Beware of COVID-19 Cyber-Fraud

Concept of cyber crime, hand holding smartphone and show malware screen that comes with email, hack password from bank accounts and personal data.
©Sitthiphong, adobe.stock.com

With the COVID-19 crisis sweeping the globe, cyber criminals are aiming to exploit people’s fear and uncertainty, preying on the current weaknesses most businesses and individuals are facing, including temporary closings. Scammers and fraudsters are taking advantage of rapidly changing data and facts associated with COVID-19, both in the workplace and in our homes. Government agencies, corporations and news outlets continue to warn individuals to be mindful of increased fraudulent activities during these uncertain times.

These scams, which can be sent via email, text message and social media, claim to provide COVID-19 updates, sell products, ask for charitable donations or reference government aid packages. Messages appear legitimate but seek to fraudulently obtain personal data, financial gain and to create panic. Use the following tips to identify and avoid scams:

Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts claiming to have inside information on the virus. There are currently no vaccines, potions, lozenges or other prescriptions available online or in-store to treat or cure COVID-19.

Do your homework before donating to charities or crowdfunding sites. Fraudsters are advertising fake charities. Do not let anyone rush you into a donation, particularly those who ask for cash, gift cards or wiring of funds.

Do not click on links or open attachments from unknown sources. Cyber-criminals are using COVID-19 to spread viruses and steal information. Do not provide personal, payment or sensitive workplace information via suspicious email addresses.

Be suspicious of urgent demands and emergency requests. Do not fall for scammers threatening fees or fines, canceled deliveries and health concerns in exchange for financial gain.

If it sounds too good to be true, it likely is. Many individuals are receiving robocalls and social media requests for Social Security numbers, banking information and gift cards. Scammers promise high-paying work from home opportunities, free sanitation and cleaning, as well as COVID-19 protection in exchange for payment and sensitive information.

Be mindful of scammers using government aid packages for gain. The government will not request payment, nor will anyone reach out requesting personally sensitive health or financial information in exchange for financial support.

Get news from a trusted source. Be mindful of text message scams, social media polls and fraudulent email accounts sharing false information to create panic. Before acting on information, review its source and check a trusted news outlet to confirm its validity. If you believe you have fallen victim to a scam, call your local police at their non-emergency number and consider reporting to the FBI’s IC3 Internet Crime Database.

Now more than ever, as operations are moving towards more digital platforms, their exposures to enhanced cyber-risk and vulnerability are increased as well. While dealing and recovering with the aftermath of the pandemic, more businesses are at a higher risk of becoming the victims of cyberattacks. In one prevalent tactic known as “social engineering,” criminals gather information and then form relationships with key people to execute their plan, often via email. Sophisticated methods can fool even the most trained employee into releasing sensitive data. Several methods of social engineering are seen frequently, such as:

Business Email Compromise (BEC)

The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A wire transfer, W-2 forms or other sensitive information from the compromised email account is requested from someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.

Spear phishing is an email aimed at a particular individual or organization, desiring unauthorized access to crucial information. These hacks are most likely done by individuals out for trade secrets, financial gain or military intelligence. These emails appear to originate from within the recipient’s own organization or someone they know personally.

A whale phishing attack centers on high-profile, senior-level employees, such as the president or CEO, aimed at stealing vital information. The term “whaling” signifies the size of the attack. Since they are targeted, whaling attacks are more difficult to notice compared to the standard phishing attacks.

Voice response/phone phishing (aka “vishing”) uses automation to replicate a legitimate sounding message that appears to come from a bank or other financial institution and directs the recipient to respond in order to “verify” confidential information.

Another fraud is bogus invoicing, where a business that has a long-standing relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The request appears similar to a legitimate account and would take very close scrutiny to determine if it was fraudulent.

According to the FBI’s 2019 Internet Crime Report, BEC scams were, by a considerable margin, the most damaging and effective type of cybercrime in 2019. Accounting for half of last year’s cybercrime losses, BEC attacks amounted to $1.77 billion in losses for victims, which is, on average, $75,000 per complaint. All companies should implement basic risk avoidance measures:

• Educate and train employees to be vigilant and recognize fraudulent behavior

• Require verbal or emailed requests for funds or information transfers to be confirmed in person or via phone by the individual making the request

• Consider two-factor authorization for high-level IT and financial security functions and dual signatures on wire transfers above a certain threshold

• Avoid free web-based email. Establish a private company domain and create valid email accounts

• Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchal information and out-of-office details

• Do not open spam or unsolicited email from unknown parties, and do not click on links in the email. These often contain malware that will give subjects access to your computer system.

• Do not use the “Reply” option to respond to any financial emails. Use the “Forward” option and use the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.

• Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.

Despite these efforts, organizations can still fall victim. These incidents can be reported it to the joint FBI/National White-Collar Crime Center at the Internet Crime Complaint Center.

The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat, since these incidents often involve the compromise of personally identifiable information, which can be later used for identity theft of multiple people. This will often trigger legal obligations to investigate the matter and to communicate to affected individuals and regulators. This often leads to litigation and significant financial and reputational harm to businesses. Costs to comply with privacy law can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.

Insurance Protection

Fortunately, crime insurance policies can cover fraudulent funds transfers while cyber-insurance policies may cover costs related to unauthorized access of protected or sensitive information. However, the insurance buyer must be wary of various policy terms and coverage limitations. Some crime policies can contain exclusionary language for cases involving voluntary transfer of funds. Other insurers might add policy language to crime or cyber-policies to cover this situation. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and mitigate the damages.

Working with a specialty insurance broker who understands the issues and negotiates coverage customized toward your business’ risks is key in guaranteeing balance sheet protection and preventing additional disruption. Most importantly, stay safe and vigilant, and we will get through these times together.

Frank DeLucia is a senior vice president of HUB International Northeast, a full-service global insurance brokerage. He can be reached at 212-338-2395 or at frank.delucia@hubinternational.com.