
ETA Expert Insights: Anticipating Cybersecurity Attacks and Fraud Associated with COVID-19

By Jim Bibles, Aperia; Tom Humphrey, Finix Payments; Sam Pfanstiel, ControlScan: Members, ETA Risk, Fraud, and Security Committee.

As the COVID-19 virus continues its spread, we are all concerned for our health and that of our loved ones and associates. Unfortunately, we also face security challenges, especially those brought by malicious actors seeking to leverage these concerns for their benefit by duping those who may have let their guard down during these anxious times. In this post, the ETA Risk, Fraud, and Security Committee presents some of these factors and steps you can take to address them, in order to aid in the protection of our members and the payments industry as a whole.

Fraud Risks Due to Pandemic Opportunists

Sadly, in addition to the actions we must take to manage our daily lives in a world disrupted by the spreading virus, we must also be more aware that others may be attempting to defraud us through activities such as creating malicious websites, phishing campaigns, or other scams.

Security experts report nearly 10% of all domain registrations for websites related to coronavirus this year were confirmed malicious or suspected to be.  Further, there have been numerous reports of phishing, spam, and phone calling efforts attempting to defraud recipients of funds and/or personal information.  Some specific incidents we are tracking include:

  • One email-based exploit called AZORult is targeting the financial industry; it uses email-based social engineering to launch a “Coronavirus map” that steals login information, cryptocurrency, and other valuable information.
  • Another malware strain lures its victims to install a COVID-19 map on their Android device, but instead spies on users through their smartphone microphones.
  • The U.S. Secret Service also has identified several such scams, which include attempts to play on our altruistic nature to defraud. It is not hard to envision a spear-phishing or social engineering attack in which a fake health emergency is leveraged to elicit credentials from an unsuspecting employee.
  • The FBI released a recent Liaison Information Report warning of a number of fraudsters purporting to sell personal protective equipment (facial masks).

It is vitally important, especially during times of uncertainty, for everyone to carefully read and evaluate unsolicited communications, taking care to determine the likelihood of authenticity before taking any action. For management, this means proactive communications to remind employees of their right and responsibility to be suspicious, of the official communications channels, and of how to safely contact their manager if they suspect a spear-phishing attack.

Unfortunately, just as we take steps to protect ourselves through social distancing and other practices, we should be just as wary of electronic communications. While on the surface these communications may appear to be helpful, they could be malicious attempts to dupe or defraud us.

Business Continuity and Working from Home in a COVID-19 World

By now, most businesses have implemented a plan to reduce the number of staff in the office and support a large number of employees working from home. Furthermore, if the threat is not contained, some organizations may experience a reduced workforce due to illness, especially in dense populations or where the employee workforce has already been commonly exposed.

While this distributed workforce structure may have been part of many business continuity plans (BCPs), the size and scope of these recent BCP implementations may not have been anticipated, and the need for quick activation may have forced companies to cut a few corners. Here are some things that the BCP coordinator, IT team, and Security Operations team may need to review, now that the plan is up and running:

  • Network/Data Access – Is the appropriate authentication in place for the type of data that the employees will have access to? Do all networks that contain sensitive data require multi-factor authentication, and is the network properly segmented? Do remote sessions automatically time out?
  • Types of devices – Are the employees who are accessing the network using company-issued devices, or is it BYOD? In either case, are all of the devices accessing your network properly patched and running appropriate security software? Does the device get scanned to ensure it meets the network's security requirements before it is given access to the network?
  • Data Loss Prevention – Does the company have technology in place to prevent sensitive data from being downloaded or copied from the network?
  • Keep reviewing your logs – Do all the connections to your network make sense? (Example: If all your employees are in a certain geographical area, make sure all of your remote connections are from that area.)
  • Compliance impacts – While proper risk management and security should always be the top priority, it is also important to note that regulatory compliance factors into those risks. Long-standing compliance requirements like PCI DSS, as well as privacy regulations such as HIPAA, GDPR or CCPA, require control over their respective sensitive data. BCP and compliance teams must take into account the risk of exposure of personally identifiable information (PII) or cardholder data (CHD) by an employee who is using their own home computer, or where work devices are no longer maintained in the same physically secured environment. The changes to your processes and network, such as virtual private network (VPN) or virtual desktop infrastructure (VDI), should be evaluated for impact to compliance, and documented in preparation for future assessments.
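
One way to automate the "Keep reviewing your logs" and session time-out checks from the list above, as an added example that is not part of the original post: it flags remote-access sessions whose source address falls outside the networks employees are expected to connect from, or that ran longer than a policy limit. The log format, the address ranges (documentation ranges standing in for regional ISP blocks) and the 8-hour limit are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: networks employees are expected to connect from, e.g. ISP blocks
# for your region exported from a GeoIP database. Documentation ranges are
# used here as stand-ins.
EXPECTED_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("2001:db8:10::/48")]
MAX_SESSION = timedelta(hours=8)  # assumption: policy limit for one remote session

# Constructed sample VPN log (user, source IP, session start, session end).
SAMPLE_LOG = """\
user,src_ip,start,end
alice,198.51.100.23,2020-03-20T08:02:00,2020-03-20T15:30:00
bob,203.0.113.77,2020-03-20T03:14:00,2020-03-20T03:40:00
carol,198.51.100.90,2020-03-19T09:00:00,2020-03-20T09:05:00
dave,2001:db8:10::5,2020-03-20T10:00:00,
erin,not-an-ip,2020-03-20T11:00:00,2020-03-20T11:30:00
"""

def review_sessions(log_text, now):
    """Return a list of (user, reason) findings for sessions needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src = ip_address(row["src_ip"])
        except ValueError:
            # A malformed address is itself worth a look, not a silent skip.
            findings.append((row["user"], "unparseable source address"))
            continue
        if not any(src in net for net in EXPECTED_NETWORKS):
            findings.append((row["user"], f"unexpected source {src}"))
        start = datetime.fromisoformat(row["start"])
        # A session with no end time is still open; measure it against `now`.
        end = datetime.fromisoformat(row["end"]) if row["end"] else now
        if end - start > MAX_SESSION:
            findings.append((row["user"], f"session lasted {end - start}"))
    return findings

if __name__ == "__main__":
    for user, reason in review_sessions(SAMPLE_LOG, datetime(2020, 3, 20, 12, 0)):
        print(f"REVIEW {user}: {reason}")
```

A finding is a prompt to ask the employee or check the device, not proof of compromise; travel and ISP address changes will produce some.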

Bottom line, an organization needs to enforce the same network security hygiene on the distributed work environment that it does in the traditional setting. An excellent textbook on securely supporting teleworkers is freely provided by NIST in Special Publication 800-46 Revision 2. For resources on contingency planning for future emergencies, the planning guide in SP 800-34 Revision 1 is also extremely helpful for organizations. Tools are out there to support this type of environment; they just need to be implemented.

Just as lawmakers, researchers, healthcare workers, grocery operators, and business leaders must all contribute to protecting those susceptible to this biological virus, our industry's risk, security, network, and compliance teams must combine efforts to ensure we do not expose our organizations to these additional risks.

For more information on COVID-19 and the payments industry, visit ETA’s COVID-19 Resource page here.