COVID-19 and fraud: Protect your business from a different sort of virus
By ATB Financial 4 April 2020 8 min read
Uncertainty during the COVID-19 pandemic has led to a sharp increase in digital, credit card and other types of fraud as criminals launch phishing attacks and large scale fraud campaigns specifically looking to exploit public fears.
Knowledge and education are the best weapons to protect your business and ATB is here to help. The first step is becoming aware of the current and emerging threats, and educating your employees as the first line of defense. Gather this information by using reputable sources, such as government websites, The Canadian Anti-Fraud Centre, and financial institutions, and share these resources with your employees.
More than ever before, Canadians need to be vigilant while fraud groups come up with creative ways to exploit the COVID-19 crisis to facilitate fraud.
Here are some examples of scams that are trending, alongside tactics to keep your enterprise and yourself safe from frauds leveraging heightened emotions during the coronavirus pandemic.
Coronavirus cyber scams
During a crisis such as the coronavirus pandemic, emotions at an all time high include anxiety, fear, uncertainty, and misinformation. Cyber criminals in particular are exploiting people’s sense of vulnerability through a number of means.
“More and more people are relying on their digital devices to continue day-to-day activities and business operations, leading to higher vulnerabilities. The most popular schemes are phishing attacks where criminals send emails saying to be from legitimate organizations with information about the coronavirus. Instead, the links or attachments included within the body of the messages, downloads malware that takes control of your computer – and accesses your personal and financial data,” says Aisha Kitchlew, ATB Senior Manager, Fraud Investigations and Anti-Money Laundering.
“What you need to do is inject a healthy dose of paranoia in your employees to always think before they click. Offer that periodic or annual training for all levels of employees. Teach them the red flags and what to look for. Keep up to date with the recent scams and campaigns that are active. Build an internal site for your employees to access for updates on the epidemic, current and reported fraud campaigns, any policy changes, business continuity plans, or any other changes made as a result of the epidemic”
Trending Coronavirus-themed campaigns include:
- Zoom or Google Hangouts/Chat based phishing emails indicating that your company is having a meeting through one of these platforms, with an invite or “link” to download what appears to be a file with the word Zoom or Google in it. If not legitimate, clicking this link will download malicious software or malware onto your device.
- Communication which looks like a legitimate incoming e-transfer notification and states that the recipient is receiving a "Canadian Emergency Response Benefit". The link contained within this email leads to a page listing several financial institutions (FI), including ATB Financial, where the victim is requested to choose which FI to deposit the funds into.
- Online advertising offering items that are high in demand such as cleaning products, hand sanitizers, gloves, or masks requesting payment details. Often, these advertisements impersonate reputable entities such as the Red Cross.
- Phishing campaigns sent through email or SMS, impersonating provincial, national or international health agencies luring the public into clicking on links and downloading malicious software or malware onto the device.
- Campaigns urging businesses to invest in new stocks related to the virus or donations towards research in creating a vaccination.
- Emails saying the recipient has been contaminated by COVID-19 and must provide personal data such as their social insurance number, health care number or bank account details.
Fraud actors are aware that sudden disruptions such as this epidemic, may cause a decreased level of manpower, new employees, constantly changing processes, gaps in business continuity plans, etc. They use these vulnerabilities as leverage to execute fraud schemes successfully.
It’s never been more important to equip your employees with confidence, knowledge, awareness and the right information. If you feel you are involved in a fraud scam, follow three simple steps:
- Stop: Slow down, take a moment to breathe and think about what you have at hand. Follow your instincts.
- Assess: Carefully observe the situation and look for the red flags.
- Report: Try to confirm validity of what is being requested, and report any concerns.
Reducing fraud risk
There are a number of simple and successful steps you can implement right away to help keep your business safe. Start by ensuring clear communication with your employees about the threats and how to recognize red flags. And be open to comments.
“Make sure people have a way to report security issues or phishing emails - give a quick and easy way such as creating an email inbox and an easy to remember email address,” Aisha says.
