By Steve Sanders

Any event like the COVID-19 pandemic is accompanied by increased risk of cybersecurity threats. Unfortunately, cyber criminals are adept at taking advantage of the increasing vulnerabilities stemming from remote work environments. During this time, it is critical that you and your institution’s employees exercise caution and remain nimble in your cyber defenses to prevent falling victim to one of the many attacks and scams.

PANDEMIC-RELATED CYBERSECURITY THREATS

As many employees work from home or participate in hybrid work schedules, criminals understand normal operating procedures may not be in place for many institutions during this time. Criminals use psychological principles, especially in times like this, to coerce us into doing things we might not do in normal circumstances. So, employees may be more susceptible to fraud with remote working procedures in place.

From malicious websites to emails containing phishing links or attachments, scammers are targeting financial institutions with a variety of tactics. As these attacks continue, your institution must maintain a heightened sense of awareness — especially as employees work remotely — and understand the latest cybercrime trends.

The easiest way to infiltrate a business continues to be through email because it is the primary means of internal and external communication at every enterprise. Its prevalent use allows criminals to replicate their attacks again and again across a multitude of organizations.

As we continue to seek the latest information on the pandemic, email-related schemes may be particularly effective. The only way to win is by staying one step ahead and recognizing cyber criminals’ latest tricks, including:

Phishing
McAfee, the global computer security company, reported a spike in phishing scams during early 2020 as institutions adjusted to remote work. Scammers are sending phishing emails that appear to come from familiar organizations, and many of these emails contain correct spelling and grammar, along with logos and brand colors identical to the real thing. Criminals have significantly increased the level of sophistication in their traditional phishing attempts, requiring employees to exert a higher level of discernment.

Lateral phishing
On top of that, cyber criminals are exploiting “lateral phishing.” As CSO Online explains, “Attackers use hijacked accounts they’ve recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the company to partners at other organizations.” Since the email is sent from a known source, the recipient is not likely to suspect foul play. This technique has even fooled email protection systems, making it all the more important for employees to exercise caution.

Malicious websites
Websites are being created to provide information about topics related to the pandemic, with many containing the word “corona” in the name. Unfortunately, many of these sites are fake and designed to impersonate legitimate sites. According to CSO Online, of the 1.2 million domains registered with COVID-related keywords, at least 86,000 were classified as risky or malicious.

Business Email Compromise (BEC)
BEC scams are not new, but cyber criminals are continuing to rely upon this tactic to target victims. The FBI issued a warning in April 2020 about an increase in pandemic-related BEC scams targeting organizations from financial institutions to municipalities, warning that fraudsters are using the uncertainty surrounding the pandemic to their advantage. The Financial Crimes Enforcement Network (FinCEN) recently warned that a common BEC scam involves criminals convincing companies to redirect or alter payments, blaming the changes on pandemic-related operations. The emails in the scams are becoming more sophisticated, with scammers sending emails from a trusted company with whom the victim would normally conduct business.

While email is the typical point of access, malware is the criminal payload it injects into a target’s systems. Here are some examples of malware that fraudsters commonly deploy:

Spyware
This malware secretly observes your activity. It can take the annoying, but relatively harmless, form of adware and cookies, but far more concerning is spyware in the form of keyloggers, stealware and system monitors. The primary goal of destructive spyware is to covertly steal information like passwords or credit card numbers that can be used to commit identity theft and fraud. During the pandemic, cyber criminals have copied legitimate COVID-19 trackers and launched them in malicious domains to target victims.

Ransomware
Once installed, this type of malware locks out the authorized user and encrypts the available data to be held for ransom. In March, security vendor Carbon Black reported a 148% increase in ransomware attacks — which included a large increase in attacks on financial institutions — compared to the previous month.

Cryptojacking/cryptomining
This form of malware allows a hacker to use a victim’s computer to mine cryptocurrency and is much less conspicuous than ransomware. Cryptojacking allows cyber criminals to operate in the background, and the user may only experience an unexplained drag on system performance. This means miners can continuously earn more money with less chance of being identified or caught than with ransomware. The risk to organizations manifests in increased help desk and IT costs trying to identify and fix the problem.

DEFENDING AGAINST CYBERSECURITY THREATS

Again, since so many employees are working from home, normal software and operating system update procedures may not work as planned. Cyber criminals are keenly aware of this vulnerability, and they are prepared to take advantage of any security weakness that becomes available.

Awareness is the first step toward protecting your institution from cybersecurity threats. The second step is adopting an appropriate cybersecurity framework for your institution’s size and risk profile. This strategic tool is meant to deliberately inform your cybersecurity decision making. Employ the following strategies to help ensure your institution remains secure:

Employee cybersecurity awareness training
Conducting awareness campaigns throughout the year that provide information on the latest threats is the best way to keep your employees on guard against phishing and other types of social engineering.

Network security
Ensuring your institution has secure internet and remote virtual private network (VPN) access is crucial. Make sure you have the appropriate technology in place to detect malicious files or unusual activity, including malware detection. Segmenting your networks also limits the damage from a malicious attack.

Penetration testing
For additional protection against threats, financial institutions should identify network vulnerabilities using penetration testing tools. By testing your security infrastructure against the real-world tactics used by cyber criminals to exploit your network, your organization can strengthen its security and compliance.

Vulnerability patching
Establish a process and schedule for fixing vulnerabilities as soon as possible after they are identified. Business-critical and enterprise-wide systems should receive the highest priority, but this is important for any hardware or software used in your environment.

Web content filtering
Especially important in remote work environments where employees are out from behind your firewall, web content filtering tools provide additional layers of security to prevent your employees from accessing malicious websites.

Acceptable use policies
Ensure your employees are familiar with your acceptable use policies for devices, including avoiding using company-owned devices for personal business such as e-commerce.

As we continue adapting to the evolving COVID-19 situation, financial institutions and their employees must remain vigilant against cybersecurity threats.

TIPS FOR PROTECTING YOUR INSTITUTION

As the pandemic situation continues to evolve, exercising caution is critical. Stress and unusual circumstances can cause us to be more susceptible to social engineering. In addition to implementing the strategies previously mentioned, protect yourself and your institution’s employees with frequent reminders, including the following:

  • Never click on links or open attachments from an email you weren’t expecting.
  • If you receive an email from a high-level executive or trusted vendor with an unusual or suspicious request, including a request involving a financial transaction, use a method other than email to confirm their message.
  • If you receive a suspicious email that appears to come from an official organization, such as the FDIC or FTC, report the email to your security team to investigate.
  • If you want to make a charitable donation, go directly to the charity’s website to submit your payment. Type the charity’s web address into your browser instead of clicking on links in emails or other messages.
  • When security updates are available, encourage employees to be diligent in installing such updates to prevent hackers from gaining access through a vulnerability associated with an out-of-date system.

Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Sanders is a CISA, CRISC, CRMA and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.

Published with permission from CSI