Dramatic rise in COVID-19 related cyber attacks and frauds

Author
Neil Clarke
Director of Cyber Security | KPMG
22nd April 2020

At KPMG we are warning clients of a dramatic rise in COVID-19 related cyber attacks and frauds.

Right now, attacks are primarily of three types: phishing scams preying on people’s concerns about the virus; hacks that exploit the IT vulnerabilities associated with the rapid, large-scale adoption of remote access for homeworking; and payment re-direct fraud, targeting the large and rapid changes in organisations' supply chains.

The region’s businesses and organisations are at significantly greater risk of such incidents at the moment due to an increase in attempts by organised criminal gangs to exploit the uncertainty and change, sometimes with limited control, that COVID-19 has brought.

Many cyber criminals have changed their tactics to use COVID-19 related materials on health updates, fake cures, fiscal packages, emergency benefits, supplies and suppliers.

The lockdown in human terms has triggered the opposite requirement from systems in some cases, which have had to open up to a greater extent than ever before to facilitate a significant and rapid rise in home working.

As the region’s workforce copes with new ways of working and using technology, IT systems and processes, including some security protocols, are also being altered. The human, process and the infrastructure elements of a business may be more vulnerable to cyber crime during this time.

At this time, just as many businesses are consolidating their financial position, the last thing that business directors, already focused on multiple challenges, want to fly onto their agenda is a fraud or a hack.

High-level tips for reducing cyber risk

Social engineering is often used, making people the weak point. Raise the workforce’s awareness levels, letting them know it’s a time of heightened risk. Don’t just rely on annual training; freshly educate the workforce to be vigilant to suspicious activity, looking for the usual giveaways of a phishing email in a work context.

Look out for:

• poor email quality in terms of grammar, spelling and design;

• not addressed by name but uses terms such as “Dear colleague,” “Dear friend” or “Dear customer”;

• includes a veiled threat or a false sense of urgency;

• directly solicits personal or financial information;

• unexpected attachments that play on individuals' curiosity and may appear confidential in nature - 'staff bonuses', 'holiday entitlements', 'staff to be furloughed', 'Covid-19 redundancy plans';

• includes a link to a website asking you to change something; and

• of course, if it sounds too good to be true, it probably is.
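The indicators listed above can be turned into a first-pass triage check that a security or helpdesk team runs over reported emails before a person looks at them. The following is an added example written for this page, not KPMG's tooling: it scores a message against the giveaways named in the list (generic salutation, urgency, solicitation of credentials or financial details, lure-style attachment names, a link whose visible text points at a different host than its real target, and a link-plus-"change something" request). The phrase lists, the two sample emails and the scoring threshold are constructed assumptions; grammar and design quality, the first indicator, are left to the human reviewer because they are hard to judge mechanically.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed phrase lists standing in for each indicator in the article's "Look out for" list.
GENERIC_GREETINGS = ("dear colleague", "dear friend", "dear customer", "dear user")
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "urgent", "final notice", "act now")
SOLICIT_PHRASES = ("password", "bank details", "account number", "verify your", "confirm your")
LURE_ATTACHMENTS = ("bonus", "furlough", "redundancy", "holiday entitlement", "payroll")
CHANGE_PHRASES = ("update your", "change your", "reset your", "click the link", "link below")

# Visible link text that looks like a URL or bare domain, e.g. "portal.example.com/login".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


@dataclass
class Email:
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)
    # (visible anchor text, actual href) pairs as a mail client would extract them
    links: list[tuple[str, str]] = field(default_factory=list)


def _host(url: str) -> str | None:
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def score_email(email: Email) -> dict:
    """Score one email against the phishing indicators; returns sorted indicator names and a verdict."""
    text = f"{email.subject}\n{email.body}".lower()
    indicators: set[str] = set()

    if any(g in text for g in GENERIC_GREETINGS):
        indicators.add("generic_greeting")
    if any(u in text for u in URGENCY_PHRASES):
        indicators.add("urgency")
    if any(s in text for s in SOLICIT_PHRASES):
        indicators.add("solicits_credentials")
    if any(any(lure in name.lower() for lure in LURE_ATTACHMENTS) for name in email.attachments):
        indicators.add("lure_attachment")

    for display, href in email.links:
        display = display.strip()
        # Only compare hosts when the visible text itself looks like a URL; "click here" cannot mismatch.
        if URL_LIKE.fullmatch(display) and _host(display) != _host(href):
            indicators.add("mismatched_link")
    if email.links and any(c in text for c in CHANGE_PHRASES):
        indicators.add("change_request_link")

    # Constructed threshold: two or more independent indicators is enough to route to the security team.
    if len(indicators) >= 2:
        verdict = "suspicious"
    elif indicators:
        verdict = "review"
    else:
        verdict = "likely benign"
    return {"indicators": sorted(indicators), "verdict": verdict}


# Constructed samples; neither is a real message.
PHISHING_SAMPLE = Email(
    subject="URGENT: Confirm your furlough status",
    body=(
        "Dear colleague,\n\nDue to COVID-19 your account will be suspended within 24 hours "
        "unless you verify your password at the link below. The plan is attached.\n"
    ),
    attachments=["Covid-19 redundancy plans.xlsm"],
    links=[("https://portal.example-corp.com/login", "http://example-corp-login.evil.test/verify")],
)

BENIGN_SAMPLE = Email(
    subject="Team meeting moved to 3pm",
    body="Hi Sam,\n\nThe weekly project meeting has moved to 3pm on Thursday. The agenda is in the calendar invite.\n\nThanks,\nPriya",
)

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(sample.subject, "->", score_email(sample))
```

The check is deliberately a triage aid rather than a filter: a low score does not clear a message, and a high score is a prompt to use the helpline or reporting route described below rather than to act on the email.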

Consider: 

• Run a helpline or online chat line that staff can easily access for advice or to report any security concerns including potential phishing;

• Make sure strong passwords are set up, and preferably two-factor authentication (2FA), for all remote access accounts; particularly for Office 365 access;

• Ensure that critical security patches are applied and update firewalls and anti-virus software across the IT estate, including any laptops in use for remote working;

• If you employ a third party IT provider, check their financial resilience at this stage and their own approach to some of the points discussed here;

• Disable USB drives to avoid the risk of malware, offer employees an alternate way of transferring data such as a collaboration tool;

• Ensure that finance processes require finance teams to confirm any request for a large payment 'out of band', i.e. through a channel other than the one the request arrived by: if the request came by email, pick up the phone, but do not use any contact details given in the originating email. This helps guard against the increased risk of business email compromise and related frauds;

• Back-up all critical systems and validate the integrity of backups, ideally arranging for off-line storage of backups regularly;

• Ensure the organisation has an alternate audio and video conferencing environment available. This could be needed if a ransomware incident disrupts IT systems and also offers another option if the primary conferencing provider has capacity or availability issues;

• Consider how at some point you will review any system changes made at pace to gain confidence in the controls around them - people, process and technology; and

• Hope for the best, plan for the worst - consider running an internal exercise to 'war game' your business response to losing finances, information and/or system availability due to an incident.

More information

If you’re looking for further insight and guidance, as a team we regularly update information on threats and good practice here
