News & Events

Malta News - 23/04/2020

Watch out for cybercrime during COVID-19 pandemic

Author: George Mangion
Published on Malta BusinessToday 23 April 2020

Watch out for cybercrime during COVID-19 pandemicAs most businesses on lockdown are relying on staff working remotely at homes, one regrets that the incidence of cybercrime is another unexpected headache. Across the globe, we notice how COVID-19 infections have increased over the past month, (albeit in South Korea, one is noticing a drop in the number of infected cases) yet we’ve seen an unsettling trend of cybercriminals taking advantage of this pandemic by targeting small businesses through phishing emails.

As most businesses on lockdown are relying on staff working remotely at homes, one regrets that the incidence of cybercrime is another unexpected headache.

Unfortunately, it is not common for small businesses to afford time and expertise to build a business continuity plan.  This is a roadmap that helps firms prevent and respond to cyberattacks or breaches. The same types of thefts using deception encountered during the COVID-19 crisis have existed before, but criminals have adapted their modi operandi to the current situation.

The number of attempts involving these types of thefts and scams is likely to increase in Malta. Ideally, as a means to defend local firms, they can be advised to engage a designated team of key personnel assigned to specific response roles to face such a breach scenario.  The best line of defense in any phishing attempt is to educate staff, now mostly working online at home: to take steps to increase your employees’ acumen in both recognizing and reporting phishing emails.  Staff should avoid using emailed links as much as possible.

The ability to conduct Incident response planning, including tabletop exercises, will help firms when such attacks occur. One may ask, is this a storm in a teacup? Not really watch how for instance, in the UK, phishing is becoming a common occurrence. One of the latest scams involve criminals asking for donations to help the National Health Service fight COVID-19, and total losses of those targeted had reached £1.6m as of the beginning of April.

Typically, one reads about advice given by security experts that cybercriminals are increasingly sending coronavirus-themed phishing emails designed to resemble reputable organizations such as the US Centers for Disease Control (CDC) or the World Health Organization (WHO).

As can be expected, ransomware operators have escalated the targeting of hospitals. Some darknet markets have become overcrowded with listings for PPE products and fraudulent COVID-19 cures.

One case involved the transfer of €6.6 million from a company to another company in Singapore to purchase alcohol gels and masks. The goods were never received. In another case, an EU company attempted to purchase 3.85 million masks and lost €300,000. The pandemic has overnight created a particularly high demand for certain types of healthcare and PPE products (masks, gloves, cleaning products, pharmaceutical products).

There is a risk that counterfeiters will use acute shortages in the supply of these goods to increasingly provide counterfeit alternatives. This may include sub-standard or counterfeit foods, hygiene items, and other everyday goods. This acute scarcity yields a fertile land for fraudsters to create a substantial market for product counterfeiters, fraudsters, and profiteers.  Some instances, such as the distribution of fake corona home testing kits, are particularly worrying from a public health perspective.

There is no limit for a scammer’s ingenuity on how to manipulate unprecedented fears surrounding the virus to fleece victims at every possible opportunity. The media has revealed how fraudsters are setting up fraudulent COVID charities, sadly, anything you can think of — cybercriminals can be quite creative. It comes as no surprise that fraudsters have been very quick to adapt well-known fraud schemes to target individual citizens, businesses, and public organisations.

These include various types of adapted versions of telephone fraud schemes, supply scams, and decontamination scams.  Fraud linked to the current pandemic is likely highly profitable for the criminals involved as they attempt to capitalise on the anxieties and fears of victims throughout this crisis period.

At this juncture, one may ask what is a phishing email? The answer is that it is a type of social engineering scam, that uses email or malicious websites to solicit personal information by posing as a trustworthy organization. Some phishing emails even offer health advice on how to protect yourself against the coronavirus from counterfeit health-care professionals.

This can be an ideal time for such criminals to play on the weakness of small firms and others to willingly donate funds to fake charities or even open up databases by malicious means. This is easily done. For example, by deceit one is encouraged to click a link in these fake emails which could potentially install malware on your computer, or land you on a phishing page where your credentials could be compromised.

It looks dangerously easy at a time when staff are working from home and do not benefit from immediate IT advice. Ideally, the staff at home should be aware of such pitfalls.  Experts tell us that the most effective response to a phishing attack should begin before any attack occurs. Most advise that if employees have access to sensitive data, they should be provided a company-controlled and secured laptop, inclusive of encrypted hard drives.

While ideally, everyone will have a secure laptop to work remotely, that may not be a financial reality for small firms. If you need to prioritize, focus on the high-risk employees based on the sensitivity of the data they need to access.

Try to limit the options for employees to save data out of secured locations to their own devices.

Ensure you establish and communicate clear expectations of the work-from-home strategy. While the rush to secure jobs and making use of remote access to company databases was the first priority, little regard was given to the risks the company will be exposed due to cybercrime.

Experts tell us that if firms may not be able to implement full technical controls to manage risk, then the next step in the circumstances is to start training employees on how to work efficiently and securely. In conclusion, a severe pandemic has paralyzed global business in many sectors with potentially devastating consequences to human life and the operational stability of the economy.

George Mangion

 

Author: George Mangion
Published on Malta BusinessToday 23 April 2020
Get in touch: info@pkfmalta.com