Fraud and social engineering claims filed by policyholders have dramatically increased since the start of the COVID-19 pandemic. *Reported losses ranged from $25,000 to $1.3 million per event, with threat actors exploiting COVID-19 and changes in organizations’ operating procedures.
Please be aware that email is not a secure medium, and one should never rely upon financial instructions sent via email without additional verification. We highlight below some of the criminal tools, tactics, procedures (TTPs) we see in use, and our recommendations for keeping your organization safe:
- Invoice manipulation: criminal actors are sending phishing emails with malicious links and files to trick individuals into providing credentials to their business email accounts. Once an email account is compromised criminals search for and doctor any discovered invoices with fraudulent wire instructions. They then use the compromised account (or a look-alike domain) to send the manipulated invoices to third parties claiming that, due to COVID-19, check payments are no longer being accepted and that all payments should be made to the new (fraudulent) account. Depending on whether an organization is on the giving or receiving end, it can suffer a 1st party loss of any funds transferred or liability to 3rd parties who are socially engineered into wiring funds as a result of an organization’s security failure.
- Look-alike Domains: related to the above, criminal actors commonly register domain names that appear similar to an organization’s or its partners’ domain names. For example, instead of receiving an email from your vendor’s real address (e.g., email@example.com), the hacker sends it from firstname.lastname@example.org. Did you spot the difference? Very often, these emails contain intimate knowledge of company procedures by virtue of their access to a compromised email account. While it can be easier to spot typos in an organization’s own domain, it can be very difficult to do so for vendors and partners, and all can be potential vectors of compromise.
- Domain Spoofing: criminals are preying on organizations that have failed to set up SPF email security, allowing them to send emails from an organizations’ actual domain (i.e. email spoofing). While many mail clients are set up to detect this, many are not, allowing an attacker to impersonate anyone in an organization without ever compromising an account.
In order to avoid these common attacks, we recommend that you:
- Never rely on wiring instructions sent via email or in attachments. Whenever receiving a new instruction or a request to change an existing one, be sure to use a dual-control method to confirm the instruction (e.g., if you received it via email, make a phone call to a known good phone number to verify).
- Always verify with your bank that the name of the organization you are transferring funds to matches the name associated with the account number provided to you (if it’s fraudulent, it often won’t).
- Always use 2-factor authentication. That way, if someone in your organization is ever tricked into disclosing their credentials, the hacker will be missing the 2nd factor to gain account access.
- Configure SPF and DMARC records to avoid email address spoofing — there is no cost to do so.
- Consider using an anti-phishing solution, or configuring your email client to notify you when you are receiving an email from outside of your organization.
Request A Complimentary Cyber Liability Risk Consultation