Cybercrime spike as pandemic creates perfect storm for fraud

With COVID-19 increasingly being used as a hook to commit fraud, threatening consumers and businesses of all sizes, a recent industry discussion was held to discuss ‘the rise of financial fraudsters during the pandemic’. The session revealed that fear, uncertainty and misinformation has created an ideal environment for the exploitation of victims.

Speakers at the event included David Emm, Principal Security Researcher at Kaspersky, Claire Hatcher, Global Head of Fraud Prevention Solutions at Kaspersky, Detective Superintendent Neil Jones (Greater Manchester Police) and moderator of the discussion, Martin Smith, Chairman and Founder at SASIG.

Together, they discussed the risks associated with more people having to use online systems for business and personal use, and how an uptake in this activity, fuelled by the coronavirus, has provided fertile ground for fraudsters. They also shared the key steps to improving security for both consumers and businesses.

David Emm kicked off the discussion with the observation that businesses and individuals have now been forced to do everything from home, from banking to shopping and communicating online, which has left many outside of the protective ring usually offered by a corporate network.

At the same time, criminals have also been offered a persistent threat hook. “Consider Valentine’s Day, Black Friday, the Olympics, the World Cup; they’re ‘here today, gone tomorrow’ topics that cybercriminals can latch onto. Frankly, who in the world is not keenly interested in what’s going on with this pandemic? Everybody is, and therefore, fraudsters have a persistent topic that they can milk, week after week. It’s made people even more vulnerable than seasonal events.”

Whilst the topic of COVID-19 continues to be exploited, the nature of attacks remains fairly consistent. Fraudsters are not changing their techniques, tactics or procedures, but they are cashing in and have recognised how important this is, as a global event, and how they can exploit it.

This observation was made by Claire Hatcher who commented: “It’s always a process of, get in through phishing, download some malware, then exploit the human aspect of social engineering to use those credentials. Essentially, the newness is just the context. The attack itself is the same one re-envisaged in the new world we live in, but naturally it has increased a lot, because we are more susceptible now.”

Aside from how the COVID-19 pandemic has impacted the cybersecurity landscape, the following themes emerged on how fraudsters are currently operating and how people can stay protected:

• A shift in focus from threat actors. Almost overnight, fraudsters have shifted their attention to COVID-related opportunities as a route in for phishing scams.
• Dating, courier and online shopping fraud continue to rise. Mandate fraud has decreased by nearly a third, likely because those working in finance and accounts aren’t in the office.
• Fraudsters are getting bolder. There has been an increase in scams asking people to verify who they are by taking a selfie with their driving license held up.
• Larger organisations should take on mentoring roles. Large organisations should mentor smaller businesses; after all, the more resilient their supply chain is, the more they bolster their own defences.
• It’s time to unite against cybercriminals. We must find a way to share information and threat protection tips, at all levels, across law enforcement, government bodies and cybersecurity experts.
• Remote working will become a key consideration for corporate security. For a lot of businesses, lockdown has put a very heavy focus on maintaining business continuity over security. Surviving through the pandemic is important, but it’s also crucial to ensure that staff and organisations are kept protected.

The discussion concluded with attendees agreeing that, while the COVID-19 pandemic has changed the security landscape in several ways, the risks are still manageable. For large organisations, retailers, financial services and governments, it is essential to have a multi-layered approach; not just second-factor authentication, to ensure all the different parameters are continuously analysed. For smaller organisations that don’t have the same money to invest in technology, going back to the basics, for them, and for individuals, is critical.

“Many organisations are going to read about these threats and think, ‘Oh my goodness, what can we do?’ Sometimes, it’s the basic things,” says David Emms.

“Protecting all devices, including mobiles – updating them and backing up data. Just trying to give staff some basic information about not replying to unsolicited texts, using unique passwords and using a password manager helps.

Whilst the basics can’t be overlooked, using a security solution that anyone can operate, no matter their level of technical knowledge, is fundamental. Cybercriminals have become more skillful and this has eroded the effectiveness of traditional perimeter-based security controls. Small office security solutions, which identify and block both malicious e-mails and phishing pages, will also help individuals and businesses become more resilient to these types of attacks.”