Cybercrime and Social Engineering Threats – COVID-19
Updated: Apr 14, 2020
Criminals thrive during tough fiscal times because they’re adept and skilled at exploiting the emotions of people who desire a better life, wish for better times, or are seeking a solution to the troubles they’re currently facing.
They know how to take advantage of the confusion, the breakdown of “normal” procedures and the proliferation of “misinformation”, and they also understand people’s hunger to know more about what is going on – so more people are likely to click on a link to find out the latest “news”. Appealing to people’s sense of curiosity is a powerful weapon and it is a difficult behavioural pattern for many of us to control.
Whilst we sit back planning how to stay safe, healthy and protect the people and organisations we care about, make no mistake, the criminals are taking the steps they need to exploit the current situation. The Corona Virus, or COVID-19, represents a perfect storm for cybercriminals to take advantage of.
They will develop new techniques, they will use the situation to exploit current victims and opportunities, and, as any good fraudster knows, they will use the age-old trick of 95% facts in any yarn they spiel.
Understanding how the criminals operate, what they do, when they do it and why they do it can better prepare us mentally and emotionally. Emotionally, because our emotions are the biggest target. Most cybercriminal efforts targeting the human element aim to socially engineer a result – click on a link, open an account, plug in a USB, download a file, be directed to a website of “truth”. Social Engineering has been described as “the clever manipulation of the natural human tendency to trust”, but it goes further than that because it also targets our sense of compliance to authority, our recognition of known brands, our willingness to be helpful, stress, pressure and fear, often with a sense of urgency. Social engineering aims to evoke an emotional response rather than a logical response. Gaining an appreciation of your own emotional vulnerabilities through some personal reflection can be incredibly powerful and insightful, allowing you to take control of your own “emotional responses”. Understanding these issues and consciously considering them when you receive a communication of any description can help you keep a “logical” mindset where, instead of “reacting”, you consider, question, evaluate, judge and even be sceptical. Better to delete and walk away than click and deal with the headaches, stresses and consequences.
The average person would be astounded if they were briefed on the magnitude of the cybercriminal enterprise and just how extensive their research and development, support networks, business channel models, specified roles and defined responsibilities are. When conducting investigations into Nigerian Fraud, we saw them migrate from the classic inheritance and business investment operations to online Romance Frauds to take advantage of the uptake of online dating. During that process we uncovered a 72-page “How to…” dossier written by the crooks for the crooks – a step-by-step guide of who to target, what to say and all the contingency planning you can imagine. They have an enterprise and coordinated structure that seeks to take advantage of every opportunity and milk it for all it’s worth. For example, a fraudster who has exhausted the funds of one target will then pass on the victim’s details (for a price) to another criminal, who may wait several months (to allow some financial recovery) and then represent themselves as a member of the Nigerian Economic and Financial Crimes Commission who would be prepared to launch an investigation and recover the lost money – but the investigation will have to be funded by the victim. I’ve seen people lose many hundreds of thousands of dollars over years and then still get squeezed for a mere $30.
It’s important to also understand that highly intelligent people are generally the biggest losers. People with world experience, a tertiary education and success in life, who have become financially independent, are over-represented in the victim stakes. The simple reality is that any person, if presented with the right approach, targeting the right emotion, at the right time, may well fall victim irrespective of intellect.
Accept you will be targeted, understand how they will target you, appreciate you need to prepare yourself emotionally for the approach – all of this will build your resilience and reduce their chances of being successful.
What can we expect to see?
Phishing and Spear Phishing attacks utilising the COVID-19 theme, designed to elicit your personal and financial information, can be expected to increase. We’ve already seen emails and websites providing “vital information” about how to keep you and your family safe. “Sign up here for the latest news and developments”, open an account now! Use a “safe password” – knowing that sadly, still today, most people use the same password on multiple sites, so if you provide them with a “safe password” you’ve potentially provided them with the same password you use on your internet banking page.
Phone calls that may purport to be from a government-endorsed support network offering an early warning service and quick response medical services for a small subscription which you “can sign up for now with your credit card”. Or pretending to be a home grocery delivery service that can provide pasta, flour, and toilet paper!!! Pay now and we will deliver to your door! We will reduce your risk of exposure and guarantee your supply of “essential items” by bringing everything to you.
Business Email Compromise (BEC) fraud will increase as people are working from home and even posting on Social Media that they are doing so! Rule number One – there is no such thing as privacy on the internet. Nothing you “post online” is still under your control. With people no longer being able to call upon the support and guidance of their fellow team members the way they once did, it’s vital they adjust to a new process that affords equal protection. Where a member of the Finance team or Accounts Payable could once turn to the colleague on their left and ask their opinion of the email they just received from the CFO requesting urgent payment of an outstanding invoice, or purchase of a set of gift cards for staff to increase morale during these difficult times… they’re not there. They’re home alone. However, that does not have to be the case. Building the team concept across the landscape of the cyber environment can still be effective in reducing fraudulent impact. But make no mistake, the entities behind BEC will seek to use the current challenges to their advantage and it’s absolutely imperative we don’t inform them of any new mode of operation during these times of COVID-19.
Smishing – fraudulent text messages – carrying malware payloads via links you are urged to click, designed to steal your banking details.
Those people involved in “long distance” relationships – your love interest will be caught up in a foreign country with locked borders and desperately need money for accommodation and food. There will be a new “Corona Virus or COVID-19 Tax” requiring an immediate payment of $5,000 before they can leave the affected country; the financial situation has become so bad in that country that, to avoid any money leaving the country, people are prevented from taking their money with them. These are just some of the excuses and reasons that could be provided to leverage the current relationship.
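The phishing, sign-up-lure and BEC messages described above share a handful of signals a defender can look for before anyone acts on them: a COVID-themed hook, urgency, a request for payment or card details, a request to create an account or hand over a password, a sender outside the organisation claiming an internal role, and links pointing off-domain. The following Python is an added illustration and is not part of the article; it implements a small triage heuristic over constructed sample messages (the keyword lists, the placeholder domains, and the `requires_second_opinion` rule that models the “get a second opinion” process for payment requests are all assumptions made for the example).

```python
"""Triage heuristic for COVID-themed social-engineering messages.

Added example, not from the article. Keyword lists and the second-opinion
rule are illustrative assumptions, not a vetted detection ruleset.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

COVID_THEME = ("covid", "covid-19", "corona", "coronavirus", "pandemic", "lockdown", "quarantine")
URGENCY = ("urgent", "urgently", "immediately", "asap", "today", "right now", "within 24 hours")
PAYMENT = ("invoice", "gift card", "gift cards", "wire transfer", "bank transfer",
           "credit card", "pay now", "subscription")
CREDENTIAL = ("sign up", "password", "verify your account", "log in", "login")
INTERNAL_ROLES = ("cfo", "ceo", "finance", "accounts payable", "payroll", "managing director")


def _matches(text: str, terms) -> bool:
    """Whole-word, case-insensitive match of any term in text."""
    lowered = text.lower()
    return any(re.search(r"\b" + re.escape(t) + r"\b", lowered) for t in terms)


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)


@dataclass
class Triage:
    reasons: list
    requires_second_opinion: bool  # hold payment until a colleague verifies out of band

    @property
    def score(self) -> int:
        return len(self.reasons)


def triage(msg: Message, org_domain: str) -> Triage:
    """Score one message against the signals the article describes."""
    text = f"{msg.subject}\n{msg.body}"
    reasons = []
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    external = sender_domain != org_domain.lower()

    if _matches(text, COVID_THEME):
        reasons.append("covid-themed lure")
    urgent = _matches(text, URGENCY)
    if urgent:
        reasons.append("urgency pressure")
    payment = _matches(text, PAYMENT)
    if payment:
        reasons.append("payment or card details requested")
    if _matches(text, CREDENTIAL):
        reasons.append("account sign-up / credential request")
    if external and _matches(msg.from_name, INTERNAL_ROLES):
        reasons.append(f"external sender ({sender_domain}) claims an internal role")
    for link in msg.links:
        host = (urlparse(link).hostname or "").lower()
        if host != org_domain and not host.endswith("." + org_domain):
            reasons.append(f"link to external host {host}")

    # Assumed policy: any payment request that is urgent or comes from outside
    # the organisation is held for a second opinion before it is actioned.
    return Triage(reasons, requires_second_opinion=payment and (urgent or external))


# Constructed sample messages; the domains are placeholders, not real ones.
ORG = "example-corp.test"
SAMPLES = {
    "bec_gift_cards": Message(
        from_name="Jane Smith (CFO)",
        from_addr="jane.smith@examp1e-corp.test",  # look-alike domain
        subject="Urgent: gift cards for staff morale",
        body="With everyone home during COVID-19 I want to buy gift cards for the team today. "
             "Please purchase them and send me the codes.",
    ),
    "covid_news_signup": Message(
        from_name="COVID-19 Updates",
        from_addr="news@covid-alerts.test",
        subject="Vital information to keep your family safe",
        body="Sign up here for the latest coronavirus news. Choose a safe password for your account.",
        links=["http://covid-alerts.test/signup"],
    ),
    "internal_guidelines": Message(
        from_name="HR Team",
        from_addr="hr@example-corp.test",
        subject="Remote working guidelines",
        body="Please read the attached guidelines for working from home and raise questions with your manager.",
        links=["https://intranet.example-corp.test/remote-working"],
    ),
}


def run_samples() -> dict:
    """Triage every constructed sample against the placeholder organisation domain."""
    return {name: triage(msg, ORG) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: score={result.score} hold_for_second_opinion={result.requires_second_opinion}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

The gift-card request from the look-alike domain collects four reasons and is held for verification; the news sign-up lure scores on theme, credential request and external link but asks for no payment, so it is flagged rather than held; the genuine internal HR note scores zero. The heuristic is deliberately simple: its value is that the hold-for-a-second-opinion step runs even when the message reads as perfectly plausible.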
Fake websites seeking donations for research, victim family support and other humanitarian services that take advantage of people’s generosity and philanthropic natures.
People announcing on Social Media that they’re stuck in a certain location are telling fraudsters far too much. A quick check on their profile – where they are from, who they work for, where their family is – provides the foundation of a social engineering attack to victimise their family, their identity, their employer. Perhaps the criminals will spoof a message to the family requesting urgent financial assistance? Or perhaps, knowing the person works in Accounts Payable, HR Payroll or Finance, an urgent request for payment of an invoice is made that is outside the scope of normal processing, because at the moment – nothing is normal!
Threats and extortion. Could we see criminals use COVID-19 as a weapon: “I have infected your house with an object and won’t tell you where it is until you pay me some money”? Or, “I will infect your home unless you pay me some money”?
Cures. We could possibly see online fund sourcing for the research of cures for COVID-19. Or we could see people that are infected, and announce it online, be approached with quack cures that will cure them in a fraction of the time and remove all physical and medical risk to their bodies and their families.
And there will be others. The key is to know we will be targeted, understand how they operate, and keep to logical, not emotionally led, thinking. Always follow due process, get a second and even third opinion and, if in doubt, delete. I don’t think many would have lost their job for deleting, but I’m sure many have been put in jeopardy for clicking.
Let’s not give the crooks a head-start by putting a target on your back by posting too much information about yourself and your work situation during these challenging times. They don’t need to know, the world doesn’t need to know, exercise restraint, be aware and be safe.
Brian Hay, Executive Director, Cultural Cyber Security