How has COVID-19 left business vulnerable to cyber attacks?
The effects of coronavirus have not gone unnoticed in the workplace. Back in March 2020, most of us packed up our desks and moved into makeshift home offices; over 9.9 million of us were furloughed, and the latest statistics show that unemployment has risen to 1.69 million in the UK alone.
The way in which businesses quickly adapted to the pandemic left security systems vulnerable to cyber attacks and criminal infiltration. In this blog, we discuss the top five cyber frauds you should be aware of in the current climate and the ways in which you can minimise the risks.
Increased risk of cyber attacks
For many businesses and organisations, cyber security and planned IT security improvement programmes were put on hold while other operational challenges were prioritised. In addition, the increased use of remote access tools by employees working from home increases the risk of cyber attacks.
Malicious cyber criminals can take advantage of this by:
- Targeting remote access systems with denial of service attacks, disrupting business operations, or attempting to extort money.
- Increasing phishing attacks.
- Compromising home Wi-Fi networks and accessing IT systems via insecure VPNs.
CEO fraud and impersonation fraud
CEO fraud and impersonation fraud involve employees within an organisation receiving emails seemingly from a senior executive, instructing them to transfer money to a cyber criminal's account or requesting confidential financial information. This may be carried out in one of two ways:
- Name spoofing – uses the name of the CEO but a different email address (which might look similar to the company’s email address).
- Name and email spoofing – the CEO’s email address has been compromised and the attacker uses the CEO’s name and genuine email address.
It has also been known for fraudsters to pose as the company IT team, through emails or calls, to obtain passwords or to get malicious software downloaded onto IT systems. Our current working circumstances increase the risk of these types of fraud: more of us are working from home, and this can be used as justification for unusual and non-routine procedures and processes.
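The two variants above differ in what a mail filter can see: name spoofing leaves the sender address outside the company domain (or on a lookalike), while name-and-email spoofing uses the genuine address and can only be caught by out-of-band verification. The following added example (not code from the original post) flags the first variant; the executive list, company domain and sample headers are all constructed.

```python
# Added example: classify the From: header of an e-mail against a list of
# known executives to spot the "name spoofing" form of CEO fraud.
# COMPANY_DOMAIN and EXECUTIVES are constructed values for illustration.
from email.utils import parseaddr
from difflib import SequenceMatcher

COMPANY_DOMAIN = "example-corp.co.uk"          # assumed company domain
EXECUTIVES = {                                  # constructed executive list
    "jane smith": "jane.smith@example-corp.co.uk",
    "tom jones": "tom.jones@example-corp.co.uk",
}


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Smith' matches 'jane smith'."""
    return " ".join(name.lower().split())


def lookalike(domain: str, threshold: float = 0.8) -> bool:
    """True when a domain closely resembles, but is not, the company domain."""
    if domain == COMPANY_DOMAIN:
        return False
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= threshold


def classify_sender(from_header: str) -> str:
    """Return a verdict string for a raw From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    exec_addr = EXECUTIVES.get(_norm(name))
    if exec_addr is None:
        return "not-an-executive"
    if addr != exec_addr:
        # Display name matches an executive but the address does not: name spoofing.
        if lookalike(domain):
            return "name-spoofing:lookalike-domain"
        return "name-spoofing:external-domain"
    # Name and address both match. A compromised mailbox (name-and-email spoofing)
    # looks identical here, so payment requests still need out-of-band verification.
    return "genuine-address:verify-out-of-band"
```

A verdict of `genuine-address:verify-out-of-band` is deliberately not a green light; it is the case the page describes as a compromised executive mailbox, which headers alone cannot distinguish from a real request.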
Fraud in the supply chain
Rarely have supply chains faced pressure as immense as that brought on by the COVID-19 outbreak. This increased pressure can increase the risk of fraud in a variety of ways, including:
- Reliance on new and alternative suppliers.
- Lack of quality control and due diligence.
- Risk of improper payments to “grease the wheels”.
Insider fraud
Insider fraud occurs when a current or former employee, contractor or any other party who once had access to confidential data commits fraud by misusing that information, for example by selling data to competitors or using insider information to make personal investments.
According to data shared by the Office for National Statistics, in August 2020 13.3 per 1000 employees were made redundant or took voluntary redundancy. The unprecedented events of 2020 meant that many organisations across the country were forced to make employees, or entire departments, redundant.
Employees who have been made redundant, or who face potential redundancy, might be influenced to steal intellectual property, either for financial gain or to cause reputational and financial damage to the organisation.
Phishing, whaling, and smishing attacks
It’s no surprise that COVID-19 gave cyber criminals long-lived phishing themes: pandemic-focused attacks exploited the heightened anxiety and fear felt throughout the pandemic.
“Phishing” is the use of fake emails or shared links to gather sensitive and confidential information about victims, such as:
- Usernames and login details.
- Bank account details.
Phishing can also be used to deploy malware onto computer systems. Barracuda reported a spike in COVID-19-related phishing attacks from the end of February 2020: 77% were scams, 22% brand impersonation and 1% business email compromise.
“Whaling” is similar to phishing but is targeted and aimed at senior level staff within a business. For example, a CEO or Senior Executive may receive a fraudulent email from a trusted supplier, partner, or employee requesting a transfer of funds.
“Smishing” is a phishing-style fraud carried out using SMS. Common examples include text messages seemingly from HMRC ‘informing’ victims of tax refunds they are owed.
How can you protect yourself against cyber criminals?
The different types of fraud listed above are examples of how cyber criminals exploit the remoteness of individuals through technology, either by gaining unauthorised access to a business’s computer systems or by having payments made to a fraudulent recipient, usually with the unintentional assistance of a member of staff. Alternatively, employees themselves can pose a threat to the business through supply chain fraud or insider fraud.
Because of this, it is essential for organisations to monitor the activity of all employees while they are working from home. Organisations should introduce processes to identify any suspicious or threatening activity, and ensure that all employees are properly trained on the potential threats to the business and how to identify them during these uncertain times.
Here are our recommendations, which will help to mitigate the risk of fraudulent activity taking place in your business:
- Ensure that remote access systems are patched and secure for employees working from home.
- Have adequate security controls in place that can withstand distributed denial-of-service attacks.
- Provide employees with guidance and training on potentially fraudulent activity such as how to avoid cyber security breaches and how to spot suspicious activity.
- Agree on internal procedures and implement additional verification procedures before making payments.
- Ensure any electronic invoices are genuine by:
  - contacting various individuals to validate the notification;
  - verifying the email address you have received the email from; and
  - sending a new email to a known contact rather than replying directly to the email received.
- Ensure existing policies and procedures are effective and up-to-date.
- Practise due diligence.
- Monitor financial controls and ensure that they are adequate.