As if dealing with a global health pandemic and a devastating economic downturn weren’t enough, the public needs to be aware of a growing effort by cybercriminals to hack our personal and professional data, according to a cybersecurity expert.
“Cyber criminals and hackers are taking advantage of the COVID-19 pandemic, especially because many of us are now working, living and socializing full-time at home,” explained Phillip Ferraro, managing director of the JPMorgan Chase’s Client Cybersecurity Awareness Program. “That’s often less formal and less secure than working in the office.”
Ferraro, who has spent nearly two decades in top cybersecurity roles at the U.S. Department of Defense, military contractors and Fortune 500 companies, spoke during a Delaware Business Times- and JPMorgan Chase-sponsored webinar Aug. 5 about the risks that come to businesses through email, phone calls, texts, and more.
The attacks typically come through what’s known in IT industry terms as “phishing,” or a cybercriminal posing as someone else to get an unwitting victim to do something.
Sensing an opportunity, phishers are increasingly using fear over the COVID-19 virus to contact potential victims, Ferraro said, noting that pandemic-related phishing attempts have increased 1,000%, according to a recent study. Those tactics have evolved over the months as well.
Cybercriminals have built COVID-19 tracking map apps with embedded malware that infect the user’s hardware if installed. As the pandemic grew in America, phishers began sending out emails offering information on the virus purportedly coming from trusted sources like the U.S. Centers for Disease Control and Prevention or the World Health Organization, seeking to get victims to click links. Cybercriminals even began calling people while posing as health officials and asking for personal identity information that could help them crack into sensitive accounts.
“Sometimes they even suggested that a family member was infected with the coronavirus,” Ferraro said.
The No. 1 way for phishers to make contact is through email, because it can be done quickly, cheaply, and en masse. Ferraro recommended that users be wary of several email factors:
- Is the purported sender’s email coming from an address familiar to you?
- Is there a subject line?
- Is the email rife with spelling or grammatical errors?
- Does the email urge you to act quickly?
- Does a link in the email hide its origin?
If a recipient sees any of these factors, it should give them pause, Ferraro said.
“If you get an email asking you to take some action, especially if they say you must take this action urgently, pick up the phone and call the person or the company directly on a known number,” he advised.
Cybercriminals have also become more sophisticated and when targeting businesses will employ “spear phishing,” or conducting online reconnaissance of a business to selectively target individuals with access to sensitive information, such as financials. In doing so, they often will also create “spoofed” domain names, or website names that are very close to ones you may be familiar with, changing just a single letter that you might overlook if scanning quickly, he explained.
“They particularly love to search social media sites such as LinkedIn and other legitimate places. That’s why it’s important for you and your employees to limit the amount of information that you post on social media,” Ferraro said.
That becomes even more important with the rise in business email compromise, where a cybercriminal gains access to a business’s computer systems. In those scenarios, a hacker can study a company’s financials and business practices, and typically retains access for upward of six months before detection. By then, they have likely spotted an opportunity to request a wire transfer from the finance department to a bank account in their control. In 2019 alone, U.S. companies lost $1.77 billion in such scams, according to a recent FBI report.
Allowing hackers to gain access to your systems also increases the risk of a ransomware attack, where they can cut off your access to your system until you pay a ransom. U.S. companies, ranging from large corporations down to very small businesses, lost more than $7 billion in such attacks last year.
A scam tactic prospering in the pandemic is invoice fraud, where a fraudster submits an invoice similar to one that a business may routinely pay but with altered bank account info, Ferraro said. With companies often buying supplies and materials from new vendors amid pandemic-spurred shortages right now, employees need to be confident in all payments.
Among the measures that Ferraro recommends to safeguard a company from these many threats are establishing a strong password policy that requires complex passwords that are different that an employee’s personal accounts; running antivirus software on all company and personal devices; using multi-factor account verification when possible; restricting who has access to sensitive info; backing up sensitive info frequently; and considering a virtual private network (VPN) for all remote working, especially during the pandemic as many employees are not in the office.
Although business owners face a growing number of threats through the internet, Ferraro said they are best served by remaining vigilant in their inspection of communications, requiring dual approvals for payments, and calling a recipient regarding any suspicious requests.
By Jacob Owens