The coronavirus (COVID-19) pandemic is changing our lives. People are concerned, and with that concern comes a desire for information, safety and support. Organised crime groups are exploiting the fear, uncertainty and doubt which the coronavirus pandemic brings to target individuals and businesses in a variety of ways.
The threat
Since mid-February, KPMG member firms have seen the rapid build-out of infrastructure by cyber criminals used to launch coronavirus themed spear-phishing attacks and to lure people to fake websites seeking to collect Office 365 credentials.
Examples of campaigns mounted include:
- Coronavirus themed phishing emails attaching malicious Microsoft documents which exploit a known Microsoft vulnerability to run malicious code.
- Coronavirus themed phishing emails attaching macro-enabled Microsoft word documents containing health information which trigger the download of Emotet or Trickbot malware.
- Multiple phishing emails luring users to fake copies of the Centre for Disease Control (CDC) website which solicit user credentials and passwords.
- A selection of phony customer advisories purporting to provide customers with updates on service disruption due to Coronavirus and leading to malware download.
- Phishing emails purporting to come from the World Health Organisation, government authorities, and legitimate businesses (including travel agents and telcos) directing precautionary measures, again embedding malware.
- Coronavirus tax rebate phishing lures encouraging recipients to browse to a fake website that collects financial and tax information from unsuspecting users.
Many existing organised crime groups have changed their tactics to use coronavirus related materials on health updates, fake cures, fiscal packages, emergency benefits and supply shortages.
Typical giveaways that an email may be suspect include:
- poor grammar, punctuation and spelling
- the design and quality of the email aren’t what you would expect
- not addressed to you by name but uses terms such as “Dear colleague,” “Dear friend” or “Dear customer”
- includes a veiled threat or a false sense of urgency
- directly solicits personal or financial information.
Of course if it sounds too good to be true, it probably is.
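The giveaways above can be turned into a first-pass triage rule for inbound mail. The script below is an added example, not KPMG code: it scores a message against the generic salutation, false urgency, data solicitation and coronavirus-theme signals, and separately flags links whose host borrows a brand name (CDC, WHO, Office 365) without being that brand's real domain, as with the fake CDC sites described earlier. The weights, threshold, allow-list of official domains and sample messages are all constructed assumptions.

```python
"""Triage inbound mail against the giveaways listed in the advisory.
Added example, not KPMG code; weights, threshold and sample mails are constructed."""
import re
from urllib.parse import urlparse

# Domains that legitimately own each brand keyword (assumed allow-list for the example).
OFFICIAL_DOMAINS = {"cdc": ("cdc.gov",), "who": ("who.int",), "office365": ("microsoft.com", "office.com")}

# (reason, weight, pattern). Weights are assumptions: one signal alone stays below the
# threshold, but a solicitation plus any other giveaway crosses it.
TEXT_RULES = [
    ("generic salutation", 2, re.compile(r"^\s*dear\s+(colleague|friend|customer|user)\b", re.I | re.M)),
    ("false urgency", 2, re.compile(r"\b(immediately|urgent(?:ly)?|within 24 hours|will be suspended|final notice)\b", re.I)),
    ("solicits personal or financial data", 3, re.compile(r"\b(password|verify your (?:account|identity)|bank details|tax (?:rebate|refund)|card number)\b", re.I)),
    ("coronavirus theme", 1, re.compile(r"\b(coronavirus|covid-?19)\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
THRESHOLD = 4  # assumed: score at or above this means hold the message for review

def lookalike_hosts(body):
    """Return link hosts that mention a brand keyword but are not that brand's real domain."""
    found = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        for keyword, official in OFFICIAL_DOMAINS.items():
            # Coarse substring check: good enough to catch 'cdc-covid19-relief' style hosts.
            if keyword in host and not any(host == d or host.endswith("." + d) for d in official):
                found.append(host)
    return found

def score_email(subject, body):
    """Return (score, reasons) for one message; each text rule counts at most once."""
    text = subject + "\n" + body
    score, reasons = 0, []
    for reason, weight, pattern in TEXT_RULES:
        if pattern.search(text):
            score += weight
            reasons.append(reason)
    hosts = lookalike_hosts(body)
    if hosts:
        score += 3
        reasons.append("lookalike link: " + ", ".join(hosts))
    return score, reasons

def is_suspect(subject, body):
    return score_email(subject, body)[0] >= THRESHOLD

# Constructed sample messages so the script runs stand-alone.
PHISH = ("Urgent: Coronavirus tax rebate",
         "Dear customer,\nClaim your tax rebate immediately at http://cdc-covid19-relief.example.net/claim "
         "and verify your account password.")
LEGIT = ("Team update on remote working",
         "Hi Alice,\nThe IT helpline hours are on the intranet. Reply here if you have questions.\nBob")

if __name__ == "__main__":
    for subj, body in (PHISH, LEGIT):
        print(subj, "->", score_email(subj, body))
```

Grammar and spelling quality, the first giveaway on the list, is deliberately left to the human reviewer the score routes the message to.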
The response
There are some key steps you should take to reduce the risk to your organisation and your employees, particularly as you move to remote working:
- Raise awareness among your team warning them of the heightened risk of coronavirus themed phishing attacks.
- Share definitive sources of advice on how to stay safe and provide regular communications on the approach your organisation is taking to the coronavirus pandemic.
- Make sure you set up strong passwords, and preferably two-factor authentication, for all remote access accounts; particularly for Office 365 access.
- Provide remote workers with straightforward guidance on how to use remote working solutions, including how to make sure they remain secure and tips on how to identify potential phishing attacks.
- Ensure that all provided laptops have up-to-date anti-virus and firewall software.
- Run a helpline or online chat line which they can easily access for advice, or report any security concerns including potential phishing.
- Encrypt data at rest on laptops used for remote working given the risk of theft.
- Disable USB drives to avoid the risk of malware, offering employees an alternate way of transferring data such as a collaboration tool.
Also, make sure that your finance processes require finance teams to confirm any requests for large payments during the coronavirus pandemic. This confirmation can help to guard against the increased risk of business email compromise and CEO fraud. Ideally, use a different channel such as phoning or texting to confirm an email request.
Ensure that you apply critical security patches and update firewalls and anti-virus software across your IT estate, including any laptops in use for remote working. You should expect organised crime groups to exploit any failures in the maintenance of IT systems during this pandemic.
Make certain that you back up all critical systems and validate the integrity of backups, ideally arranging for offline storage of backups regularly. Expect an increased risk of ransomware during the Coronavirus pandemic as organised crime groups exploit COVID-19 themed phishing.
Lastly, work with your incident and crisis management team to ensure your organisation has an alternate audio and video conferencing environment available. This alternate platform will be needed if you do have a ransomware incident that disrupts your IT systems, and it will also provide additional redundancy if your primary conferencing provider has capacity or availability issues.
Coronavirus will drive significant changes in how you and your organisation work, stay safe and stay secure. If you have any questions or would like additional advice, please contact us.
You can download the COVID-19: Staying cyber secure PDF online.
Bryan Beesley
Associate Director, Advisory
KPMG Crown Dependencies