“Follow the money.”
The Watergate-era adage still describes the nature and M.O. of cyber criminals who target large government relief packages during national emergencies. Certainly, the process is ripe for compromise: with $350 billion in loans on the table (and possibly more to come), we have already seen the exposure of personally identifiable information (PII) of some Small Business Administration (SBA) loan applicants seeking COVID-19 relief. The businesses were attempting to qualify for Economic Injury Disaster Loan advances of up to $10,000.
If history has taught us anything, it is that criminals go where the money flows, as we see every year with Black Friday/Cyber Monday, tax time and other high-profile seasons. Fraudsters are also known to exploit major economic relief efforts. During Congress and the Obama Administration’s response to the Great Recession, scammers reached out to consumers on the Web and via phishing e-mails claiming they could qualify them for payments from the 2009 stimulus package, if the consumers (the victims) would hand over their bank account information. With that information, the scammers drained the consumers’ bank accounts and disappeared. There were also “click here to qualify for funds” malware links, as well as requests for a small payment (such as $1.99) to receive a list of stimulus grants the victims could apply for, resulting in the theft of credit card accounts.
Mid-market business owners and managers who believe “this probably wouldn’t happen to us” because “attackers only go after large enterprises” should think again: two-thirds of smaller-sized companies experienced an attack in the past 12 months, up from 61 percent in 2017, according to the Ponemon Institute’s “2019 Global State of Cybersecurity in Small and Medium-Sized Businesses” report. The average cost of these incidents (combining damage, theft of IT assets/infrastructure and disruptions) amounted to $3.14 million in 2019, up from $2.23 million in 2017.
So, as a business executive or owner, how do you know whether cyber criminals may be targeting you through a COVID-19 or SBA relief-based scheme? It would likely involve a phishing/social engineering attempt, the most common type of attack in the Ponemon report, experienced by 53 percent of these companies. (Web-based attacks ranked #2, experienced by 50 percent.) If you receive an email asking you to do something a legitimate loan officer would never request (transfer money, disclose PII, bank account or credit card information, etc.), treat the email as a red flag and highly suspicious.
Similarly, if the email comes from an unfamiliar party requiring that you “immediately” click on an attachment or link to “receive thousands of dollars now!,” exercise the utmost caution and click on nothing.
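As an added example (not from the original post), the red flags above can be turned into a simple screening rule: a message is flagged outright when it asks for money or PII/banking details, and marked suspicious when several lesser indicators (urgency, “thousands of dollars now,” a relief lure, a click request, an unfamiliar sender) stack up. The patterns, the trusted-domain list and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristics follow the article's red flags: a legitimate loan officer never
# asks for money transfers or PII/bank/card details, and unfamiliar senders
# pressing you to "immediately" click for "thousands of dollars now" are
# suspect. Patterns and sample messages below are constructed for this example.
RED_FLAGS = {
    "requests_money_transfer": r"\b(wire|transfer|send)\b[^.]{0,40}\b(money|funds|fee|payment)\b",
    "requests_pii_or_banking": r"\b(ssn|social security|routing number|account number|credit card|date of birth)\b",
    "urgency_pressure": r"\b(immediately|urgent|act now|within 24 hours|today only)\b",
    "too_good_to_be_true": r"\b(receive|claim|get)\b[^.]{0,40}\b(thousands|\$\d[\d,]*)\b[^.]{0,20}\bnow\b",
    "relief_lure": r"\b(sba|covid|stimulus|economic injury|relief|grant)\b",
    "click_or_open": r"\b(click here|click the link|open the attach\w*|download)\b",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in RED_FLAGS.items()}

@dataclass
class Assessment:
    verdict: str                        # "red flag", "suspicious" or "no flags"
    flags: list = field(default_factory=list)

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: value such as 'Loans <x@lender.example>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def assess_email(from_header: str, body: str, trusted_domains: set) -> Assessment:
    """Score one message; trusted_domains is the recipient's own list of the
    lenders and agencies it already does business with (constructed here)."""
    flags = [name for name, rx in COMPILED.items() if rx.search(body)]
    if sender_domain(from_header) not in trusted_domains:
        flags.append("unfamiliar_sender")
    # Asking for money or PII/banking data is disqualifying on its own;
    # otherwise two or more lesser indicators together warrant a second look.
    hard = {"requests_money_transfer", "requests_pii_or_banking"}
    if hard & set(flags):
        verdict = "red flag"
    elif len(flags) >= 2:
        verdict = "suspicious"
    else:
        verdict = "no flags"
    return Assessment(verdict, flags)

if __name__ == "__main__":
    # Constructed samples: a relief lure and a benign notice from a known lender.
    lure = ("Your COVID-19 relief advance is approved. Reply immediately with your "
            "routing number and account number, then click here to receive thousands of dollars now!")
    notice = "Your application status has been updated. Log in to the portal you registered with to view details."
    trusted = {"examplebank.com"}
    print(assess_email("SBA Relief <loans@sba-relief.example>", lure, trusted))
    print(assess_email("Loans <noreply@examplebank.com>", notice, trusted))
```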
To offer additional guidance, we recommend the following time-tested “cyber hygiene” practices to help you and your staff avoid COVID-19 relief fraud, as well as attacks in general year-round:
Raise awareness. You may be surprised at how much you and your employees do not know about the latest attack methods. Fortunately, companies including Pondurance provide security awareness training, and trusted organizations like the National Cyber Security Alliance aggregate COVID-19 resources from the security community, including free reference guides and training materials.
Establish multiple points in the loan application process. By putting in place a system of checks and balances overseen by yourself and others in the company, you greatly reduce the risk that a single employee’s mistake triggers a successful attack. Designate multiple points of review/approval in the loan application process, so that more cautionary “eyes” are involved to flag potential fraud.
Verify senders of information. Bad guys frequently pose as fellow employees in an email to trick the recipient into clicking on a malware-infected link or PDF, or into disclosing PII/bank/credit card information. This is where smaller enterprises can actually have an advantage over their larger counterparts: because these workplaces are much more close-knit, it is easy to verify that employees/senders are who they say they are by simply calling them (or walking over to their desk) and asking whether they sent the email.
If the fraudster is posing as an outside party, you can verify or expose them with these steps: if they call from a spoofed number that your phone displays as your bank’s, ask for the caller’s name, hang up, and call your bank directly to confirm that the caller works there. Whether they reach out by phone or email, you can ask to schedule a web conference to go over the loan details. They would likely be extremely reluctant to show their faces, and will probably move on to the next intended victim on their list.
In other words: educate yourself and your staff and put best cyber hygiene practices in play so your SMB does not become low-hanging fruit. At Pondurance, we can help you develop these practices while providing a proven Threat Hunting + Response (TH+R) platform. TH+R harnesses the experience of our expert analysts, combining the latest technology, authentic intelligence and expertise to stay one step ahead of attackers and protect your digital assets. If you would like to know more about what we can do for you, please contact us.