How to avoid COVID-19 cyber scams – advice from Google and KPMG

Hackers and other cybercriminals tend to look at crises as opportunities – and COVID-19 has proven to be the mother of all of them.
25 May 2020


Hackers and other cybercriminals tend to see a crisis as an opportunity, and COVID-19 has proven to be the mother of all crises.

Not only are systems vulnerable due to quickly changing world circumstances, but everyone is also constantly turning to digital means to stay connected.

The past two months have seen the largest ever migration of individuals to digital platforms and tools in order to stay connected, for both productivity and personal purposes.

Millions turned to virtual tools such as videoconferencing apps, many utilizing them for the first time. At the same time, building closures and the rapid shift towards remote working policies left many enterprises and governmental organizations scrambling to ensure adequate measures had been taken to shield confidential data, private servers, and other exposed systems.

“Right now, everyone is heavily reliant on their laptops or mobile phones to conduct their everyday needs such as online banking, shopping or donating to causes and charities. Criminals are not afraid to take advantage of that,” warned Tan Kim Chuan, Head of Forensic at KPMG in Malaysia.

Mark Risher, Senior Director for Account Security, Identity, and Abuse at Google, says Google’s team of cybersecurity experts have encountered coronavirus-related cyber scams aimed at individuals, companies, and government administrations.

“Our Threat Analysis Group continually monitors for sophisticated, government-backed hacking activity and is seeing new COVID-19 messaging used in attacks, and our security systems have detected a range of new scams such as phishing emails posing as messages from charities and NGOs battling COVID-19, directions from “administrators” to employees working from home, and even notices spoofing healthcare providers,” Risher noted.

“Our systems have also spotted malware-laden sites that pose as sign-in pages for popular social media accounts, health organizations, and even official coronavirus maps.

“During the past couple of weeks, our advanced, machine-learning classifiers have seen 18 million daily malware and phishing attempts related to COVID-19, in addition to more than 240 million COVID-related spam messages.”

Awareness is paramount when it comes to cyber scams

With fraud attempts this prolific, understanding what forms these COVID-19 scams take – and how best to handle them – is of urgent importance for both organizations and the people who work for them.

Specialists believe prioritizing cybersecurity awareness campaigns at the public policy- and enterprise-levels could help, as Azlan Mohamed Ghazali, Engagement Director in the Emerging Tech Risk & Cyber (ETRC) Department at KPMG in Malaysia, pointed out recently.

“It is essential for organizations to continuously promote the importance of cybersecurity threats to internal staff as well as to the public through Info Security Awareness. The government should also consider establishing an extensive Cyber Security Awareness Program that could be easily replicated across all government agencies.

“Additionally, each agency should have internal staff who are capable of handling and managing cybersecurity threats without fully relying on an external third-party agency. Companies should at least make it compulsory for employees to partake in a yearly Information/Cyber Security Awareness Training.”

Google’s Risher also shared some of his tips to avoid cyber scams:

# 1 | Use enterprise email account for work-related messaging

Even when working from home, it is critical to keep work and personal email separate. Enterprise emails have additional security features to keep confidential data private, such as two-factor authentication which can be enabled by the company’s IT professional.

# 2 | Secure video calls on chat apps

Most videoconferencing apps can now add additional verification layers to ensure only invited attendees can access the call. Organizers can vet individual attendees, and invites to install new communication apps should be double-checked to ensure they are authentic invites.

# 3 | Install security updates

Security updates provide fixes for known threats, so users should be sure to keep their home devices updated, just as their work hardware receives automatic updates.

# 4 | Use a password manager to create strong passwords

Remote working might require a host of new application and service accounts to be created, and users might be tempted to use the same passwords for all these accounts.

Unique, hard-to-guess passwords are the best option, and a password manager tool like the one built into Google Chrome would be the most dependable solution for end-users.