The Covid-19 pandemic has led to millions of employees working remotely, often on less-secure devices and networks.
“The sudden shift from face-to-face office encounters to digital communication makes possible myriad scams that are tailor-made for a newly divided workforce,” says CyberScout founder and chairman Adam Levin.
A recent survey found that 49% of businesses expect to experience a data breach or security incident within the next month, with 40% of respondents admitting to cutting their cybersecurity budget as part of their response to the pandemic.
While businesses and organizations have long been targeted by widespread and sophisticated cybercrime campaigns, many familiar scams have taken on new Covid-19-related tacks.
As businesses have increasingly embraced videoconferencing as a method of communication, hackers haven’t missed a beat. Using fraudulent meeting invitations and emails, hackers are busy infecting computers with malware targeting an organization’s network and phishing for credentials or whatever else they can get.
One common approach is to direct users to “spoofed” (fake) domains and sites that look like Zoom, Microsoft Teams, and Google Classroom. Since mid-April, nearly 2,500 Zoom-related domain names have been registered, thirty-two of which have been confirmed to be malicious. Another 320 were labeled “suspicious” by security researchers.
Two separate email campaigns targeting user credentials for Microsoft’s suite of Office 365 tools hit 50,000 Microsoft Teams users. Employees who received these emails were directed to a phony login page that captured their usernames and passwords.
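The lookalike-domain tactic described above is something a defender can screen for in a newly-registered-domain feed. The script below is an added example, not code from the article or from any of the companies it names: it flags domains whose labels contain a collaboration-brand keyword (after undoing common digit-for-letter substitutions) unless they belong to an assumed allow-list of the brands' real domains. The brand keywords, the allow-list and the domain feed are all constructed for the example.

```python
"""Flag newly registered domains that impersonate collaboration brands.

Added example (not part of the original article). Brand keywords, the
legitimate-domain allow-list and the sample feed are constructed inputs.
"""
import re

# Brands the article says were impersonated (constructed keyword list).
BRAND_KEYWORDS = ("zoom", "teams", "microsoft", "classroom", "google")

# Assumption: the defender maintains an allow-list of the brands' real
# registrable domains so genuine hosts are never flagged.
LEGIT_DOMAINS = {"zoom.us", "microsoft.com", "google.com"}

# Constructed sample of a newly-registered-domain feed.
SAMPLE_DOMAINS = [
    "zoom.us",
    "zoom-meeting-login.com",
    "zoomvideocall.net",
    "microsoft-teams-update.xyz",
    "classroom.google.com",
    "weather-today.org",
    "zo0m.us",
]

# Digit/symbol substitutions commonly used to mimic letters (e.g. "zo0m").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'a.b.zoom.us' -> 'zoom.us')."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalise(host):
    """Undo homoglyph substitutions and strip separators so that
    'zo0m.us' and 'z-o-o-m.us' both compare as 'zoomus'."""
    return re.sub(r"[-_.]", "", host.lower().translate(HOMOGLYPHS))


def classify(host):
    """Return 'legit' (on the allow-list), 'lookalike' (brand keyword present
    but not on the allow-list) or 'clean' (no brand keyword)."""
    if host.lower() in LEGIT_DOMAINS or registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    flattened = normalise(host)
    if any(keyword in flattened for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "clean"


def triage(domains):
    """Return the subset of a domain feed that should be reviewed or blocked."""
    return [d for d in domains if classify(d) == "lookalike"]


if __name__ == "__main__":
    for domain in SAMPLE_DOMAINS:
        print(f"{domain:32} {classify(domain)}")
```

Keyword containment is deliberately broad, so a substring such as "teams" will also catch unrelated names like "steamsale.com"; the allow-list removes false positives for the brands' own hosts, and anything else the script flags is a candidate for analyst review or a block-list entry rather than an automatic verdict.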
“The goal is simple,” says Levin. “Lure a potential victim into opening a malicious attachment sent via email, or trick them into clicking a link that lands them on a booby-trapped webpage.”
The army of employees now working from home and/or using shared internet connections has meant more virtual private networks (VPNs). Between March 8 and March 22 alone, there was a 124% increase in the adoption of VPNs. Unfortunately, their widespread adoption has led to a number of suspicious, if not outright fraudulent, applications and services claiming to provide a legitimate extra layer of security.
Where a phishing scam may have the ability to compromise a single account, a fake VPN app or account has the potential to siphon all of the internet traffic coming to or from a computer or a device, not to mention the possibility that it could install malware.
Free apps are a decent indicator of a potentially suspect VPN. Reviews and downloads are not reliable data points.
VPN Master - Free VPN Proxy, an app listed on the Google Play store, had a high rating and over 100,000 downloads. Researchers discovered eight separate malware and adware variants in the app. Another study of mostly “free” or low-cost VPN apps designed for the Android platform found that 82 percent attempted to access personal user data and 38 percent contained malware.
“Never use a ‘free’ VPN service. As with everything else online, if you’re not paying money for a product or service, you’re paying with your data,” says Levin.
Human resource departments and payroll services have been targeted by several variations of payroll scams since the pandemic began.
One of the most common methods uses email sent from a spoofed domain to a manager or an HR department, linking to a fake version of their payroll service's website. Scammers capture the victim's login credentials and use them to access the company's real payroll accounts.
Companies that have received loans through the federal Paycheck Protection Program or Economic Injury Disaster Loans have been a specific target of these scams.
“[W]hile you’re focused on getting a loan, scammers may be focused on you: hoping to trick you into giving them sensitive business information, like your bank account numbers, employees’ Social Security numbers, and even your money,” warns the FTC website.