Cybersecurity experts warn the scramble to stay afloat through the COVID-19 pandemic is leaving businesses open to cyber attacks that could cost them everything.
The crisis has unleashed a wave of cyber attacks, with hackers and scammers taking advantage of widespread chaos, anxiety and the sudden mass migration to remote work to do their worst.
No target is too big or too small.
The U.S. Department of Health and Human Services was hit with a cyber attack March 15, and a major COVID-19 testing hub in the Czech Republic suffered a ransomware attack that same week. Europol arrested a man over a business email scam promising quick delivery of FFP2 surgical masks, which defrauded a pharmaceutical company out of €6.64 million. Distributed denial-of-service attacks — which are cheap and easy to run — are climbing. Individuals are also easy prey. A Google report found 522,495 phishing websites (many relating to fake COVID-19 treatments) were active in March — a 350 percent increase since the start of the year.
Phishing, vishing, spear phishing and smishing (that’s phishing via text message) are all spiking thanks to COVID-19. Cybercriminals are opportunists, and a pandemic presents the right conditions.
An ideal attack will catch you while you’re busy or distracted; it’ll make you react emotionally — in fear, sympathy or panic; and it will force a sense of urgency to make you ignore precautions and warning signs. So for a hacker, this crisis has it all.
“You cannot find a phishing or vishing news story that does not involve COVID-19,” Christopher Hadnagy, chief human hacker at Social-Engineer LLC, told the Business Journal.
“We have a bunch of people that are not used to working from home, and then they get an email that says it’s from HR saying, ‘Since you’re working at home, we need you to approve this, or we need you to use this program to communicate with the office — install this.’ All of these attacks are working. People are falling for it, because your normal protocols like standing up over the [cubicle] and saying, ‘Hey, did you send me this email?’ are gone.
“In addition, there’s brand new technology — like Zoom — so having your company ask you to install a foreign program is something that everyone’s accepting now.”
With employees scattered and work patterns upended, people struggle to figure out which requests are legitimate and which are dangerous.
“They’re just not used to those types of attacks,” Hadnagy said. “You take, on top of that, a world pandemic — social isolation, staying at home from work, not being with your family — these things have created an environment where fear reigns. Now if you get this email that says, ‘Due to COVID-19, the company is requiring you to do this,’ you’re mixing in fear with new technology and it’s working perfectly as an attack vector — it’s terrible. It’s perfect in a bad way, because it’s working.”
Employees new to the tools and tech needed for remote work are vulnerable. And if they haven’t been taught the cybersecurity measures needed outside the office, the whole company can become easy prey for cybercriminals.
“You have this scenario where it’s the perfect storm,” Hadnagy said, “and yes, we’re seeing a massive increase in all of these attacks — massive.”
“Everyone’s struggling to pivot quickly to try and overcome things,” said Shawn Murray, chief academic officer and president/CEO at Murray Security Services and lead cyber expert at Pikes Peak SBDC. The pandemic has paved the way for a surge in social engineering attacks, he said, because people are so vulnerable right now.
“They’re trying to stay alive, they’re trying to stay viable, they’re trying to stay employed through a small business, they’re trying to stay up — and they’re stressed out,” he said.
For hackers, it’s paying off. As of March 30, the FBI’s Internet Crime Complaint Center (IC3) had already received and reviewed more than 1,200 complaints about online COVID-19 scams.
Murray and Hadnagy explained some of the blind spots cybercriminals are exploiting.
Zoom, Slack, Microsoft Teams, Dropbox, GoToMeeting: Offices are switching to technologies and platforms they’ve rarely — or never — needed before.
“If you’re going to adopt new tech, secure it, configure it — consider cybersecurity,” Murray said. “If you don’t know anything about the tech that you’re using, ask somebody. There’s a lot of organizations out there offering to do this at no cost.”
Among them: the Information Systems Security Association, International Information System Security Certification Consortium, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“There’s so many resources that are out there. Before you just jump into a piece of technology, make sure that you’re doing a little bit of homework,” Murray said.
If you’re using an online platform (like Office 365, Mimecast or Azure), it’s critical to configure it correctly so each employee only has the level of access needed to do their job. That way, if one employee is hacked or phished, you haven’t handed a cybercriminal the keys to your whole business.
“You have to lock things down the same way in the cloud platform as you would in the on-premises environment,” Murray said.
THE HOME FRONT
Home offices leave plenty of chinks in the armor for hackers, because most are using outdated or inadequate security.
“Companies are now having to deal with that risk,” Murray said. “Their focus is to keep their employees working, doing things from home — but they can’t control the environment.”
“When they were sitting in the office, your employees had a firewall, they had VPNs, they had systems monitoring traffic and making sure it was filtered properly,” Hadnagy said. “Guess what: Now that guy’s or gal’s whole computer is on their home network, where they may be using a crappy Best Buy router that they never changed the admin password on. Have you given them a firewall? Have you taught them how to help them set up their network securely? Have you taught them what not to do on that work computer? These are things that need to be taught to employees as they go to work from home.”
Hadnagy said Social-Engineer has even started giving organizations free help on how to run properly secured Zoom meetings, because in the rush to remote work, too many are “just throwing technology out there and they’re not helping their employees learn.”
“Think about one of these recent attacks in vishing: A company transferred $5 million [to a cybercriminal posing as a vendor] over three phone calls,” Hadnagy said. “Five million dollars because they called and said, ‘You’re late on this payment … Here’s the wire transfer details’ — Bam. … You’ll never recover that — the bank account’s in some foreign country and they’ve already emptied it. That’s gone forever.”
Murray was taken aback by a “very complex, very credible” attack that targeted his own company as the pandemic unfolded. It started with a letter in the mail from “a city here in the United States that we do business with on a regular basis” — he wouldn’t name it — “and the context of the mail says, ‘On behalf of this city … we’re moving everything online. We’re only going to provide ACH payment through a clearing house, so please fill out all your banking information on the back of this document and then we’re going to do a follow-up phone call with you in a week.’”
Busy, Murray set the letter aside. Then came the phone call, which “sounded credible — but something just wasn’t right.”
Murray started asking questions. The answers didn’t add up.
As his suspicions mounted, he contacted the cybersecurity department for the city the fraudster claimed to be from, and merged the calls. Still, the woman attempting the scam answered increasingly detailed questions.
“For them to stay on the phone for the entire scam was absolutely amazing to me,” Murray said. “The complexity of the scam, the viability of the scam, just amazed me. … I’m a cybersecurity person so it didn’t smell right to me — but what if you are a small business who’s struggling right now to get resources? It would have been very easy for them to fall victim to this type of an attack.”
His advice: If vendors need payments or banking information, contact them directly via a phone number or email address you already know and trust.
And work out a multi-person approval process for transactions above a certain amount — or set up a system that requires a valid purchase order from a manager or a finance officer in your organization before anyone spends any money.
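The two controls above (verify banking changes through a contact you already trust, and require extra sign-off above a spending threshold) can be encoded as a simple payment-policy check. The following Python is an added example written for this article, not code from Murray Security Services or any vendor; the vendor records, the $10,000 threshold, the purchase-order list and the phone numbers are all constructed sample values.

```python
"""Vendor payment-change verification and approval policy (illustrative).

Models the controls the article recommends:
  1. A request to pay a different bank account than the one on file is
     only honoured after a callback to the phone number ALREADY on record,
     never to a number supplied with the request itself.
  2. Every payment needs a valid purchase order.
  3. Payments at or above a threshold need two distinct approvers.
All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value, in dollars


@dataclass(frozen=True)
class Vendor:
    name: str
    trusted_phone: str   # number recorded before any change request arrived
    bank_account: str    # account on file


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str                     # account the requester asks us to pay
    purchase_order: Optional[str] = None
    approvers: List[str] = field(default_factory=list)
    verified_via: Optional[str] = None    # phone number used for the callback


# Constructed vendor master data: the "known and trusted" contact details.
VENDORS: Dict[str, Vendor] = {
    "Example City": Vendor("Example City", "555-0100", "ACCT-ON-FILE-001"),
    "Acme Supplies": Vendor("Acme Supplies", "555-0150", "ACCT-ON-FILE-002"),
}

# Constructed list of purchase orders issued by a manager or finance officer.
VALID_PURCHASE_ORDERS: Set[str] = {"PO-1001", "PO-1002"}


def evaluate(req: PaymentRequest,
             vendors: Dict[str, Vendor] = VENDORS,
             valid_pos: Set[str] = VALID_PURCHASE_ORDERS) -> List[str]:
    """Return the reasons a request must be blocked; an empty list means approved."""
    problems: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["unknown vendor"]

    if req.bank_account != vendor.bank_account:
        # Banking details differ from the record: the vendor-impersonation
        # pattern described in the article. The callback must go to the
        # number on file, not to one printed on the letter or e-mail.
        if req.verified_via != vendor.trusted_phone:
            problems.append("bank account changed and not verified via trusted contact")

    if req.purchase_order not in valid_pos:
        problems.append("no valid purchase order")

    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        problems.append("amount at or above threshold needs two distinct approvers")

    return problems


def is_approved(req: PaymentRequest) -> bool:
    return not evaluate(req)


if __name__ == "__main__":
    # A letter/call asks to redirect payment to a new account and offers
    # its own callback number; the policy rejects it until someone phones
    # the number on file and a second approver signs off.
    suspicious = PaymentRequest("Example City", 25_000, "ACCT-NEW-999",
                                purchase_order="PO-1001", approvers=["alice"],
                                verified_via="555-0199")
    for reason in evaluate(suspicious):
        print("BLOCKED:", reason)
```

The check compares `verified_via` against the phone number already stored for the vendor, which is the point of Murray's advice: the verification channel has to come from your own records, because any number the requester provides will simply connect you back to the scammer.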
“The big issue is to slow down,” Murray said. “Before you do something, take a look at it. Analyze in your head what the risk is if you do this wrong.”
At ftc.gov, the Federal Trade Commission details coronavirus-related public health scams, home test kit scams, family emergency scams, coronavirus relief check scams, business email scams, IT scams, student loan debt relief scams, supply chain scams, robocalls and charity scams.
Cybercriminals are exploiting the spike in unemployment and the flood of information on emergency loan programs for small businesses to get a foothold, Murray said.
“People are scrambling to find jobs, so these scams target individual citizens: ‘We’ll set you up with a job and we’re going to onboard you online. Provide your banking information, because we’re only going to do ACH deposits.’ Only it’s not a real company — and they clean out your bank account,” he explained.
Small businesses are big targets right now, Murray said. With numerous COVID-19 emergency loan programs and relief funds available, they’re trying to understand their options — and cybercriminals are cashing in.
“They’ll say through an email, ‘We’ll make it easy for you to apply — click here and fill this out. What banking information do you want us to send this money to?’ Some of these businesses are now falling victim to these online scams — and whatever resources they may have in their bank are being wiped out. This is absolutely happening now.”
Murray urged businesses to contact their local chamber of commerce, Small Business Development Center or Better Business Bureau for resources and help.
With BBB of Southern Colorado CEO Jonathan Liebert, Murray will lead an online workshop for Pikes Peak SBDC called “Financial & Legal Scams: COVID-19 Cybersecurity Scams & The Impact on Small Business” on Friday, April 17, from 11:30 a.m.-1 p.m.
Pikes Peak SBDC also offers free one-on-one cybersecurity consulting — visit pikespeaksbdc.org/consulting.