The ongoing strains on technology and on individuals amid COVID-19 continue to make this a prime environment for criminals to exploit. As previously discussed in our March 20 and April 1 alerts, paying extra attention to cybersecurity best practices is an absolute necessity at this time.
Ransomware Threats for Critical Response Businesses
In addition to the plethora of COVID-19-related scams the FBI is already tracking, international law enforcement agency Interpol reported over the weekend that it has identified “a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in virus response.” As a result, Interpol issued a notice of a “heightened” threat of ransomware, especially for health care providers. Microsoft has also joined in this warning, alerting dozens of health care providers last week to potential vulnerabilities in their data security infrastructure.
Even before the crisis, ransomware incidents had surged over the past two years. With the advent and increased prevalence of cryptocurrency such as Bitcoin, cybercriminals have an easy and essentially untraceable currency in which to collect ransoms, one that allows them to avoid the risk of having to deal with traditional bank transfers.
Ransomware comes in a variety of forms, the most common of which encrypts the victim’s data and withholds the “code” (encryption key) that unlocks it until the ransom is paid, leaving the business unable to access its data in the meantime. New variations of ransomware are even more nefarious, not only encrypting data, but extracting it. This gives criminals even more leverage to secure the ransom because, even if you have back-up systems that can restore the encrypted data, if you don’t pay, criminals can threaten to sell the protected data or simply release it online.
As with other forms of malware, the best protection against most ransomware attacks is vigilance and clear direction to employees. Remind employees not to click on links in unsolicited or questionable emails and to avoid questionable websites. This message should be delivered with particular emphasis while employees are working remotely and may have greater access to websites that would otherwise be restricted on work networks. Training on how to properly access work networks remotely is also vital. Employees should be given explicit instruction on when and how to enter credentials to access remote environments. Importantly, the message that credentials must only be provided as explicitly directed has to be delivered clearly and repeatedly.
FBI Warns of Increased Work-From-Home and Charity Schemes
Yesterday, the FBI posted an article warning of “money mule” scams in which criminals are using unsuspecting victims to move illicit funds. In particular, the FBI is warning people to watch out for online job postings and emails from individuals promising quick and easy money for little to no effort. Some of the common red flags associated with the scams include:
- The “employer” you communicate with uses web-based services such as Gmail, Yahoo, Hotmail, Outlook, etc.
- You’re asked to receive funds in your personal bank account and then “process” or “transfer” funds via wire transfer, ACH, mail, or money service businesses such as Western Union or MoneyGram
- You’re asked to open bank accounts in your name for a business
- You’re told to keep a portion of the money you transfer
Along the same lines, the FBI noted it has seen an uptick in scams involving emails, private messages, and phone calls from individuals who claim to be located abroad and in need of financial support. Criminals use these scams to try to gain access to US bank accounts to move fraud proceeds from victims to the criminals’ bank accounts. Common fictitious scenarios include:
- Individuals claiming to be US service members stationed overseas asking you to send or receive money on behalf of themselves or a loved one battling COVID-19
- Individuals claiming to be US citizens working abroad asking you to send or receive money on behalf of themselves or a loved one battling COVID-19
- Individuals claiming to be US citizens quarantined abroad asking you to send or receive money on behalf of themselves or a loved one battling COVID-19
- Individuals claiming to be in the medical equipment business asking you to send or receive money on their behalf
- Individuals affiliated with a charitable organization asking you to send or receive money on their behalf
Business Email Compromise Scams
Business email compromise (BEC) scams come in a wide variety of forms, but the common factor is targeting employees who are responsible for paying legitimate expenses and invoices, including accounts payable employees, accounting department employees, and administrative assistants who pay bills. Cybercriminals can either use social engineering tactics or hacking to identify appropriate individuals and transactions to target for these scams.
The FBI has noted a recent increase in BEC scams targeting victims, especially municipalities, that are attempting to purchase personal protective equipment as well as medical and other supplies needed in the fight against COVID-19.
The typical BEC scheme involves the victim receiving an email that appears to be from a legitimate vendor, supplier, or other business partner requesting payment for an invoice or transaction. The email could be from a “spoofed” email account: an account that looks very much like the legitimate email address but contains minor differences such as extra letters or slight misspellings that aren’t readily noticeable on a quick review. The key factor to look for in these scams is a request that the funds be sent to a new account or one that otherwise alters standard payment practices. There’s typically some sort of urgency expressed in the email, for example: “we need immediate payment of this invoice; otherwise, the delivery of supplies will be significantly delayed.”
The FBI noted the following recent examples of BEC scam attempts related to COVID-19:
- A financial institution received an email from the alleged CEO of a company who had previously scheduled a transfer of $1 million requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address, with only one letter changed.
- A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.
The FBI noted the following red flags that signal BEC scams:
- Unexplained urgency
- Last-minute changes in wire instructions or recipient account information
- Last-minute changes in established communication platforms or email account addresses
- Communications only in email and refusal to communicate via telephone or online voice or video platforms
- Requests for advance payment of services when not previously required
- Requests from employees to change direct deposit information
The FBI also recommends the following tips to help protect against BEC scams:
- Be skeptical of last-minute changes in wiring instructions or recipient account information.
- Verify any changes and information via the contact on file; don’t contact the vendor through the number provided in the email.
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.
If you need assistance because you believe your own or your company’s information has been compromised as a result of one of these scams or if you’d like to discuss how to best protect your business from these scams, Barclay Damon’s cybersecurity attorneys are available to help.
If you have any questions regarding the content of this alert, please contact Nick DiCesare, Cybersecurity Team leader, at ndicesare@barclaydamon.com or another member of the firm’s Cybersecurity Team.
We also have a specific team of Barclay Damon attorneys who are actively working on assessing regulatory, legislative, and other governmental updates on non-trademark-related COVID-19 matters and who are prepared to assist clients. You can reach our COVID-19 Response Team at COVID-19ResponseTeam@barclaydamon.com.