“Follow the money.”
The Watergate-era adage still holds true today in describing the nature and M.O. of cybercriminals who target large government relief packages in times of national emergencies. For certain, the process is ripe for compromises. With $350 billion in loans (and possibly more to come) on the table, we’ve already seen the exposure of personally identifiable information (PII) of some Small Business Administration (SBA) loan applicants seeking COVID-19 relief. The businesses were attempting to qualify for Economic Injury Disaster Loan advances of up to $10,000.
If history has taught us anything, it’s clear that criminals go where the money flows, as we see every year with Black Friday/Cyber Monday, tax time, and other high-profile seasons. Fraudsters are also known to leverage major economic relief efforts, such as Congress and the Obama administration’s response to the Great Recession, in which scammers reached out to consumers on the web and via phishing emails, saying they could qualify them for payments from the last 2009 stimulus package if the consumers would give them their bank account information. With this, the scammers drained the bank accounts of the consumers’ money and disappeared. There were also “click here to qualify for funds” malware links sent, as well as requests for a small payment (such as $1.99) to receive a list of stimulus grants that the victims could apply for, resulting in the theft of credit card accounts.
Midmarket business owners and managers believing “this probably wouldn’t happen to us” because “attackers only go after large enterprises” should think again. Two-thirds of smaller-sized companies experienced an attack in the past 12 months, up from 61% in 2017, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. The average cost of these incidents (combining damage, theft of IT assets and infrastructure, and disruptions) amounted to $3.14 million in 2019, up from $2.23 million in 2017.
So, as a business executive or owner, how do you know whether cybercriminals are possibly targeting you through a COVID-19 or SBA relief-based scheme? It would likely involve a phishing or social engineering attempt, which accounts for the most common type of attack in the Ponemon report, as experienced by 53% of these companies. (Web-based attacks ranked No. 2, as experienced by 50%.) If you receive an email asking you to do something that a legitimate loan officer would never request — the transfer of money, the disclosure of PII, bank account, credit card information, etc. — then, you should consider the email of a red flag-level, highly suspicious nature.
Similarly, if the email comes from an unfamiliar party requiring that you immediately click on an attachment or link to “receive thousands of dollars now!” you should exercise the most vigilant caution by not clicking on anything.
To offer additional guidance, we recommend the following time-tested cyber hygiene practices to help you and your staffers avoid COVID-19 relief fraud, as well as attacks in general year-round:
Raise awareness. You’d be surprised at how much you and your employees may not know about the latest attack methods. Fortunately, companies including Pondurance provide security awareness training, and trusted organizations like the National Cyber Security Alliance aggregate COVID-19 resources from the security community, including free reference guides and training materials.
Establish multiple points in the loan application process. By putting in place a system of checks and balances overseen by you and others in the company, you will greatly reduce the risk of triggering an attack based upon one employee’s mistake. Designate multiple points of review or approval for loan application processes, so there are more cautionary eyes involved to flag potential fraud.
Verify senders of information. Bad guys will frequently pose as fellow employees on an email to trick a recipient into clicking on a malware-infected link or PDF or disclosing PII, bank, or credit card information. This is where smaller enterprises can actually have certain advantages over their larger counterparts. Because these workplaces are much more close-knit, it’s easy to verify that employees or senders are who they say they are by simply calling them (or walking over to their desk) and asking if they sent the email.
If the fraudster is posing as an outside party, you can verify or expose the person through a few simple steps. If the fraudster calls you on the phone using a spoofed number identified on your screen as your bank, ask for the caller’s name, hang up, and call your bank to confirm that the caller works there. Whether the fraudster reached out to you by phone or email, you can ask to schedule a web conference to go over loan details. The fraudster will likely be extremely reluctant to meet face to face and will probably move on to the next intended victim on the list. In other words, educate yourself and your staff and put the best cyber hygiene practices in play so your SMB doesn’t emerge as low-hanging fruit. At Pondurance, we can help you develop these practices while providing a proven Threat Hunting and Response platform (TH+R). TH+R harnesses the experience of our expert analysts to combine the latest technology, authentic intelligence, and expertise to stay one step ahead of attackers and protect your digital assets. If you’d like to know more about what we can do for you, please contact us.