the meeting ID.
Check to see which video-conferencing applications can be used by staff in compliance with data protection provisions.
Up to 200 million people a day are currently using the video-conferencing application Zoom, because it is so easy to operate [3]. However, strangers can access a Zoom call if the organiser has failed to provide a password for participants. There have also been technical security vulnerabilities associated with the use of Zoom. Users should nevertheless take care to update the Zoom app regularly and to use password protection for calls.
Collaboration applications such as Google Docs and Slack make it easier for teams whose members are in different locations to work together. However, if access authorisations are not assigned painstakingly, unauthorised persons will also be able to access these kinds of confidential communication – for instance, if participants are able to log in using any private e-mail address.
Useful security tips for employees working from home
In March 2020 the World Economic Forum noted: “One of the key public health responses to the global coronavirus pandemic has been social distancing – avoiding large groups of people in close quarters in order to inhibit the spread of COVID-19, the disease caused by the virus. Along with shutting down sports leagues, closing churches and stores and limiting restaurants to take-out service only, a major tactic for social distancing has been encouraging – or requiring – people to work from home.” [4]
Various commentators have observed that once the pandemic is behind us, working at home rather than in an office will grow and that businesses will be reviewing their real estate and facilities needs in the light of what worked during the crisis.
Maintaining a clear divide between work and home in the home environment is of paramount importance – for social and mental health reasons, but above all for security. Do not reveal any business information in your private social media profiles, and it would be advisable not to make it publicly known that you are currently working from home.
Here are some other security tips when working from home:
- Do not use private e-mail accounts, text messages and social media for business purposes.
- Wherever possible, sensitive phone calls made on your private smartphone should be re-routed so that they are conducted using your landline business number.
- Only use the video and telephone conference and collaboration platform solutions approved by your company.
- Only save sensitive work-related information in your company’s protected network. It should never be saved on private storage media – neither on the computer’s hard drive, nor on mobile storage media or in your cloud.
- Always keep the operating systems and software of your private computer and home router up to date by downloading manufacturer updates regularly. By doing so, you will be protecting both your own sensitive data and the systems of your company if you access these from home.
- Install anti-virus software on your private devices and keep it up to date.
- Protect your router with a strong password of at least 24 characters in length, otherwise crooks could install malware remotely on your devices. Cyber criminals are currently using this method to lure you onto fraudulent websites related in some way to the coronavirus pandemic. Back up your data regularly.
- Don’t use the automatic form-filling function to complete inputs.
- Do not list company contacts in your private address book on your smartphone.
- Never make sensitive work-related phone calls from places where you could be overheard by others.
- Ensure that nobody else can look at your screen and glimpse sensitive documents while you are working.
- Activate the locking feature whenever you take a break. Use a secure password that only you know.
- Make sure you keep your desk clear and uncluttered leaving no papers unattended even when working from home.
- Only use social media for work-related communication if expressly permitted to do so.