Covid-19 brings its own challenges to business, but existing threats do not go away. If anything, some of the established threats may be amplified due to the distractions caused by a major global pandemic. One such area is cyber risk, which we examine.
With huge increases in the number of people working from home, significantly more people will be vulnerable to attempted fraud, and criminals are taking advantage.
Graeme Biggar, Director General of the National Economic Crime Centre, said:
“Criminals are exploiting the Covid-19 pandemic to scam people in a variety of ways and this is only likely to increase. We need individuals and businesses to be fully aware and prepared.”
The vast majority of scams being seen are targeted phishing emails designed to trick people into clicking on a bad link. But what is phishing and how can you protect yourself?
What is phishing?
Phishing usually takes the form of an illegitimate email sent with the express aim of getting you to click on a rogue link. This link will likely download a virus on to your computer or send you to a website designed to capture your personal data or passwords.
These phishing attacks are becoming more sophisticated and it can be almost impossible to differentiate them from the real thing. Whether it is an email from your bank, a switch in your invoicing account details or a government rebate, they look and feel like the real thing.
The latest phishing scams all seem to involve coronavirus in some form or another. By late March the City of London police reported a 400% increase in scams, driven by coronavirus-related scams, and the UK is, far and away, the most targeted country, according to research by cyber-security company Trend Micro, accounting for over 20% of global malicious coronavirus spam.
Some examples include online shopping scams involving in-demand items, such as hand sanitiser and face-masks, fake lockdown fines, HMRC goodwill payments and even an email claiming to be from the World Health Organisation suggesting you download a PDF document with advice on how to stay safe during the outbreak.
So, how do you protect yourself?
Spot the signs
There are some common signs to watch out for:
- Authority – If you get an email claiming to be from your bank, doctor, solicitor or Government department, you should immediately be extra vigilant.
- Urgency – Be wary of responding to anything claiming you must take action within a time period. This is designed to remove the time you would normally take to check the validity of the email. It’s playing on your animal instincts, not your human intellect.
- Emotion – If the email makes you feel strongly about something (panic, anger, joy), there is a chance that it is trying to get you to respond before you have the chance to really scrutinise the logic behind the claims. The recent text message scam suggesting you’ve been fined for going outside is, when you’ve had the chance to calm down, clearly ludicrous. But it can make you angry and stop you thinking straight.
- Scarcity – Fear of missing out on a good deal or opportunity can make you respond quickly, so watch out for emails claiming ‘last few remaining’. Scammers often exploit news stories and big events to make their scam more relevant.
We have got used to using two-step authentication nowadays. This is where you sign in to a website and a code is then sent to your phone to confirm it is definitely you trying to log in.
So, do the same in reverse. When you receive an email or text from a company, call the company and check it’s really them sending it to you. It should be the same when you get a message from a friend, either by email, text or social media. Call them to check it’s genuine.
Scammers can often hack a company’s email account but won’t do anything immediately. Instead they will watch the emails being sent and received and wait for the opportune time to strike. Usually this will revolve around invoicing: they wait until an invoice is sent and then either send a new email from the correct account with new bank account details or issue a new invoice entirely with the alternative bank account details, hoping the customer will make payment without thought.
What to do if you’ve already clicked
- If you’re on a work computer, let your IT department know. Don’t try to hide it.
- If you’ve given out your bank or other professional account details, contact the provider immediately and let them know. They can often put a freeze on any transactions before the scammer gets the chance to take advantage.
- If you have had money removed from your bank illegally, this is a crime. Make sure you have alerted your bank, but also report it via Action Fraud, either online or over the phone on 0300 123 2040.
- Run your antivirus on your computer to see if it can find any malware or viruses.
- If you’ve given away passwords, change them immediately. Consider using a secure password generator in the future.
Don’t be an easy target
We’re making criminals’ lives much easier by regularly giving away our most personal information. This can then be used against us to make a scam appear authentic. In the worst-case scenarios, we give away enough information for fraudsters to access our accounts without further involvement.
- Review your privacy settings on social media. Do you have to share everything publicly?
- Check to make sure friend requests are genuine. Some fake profiles are designed to make you ‘Add friend’ when the real person is not even on social media.
- Don’t post when you’re on holiday: you’re publicising that your home is empty.
- Flag suspicious emails by marking them as spam.
- Keep up to date. Make sure your computer is regularly updated and you have up-to-date antivirus software completing full scans periodically.
Cyber insurance is now an essential protector for most businesses against many types of loss you may incur. As well as the phishing scenarios discussed above, the increased risk of data leakage from employees working from home must be recognised, managed and insured if required. A cyber insurance policy will help you in this area.
If you would like any help with cyber risk and insurance, please contact your Account Executive.