Criminals wasted no time in taking advantage of the panic created by the COVID-19 pandemic. AFP’s new Payments Guide provides an in-depth look at how fraudsters have adapted their tactics to the current, remote working environment and what you can do to thwart their efforts.

COMMON SCHEMES

The Department of Justice provided a detailed list of common fraud schemes that have been recently been identified. Among the most potentially dangerous scams for companies are phishing emails that appear to come from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO) and similar organizations. The emails claim to offer information on the virus and ask the recipient to click on a link or open an attachment.

Additionally, fraudsters are sending phishing emails requesting that the recipient verify personal information in order to receive an economic stimulus check. In actuality, the government is not sending unsolicited emails requesting personal information to receive stimulus money.

The FBI and the Internet Crime Complaint Center (IC3) have also identified phishing emails that claim to be related to charitable contributions, general financial relief, airline carrier refunds, fake cures and vaccines, and fake testing kits. Although many of these scams are targeted at individuals, clicking on a bad link can have major repercussions in a remote working environment. If you're using your work computer when you fall for any of these scams, or if you occasionally use your personal device for anything work-related, you can open your entire organization up to criminal activity.

Some of the schemes have been even more elaborate. In March, cybersecurity blogger Brian Krebs reported that a member of a Russian cybercrime forum began selling a digital infection kit that includes a Johns Hopkins University interactive map of coronavirus infections and deaths. The map uses real-time data from WHO and other sources to fool people into thinking that it is legitimate. "[T]hey will open it and will spread it to their friends and it goes viral!" the user wrote on the forum.

In early May, the Financial Industry Regulatory Authority (FINRA) issued a notice about fraudulent activity that has been increasing throughout the pandemic crisis. “In addition to new scams focusing on COVID-19, previous scams may also find new life as fraudsters adapt to and exploit recent events and related vulnerabilities, especially those related to the remote working environment,” the organization said.

FINRA warned that the remote working environment may increase fraudsters' ability to impersonate broker-dealers when communicating with customers, even going so far as to create fake online presences and websites. Fraudsters may seek customers' account information, or trick them into transferring funds. These criminals will also attempt to dissuade customers from calling the actual broker-dealer firm by warning them of long wait times.

The current environment may also increase opportunities for social engineering around IT help desks, FINRA noted. In one type of attack, fraudsters reach out to the help desk, posing as a legitimate contact and request a password reset. Within the conversation, the criminal will attempt to get the IT staff member to reveal information about the firm's business operations. Another form of this attack involves fraudsters posing as a member of the help desk team itself and contacting associated individuals to steal user credentials or infect the users' systems with malware. These types of social engineering schemes are not limited to financial firms and can be easily used against corporates.

“Fraudsters will use headline issues that the media is all over at any point in time, whether it be COVID or hurricane relief or any of these issues that are a national headline,” said Brad Deflin, CEO and founder of Total Digital Security and frequent speaker at AFP events. “They will use it as bait, because it looks familiar to the user. And when things look familiar, it tends to add an element of credibility.”

BEC IN THE COVID-19 WORLD

The coronavirus environment has made business email compromise (BEC) scams even easier to execute. FINRA identified a new variant of BEC in the remote working environment—gift card procurement scam. Posing as a manager or executive, a fraudster will email a subordinate with an urgent request for them to secretly purchase gift cards as motivational awards or surprise gifts for staff. FINRA advises companies to monitor for potential red flags, such as requests arriving and unusual times of day, emails using atypical language or greetings, etc.   

But some of those telltale signs that BEC scam experts can spot a mile away aren’t so frequent anymore. Fraudsters have honed their craft and gotten much, much better and impersonating actual senders. That’s why it’s critical to continue to pick up the phone and directly confirm with that manager or executive before moving any money.

“Emails are looking more legitimate, whether it be around COVID prevention, or equipment websites that are being created to look very legitimate, mimicking the CDC and WHO,” Deflin noted. “Without a sharp eye, you might think was the real thing.”

Ultimately, it comes down to an understanding of authentication. The recipient has to view every email with the mindset that what they’re looking at is not authentic. “It’s guilty until proven innocent,” Deflin added. “And so we as the employee, as the user, as the individual, need to have some practices to go through some sort of an authentication process, whether it be an incoming email or invoice or a website.”

DMARC POLICIES

One of the best protections that companies can implement are Domain-based Message Authentication, Reporting and Conformance (DMARC) policies. These are highly effective email authentication protocols that protect domains from being susceptible to email spoofing, which is often how BEC scams begin.

Spoofed emails can be very hard to identify under normal circumstances because the scams have become so sophisticated. When BEC scams were in their infancy, spoofing wasn’t difficult to spot to the untrained eye; often the sender’s name would be spelled slightly differently or the domains would be one character off (for example, a lower-case “l” may be changed to a “1” or a capital “i”). But modern spoofed emails will have the actual email sender's username and domain, and a header that can easily be perceived as being authentic.

Through a DMARC policy, a sender's domain will indicate whether their emails are protected by Sender Policy Framework (SPF) and/or Domain Keys Identified Message (DKIM). If the message then does not pass those authentication protocols, it tells the receiver whether to reject the message or send it to junk.

“Unfortunately, many companies have still not instituted DMARC policies,” Deflin said. “And I think probably even more companies have probably not gone through an appropriate level of training and awareness, whether it be in treasury or any place else, to understand the nature of authentication and the tools and practices that can be used to authenticate what they're looking at to decide their next actions.”

For further insights, download the new AFP Payments Guide, Combating Fraud in a Remote Working Environment, underwritten by MUFG Union Bank.