Takeaways

Mandatory “stay-at-home” orders have forced many businesses to rely on technology and the internet to facilitate remote work.
An increased reliance on technology presents an increased risk of cybercrime: specifically, phishing, ransomware, and exploiting software vulnerabilities.
Government agencies are tracking the most prevalent threats and issuing guidance for businesses to update their cybersecurity protocols.

Crisis fuels crime: in this case, cybercrime. The coronavirus (COVID-19) global pandemic has created a virtual environment ripe for cyber fraud. Social distancing means an exponential rise in the use of technology for work, education, and leisure. Further, decreased human contact reduces the effectiveness of normal mechanisms of confirming that electronic requests are legitimate. In response, U.S. and international agencies have issued a slew of warnings about governmental impersonators using the pandemic to steal money and personal information or to distribute malware. As of the date of this article, current guidance on the most prevalent cyber threats and mitigation strategies is summarized below.

Note: As the COVID-19 cyber environment is constantly evolving, please be advised that this alert does not cover every instance of cyber vulnerability. Businesses should regularly consult agency guidance on the latest COVID-19 cyber threats. Further, internet-based fraud and crimes can be reported to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center.

Phishing Scams

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert on April 8 citing an increase in phishing campaigns utilizing COVID-19 themes to lure in victims. Phishing is a type of cyber fraud where a malicious cyber actor poses as a trusted source to gain access to sensitive information, such as usernames, passwords, and credit card numbers. See the U.S. Federal Trade Commission’s (FTC) guidance on How to Recognize and Avoid Phishing Scams.

Most phishing attempts are by email. The CISA and NCSC have observed recent attempts using email subjects like “2020 Coronavirus Updates,” “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency).” These emails often contain a “call to action” and encourage victims to visit a website that is used to steal user data.

According to the FBI, phishing emails may be related to:

  • Charitable donations
  • General information on COVID-19 (e.g. from the U.S. Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO))
  • General financial relief
  • Airline carrier refunds
  • Fake cures and vaccines
  • Fake testing kits

However, the CISA and NCSC have also observed recent phishing attempts by robocalls, text messages (SMS), and messaging applications (e.g. WhatsApp). The U.S. Federal Communications Commission (FCC) and the Better Business Bureau (BBB) have identified text messages and robocalls about free COVID-19 home testing kits, mandatory quarantines and testing, health insurance, and other efforts to “prey on virus-related fears.”

COVID-19 related financial relief also increases the risk of malicious cyber actors posing as government agencies asking to verify financial information related to receiving an economic stimulus check. The FBI reminds consumers that government agencies are not sending unsolicited emails or texts asking for private information in order to send stimulus checks. The U.S. Internal Revenue Service (IRS) will distribute payments to most Americans via direct-deposit information that the agency has on file from previous tax filings.

Further, the FBI and the FCC provide the following general “cyber hygiene” and security measure tips:

  • Do not open attachments or click links within emails from senders you don't recognize.
  • Do not respond to calls or texts from unknown numbers, or any others that appear suspicious.
  • Do not provide your username, password, date of birth, social security number, financial data, or other personal information in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (for example, an address that should end in ".gov" ends in ".com" instead).
  • Be cautious if you’re being pressured to share any information or make a payment immediately.
  • Scammers often spoof phone numbers to trick you into answering or responding. Remember that government agencies will never call you to ask for personal information or money.
  • Do not click any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to make sure they weren't hacked.
  • Always check on a charity (for example, by calling or looking at its actual website) before donating.

Specifically, those seeking to donate to charity are cautioned to thoroughly research organizations and pay close attention to organizations with names that are very similar to reputable charities. In general, legitimate charities do not solicit donations through money transfer services.

Ransomware Attacks

Interpol’s Cybercrime Threat Response team has detected a significant increase in ransomware attacks against key organizations and infrastructure responding to the COVID-19 pandemic. Interpol has issued a Purple Notice to police in its 194 member countries alerting them to the heightened ransomware threat.

Ransomware is a type of malware—or malicious software—that denies access to a computer system or data until a ransom is paid. According to the CISA, ransomware is typically spread through phishing emails or by visiting infected websites. As discussed above, Interpol notes that typical phishing emails fraudulently claim to be from government agencies and contain false information or advice regarding COVID-19.

To protect against ransomware, the CISA recommends the following precautions:

  • Update software and operating systems with the latest patches.
  • Never click on links or open attachments in unsolicited emails.
  • Backup data on a regular basis and store backups on a separate device, offline.
  • Restrict users’ permissions to install and run software applications and apply the principle of “least privilege” to all systems and services.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.

Investment Scams

On April 13, the U.S. Securities and Exchange Commission (SEC) updated its February investor alert that warns investors of internet and social media promotions claiming “the products or services of publicly traded companies can prevent, detect, or cure coronavirus, and that the stock of these companies will dramatically increase in value as a result.” Such promotions are often presented as “research reports” and predict a specific “target price.” The SEC also identifies microcap stocks—low-priced stocks issued by small companies—as particularly vulnerable due to a lack of publicly available information.

The SEC cautions investors to carefully research investments, especially those in companies that claim to focus on COVID-19 related products and services. See recent SEC trading suspensions here.

Product Scams

The FTC and the U.S. Food and Drug Administration (FDA) issued joint warning letters to companies selling products claiming to treat or prevent COVID-19. The FDA reminds consumers that “there are no approved vaccines, drugs or investigational products currently available to treat or prevent the virus.” Consumers can sign up for consumer alerts from the FTC here.

The FBI warns consumers about counterfeit products such as sanitizing products and personal protective equipment (PPE) including N95 respirator masks, goggles, full face shields, protective gowns and gloves. More information from the CDC on unapproved or counterfeit PPE can be found here.

Telework Software Vulnerabilities

To maintain productivity while working from home, businesses are heavily relying on software to enable remote access to business applications, resources and shared files during the COVID-19 pandemic. However, an exponential increase in use of such software has also revealed significant gaps in privacy and security measures. Sharing sensitive business information over the internet may allow malicious cyber actors to gain access to confidential files or eavesdrop on virtual conference calls and meetings. According to the FBI, businesses should avoid or limit:

  • Using software from untrusted sources.
  • Sharing sensitive information over VOIP phones, video conferencing equipment, and cloud-based communication systems.
  • Remote desktop sharing.
  • Renting laptops from foreign sources.

The FBI also provides the following “teleworking tips.”

Do:

  • Select trusted and reputable telework software vendors; conduct additional due diligence when selecting foreign-sourced vendors.
  • Restrict access to remote meetings, conference calls, or virtual classrooms, including the use of passwords if possible.
  • Beware of social engineering tactics aimed at revealing sensitive information. Make use of tools that block suspected phishing emails or allow users to report and quarantine them.
  • Beware of advertisements or emails purporting to be from telework software vendors.
  • Always verify the web addresses of legitimate websites or manually type them into the browser.

Don’t:

  • Share links to remote meetings, conference calls or virtual classrooms on open websites or open social media profiles.
  • Open attachments or click links within emails from senders you do not recognize.
  • Enable remote desktop access functions like Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) unless absolutely needed.

Specifically responding to the risks associated with a surge in video conferencing, Senator Edward J. Markey has urged the FTC to issue “comprehensive guidelines for companies that provide online conferencing services, as well as best practices for users.”

New software technologies hold promise for meeting new challenges, but they need to be tested, and users must be trained to use them safely.

Business Email Compromise (BEC)

Business Email Compromise (BEC) occurs when a malicious cyber actor sends a fraudulent email requesting money to be transferred to a new account or to change standard payment practices. BEC typically targets individuals and businesses with the ability to send wire transfers, checks and automated clearing house (ACH) transfers. Malicious cyber actors may use the COVID-19 pandemic to impersonate vendors and request payment outside the normal course of business.

In response, the FBI urges particular caution around the following situations:

  • The use of urgency and last-minute changes in wire instructions or recipient account information;
  • Last-minute changes in established communication platforms or email account addresses;
  • Communications only in email and refusal to communicate via telephone;
  • Requests for advanced payment of services when not previously required; and
  • Requests from employees to change direct deposit information.

The FBI provides the following tips to avoid BEC:

  • Check for last-minute changes in wiring instructions or recipient account information.
  • Verify vendor information via the recipient's contact information on file—do not contact the vendor through the number provided in the email.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's email address appears to match who it is coming from.
  • If you discover you are the victim of a fraudulent incident, immediately contact your financial institution to request a recall of funds, and contact your employer to report irregularities with payroll deposits. As soon as possible, file a complaint with the FBI's Internet Crime Complaint Center at ic3.gov or, for BEC and/or email account compromise (EAC) victims, bec.ic3.gov.
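
The sender-address check in the BEC tips above and the link and domain checks in the FBI/FCC phishing tips earlier can be partly automated at a mail gateway or in a triage script. The following is an added example, not part of the original alert or of any agency tool; the sample message, the `EXPECTED_DOMAINS` mapping and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: names a sender may claim, mapped to the domain on file for them.
EXPECTED_DOMAINS = {"irs": "irs.gov", "cdc": "cdc.gov", "who": "who.int"}

# Constructed sample message (not a real email); example.com/.net are reserved.
SAMPLE = """\
From: "IRS Stimulus Desk" <refunds@irs-gov.example.com>
Reply-To: claims@mailbox.example.net
Subject: 2020 Coronavirus Updates
Content-Type: text/html

<p>Verify your bank details at
<a href="http://irs.gov.example.com/verify">https://www.irs.gov/verify</a></p>
"""

def host_matches(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    """Return a list of findings for sender and link mismatches."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    # 1. Display name claims a known sender but the address is on another domain.
    for brand, domain in EXPECTED_DOMAINS.items():
        if re.search(rf"\b{brand}\b", name.lower()) and not host_matches(from_dom, domain):
            findings.append(f"display name '{name}' but sender domain is {from_dom}")
    # 2. Replies are routed to a different domain than the sender's.
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    # 3. Link text shows one host while the href goes to another.
    anchors = re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.S | re.I)
    for href, text in anchors:
        shown = urlparse(text.strip()).hostname
        target = urlparse(href).hostname
        if shown and target and shown.lower() != target.lower():
            findings.append(f"link shows {shown} but goes to {target}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

A finding from this script is a reason to quarantine or verify through contact details already on file; it does not replace inbound email authentication at the mail server.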

Report Suspicious Financial Activity

The Financial Crimes Enforcement Network (FinCEN) reminds financial institutions to “remain alert about malicious and fraudulent transactions similar to those that occur in the wake of natural disasters.” FinCEN points to its previously issued Advisory to Financial Institutions Regarding Disaster-Related Fraud that outlines potential areas of fraud following natural disasters, such as benefits fraud. Many malicious cyber actors will use the current challenge to attempt to swindle people out of money through imposter frauds, product scams, insider trading or investment scams of the types described above.

Financial institutions must monitor for these types of suspicious activities and should file a Suspicious Activity Report (SAR). Financial institutions are encouraged to review their typologies to ensure that the current circumstances and current fraud scams are being monitored for and investigated.

For suspicious transactions linked to COVID-19, FinCEN is encouraging financial institutions to enter “COVID19” in Field 2 of the SAR template.

Best Practices for Businesses

Now that several weeks of remote work have tested the strength of IT systems and cybersecurity, businesses should continually review and update their business continuity plans and consider the following possible best practices:

  1. Risk and Governance Come From the Top. Senior management should understand technology being deployed and arrangements being made to combat the emergency. Management must make clear that security must be considered throughout new work activities.
  2. Review IT System Security. Confirm with your IT department that the appropriate resources and attention are being directed to defend against risks to your organization’s cyber systems and work from home arrangements. New software should be tested and investigated before being trusted with confidential information.
  3. Communicate With and Train Employees. Carefully explain how employees are expected to utilize systems in a work from home environment. Employees should be instructed on how to access systems and be reminded of cybersecurity precautions to utilize while working remotely, including taking care with respect to their surroundings, phone calls, printing and system access.
  4. Implement Multi-factor Authentication. Implement multi-factor authentication on all remote systems to ensure that access is limited to legitimate, trustworthy personnel. Remind employees of the importance of these systems and having authentication mechanisms, including any required tokens, available and kept secure.
  5. Strengthen Passwords. Remind employees of the importance of keeping up-to-date and strong passwords and protecting those passwords when using their systems in remote locations.
  6. Warn Employees About Phishing. Raise employee awareness of malicious cyber actors using fear over COVID-19 to design phishing emails attempting to trick victims into revealing information. Remind employees of the importance of taking steps to avoid phishing and social engineering attempts to breach their systems and that they should never click on links in unsolicited emails or reveal personal or financial information in response to emails.
  7. Manage Third-Party Vendors. Check in with key third-party service providers to ensure readiness and planning. In the event of their own increased customer demands, do vendors you rely on have the right plans in place?
  8. Review Regulatory Obligations. Businesses should consider regulatory obligations, including any reporting obligations that they may have. Arrangements should be made for any regulatory reporting that may be required, including testing whether there are secure remote systems for such reporting. Confirm that COVID-related scams are being identified and reported.

Pillsbury’s experienced multi-disciplinary COVID-19 Task Force is closely monitoring the global threat of COVID-19 and providing real-time advice across industry sectors, drawing on the firm’s capabilities in crisis management, employment law, insurance recovery, real estate, supply chain management, cybersecurity, corporate and contracts law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 (Coronavirus) Resource Center.