- Remind your employees to be vigilant against fake emails: double check addresses and names. Often scammers change just one letter in a name or put slightly different addresses – such as ATB.ca. instead of the legitimate atb.com
- Don’t click on links from unknown sources, or links included in emails from known entities which don’t include a subject line or, have an uncommon subject line.
- Beware of any email claiming to be from recognized health authorities such as the Center for Disease Control and Prevention or the World Health Organization. Again, double check the address. You can also hover your cursor over the link provided to observe the URL which the link is being directed to.
- Be aware that no financial institution, agency or government will solicit funds or ask for your social insurance number, credit card or bank account number via email or over the phone.
- Do your homework when it comes to donations, whether through charities or crowdfunding sites. The Canada Revenue Agency has a list of registered charities. Do not wire money for donations.
- Immediately delete any email claiming a cure, treatment or vaccination against the coronavirus. There currently are none, online or in stores.
Cyber security and the future
As businesses that can move to virtual offices, it is important to enable safe and secure remote working measures, Aisha notes. “Although your priority may be the need to take proactive measures to protect the health of your employees, you also need to ensure this doesn’t create a threat to your cyber security health by opening up cyber security risks that you may not have already identified.
“One thing will remain constant at any time, is that fraudsters will always look for vulnerabilities. This is the perfect time, because employees are already overwhelmed and distracted.”
Cyber Security: A strong cyber presence and awareness will help reduce your business’ vulnerabilities to fraud if it is current and able to perform optimally when many are connecting remotely. Here are a few points to keep in mind.
- Run periodic tests to identify any gaps and issues in your IT and cyber security system.
- Make it easy for users to get started and ensure devices and systems are fully protected with complex passwords.
- Apply all the latest software patches to ensure devices are protected against the latest detected vulnerabilities and threats.
- Encrypt your devices, ensure passwords are set and proper password hygiene is maintained.
- Use VPN - virtual private network – and never public wifi when working remotely as the VPN connection is sent back to your office and is secure.
Business Continuity Plan: Review your business continuity plan for cyber security procedures and have an incident management plan in place. Provide an easy way to report security issues – including phishing emails – through an email inbox and simple email address.
Multi-factor Authorization: One of the most simple and effective means of safeguarding against fraud is using two-factor authorization. This requires two separate people or departments to sign off on transactions.
Get Professionally Scammed: Discover the security gaps in your business by hiring an external company to run a phishing test. Train your employees, phish them, and then share the results.
Promote Password Hygiene: Educate your employees what strong password security is. This includes:
- Use a password manager
- Don’t use real words or personal information
- Use a different password for each account
- Do not recycle, repeat, or use variations of your current password
- Change passwords frequently
- Do not trust your browser and never save your credentials to avoid them auto populating if a device is lost or stolen.
You’ve been scammed: Now what?
If you think your organization or business has been victimized by fraud, contact ATB immediately as the sooner we are aware of the situation, the more efficiently we can support you. We will walk you through a process to help determine if you may be vulnerable or have been defrauded.
Once a fraud incident has been confirmed, you may consider contacting the two main credit reporting agencies, Equifax and TransUnion, to provide details on the incident. Ensure a fraud alert is placed on your credit reports for any future applications made using your identity. This will prompt the creditor to contact you at a phone number provided by you before approving any additional lending or opening new accounts.
You may also consider reporting to:
- Your local law enforcement agency to provide any details you know of the incident. ATB will be happy to assist with providing any required documentation to law enforcement upon request through appropriate channels.
- The Canadian Anti-Fraud Centre (CAFC) collects information about fraud incidents across Canada. Visit the CAFC website to learn about any next steps you should take.
At the end of the day, the best defense against a fraud incident is education – at the executive and employee levels. Understanding and knowing what you are up against will allow you to consider what controls are best suited for your business. And know that you can count on ATB, in good times and bad. We will offer tips, guide you to resources and help you through these new realities in an attempt to reach a new, stable normal.