Leveraging current events, whether they are shifts in consumer behavior, disasters or other hardships, is one of the primary ways cybercriminals engineer their initial intrusions. It works because negative events are usually followed by a flood of donations and aid to those affected, and criminals position themselves in that flow.
Targeting the Human, Not the Machine
Societies generally respond to traumatic events with an outpouring of support, while the affected communities become more vulnerable and must rely upon new mechanisms for short-term survival. Both of these natural, human responses create a prime opportunity for abuse by cybercriminals. This abuse has the potential to significantly change a company’s risk posture and has implications beyond just brand reputation issues.
Criminals, especially on the internet, leverage emotion to gain initial footholds into their victim’s machine or accounts. Whether it is through creating fake charity pages and relief signups or by finding clever ways to use information about the event, cybercriminals primarily target the human rather than technical systems to achieve their aims. This results in increased risk for all those impacted by the events at hand.
How Criminals Exploit COVID-19
Most recently, the COVID-19 pandemic and the ensuing vaccine research and rollout have been a significant target for this type of activity. Risk has increased substantially for both individual users and corporations, because people want to stay up to date on the pandemic's development and the responses to it.
In March of 2020, security vendors and email providers reported spikes in phishing attempts ranging from a 350% increase to a 30,000% increase. These attempts predominantly leveraged information about the virus, treatments or national responses to prey on the global fear caused by the pandemic, in a bid to increase victim interaction.
In the weeks and months that followed, fear spread as the severity of the virus was becoming apparent, but reliable information was not easy to come by. Leveraging the virus as a topic quickly changed to leveraging national relief programs as the new phishing lure.
Targeting National Relief Programs
In the United States, as stimulus checks as well as paycheck protection programs rolled out, criminals quickly leveraged both topics as well as previously compromised data to steal money, take out fraudulent loans, apply for enhanced unemployment benefits and continue to harvest sensitive data.
The Small Business Administration has approved and disbursed more loans for COVID-19 relief than for all other disasters combined in the agency's history. The rapid rollout of this program, along with its changing guidelines, proved a fertile hunting ground for cybercriminals looking to prey on people adversely affected by the pandemic.
In addition to pandemic-focused criminal activity, there was a marked increase in consumer-related fraud. As online shopping increased substantially, so too did fraud attempts associated with e-commerce. Fraud attempts using the pretext of lost packages and mail redirection increased significantly along with the amount of brand abuse from major retailers. Mail redirection schemes were particularly successful around the major shopping holidays in the U.S. when package carriers all experienced delays and service interruptions due to increased demand.
ZeroFOX observed a 600% increase in fraudulent uses of copyrighted and trademarked material for the purposes of impersonation and fraud. This activity includes not only direct messaging and social media impersonations, but also fraudulent web pages and other digital assets designed to mimic legitimate sites to steal financial and personal information.
The Risk for Businesses
For businesses, it can be hard to detect the direct impact of scams targeting consumers. There may be some brand damage for the entity being impersonated, but under a traditional business risk model these scams appear to be low impact.
However, that perception is deceiving. This criminal activity, when successful, harvests personally identifiable information, passwords, accounts and financial information. This pretexting allows for follow-on malicious activity that spreads beyond just the individual involved.
Businesses that have employees who fall victim to this type of activity can face:
- Compromise of corporate accounts if passwords are reused or there is enough information to social engineer a password reset.
- Increased tax liabilities if a significant number of employees have fraudulent unemployment benefits taken out using their stolen identities.
- Compromised performance or insider threat depending on the level of compromise and its impact on the victim’s life.
Additionally, these scams can be leveraged directly against employees, creating a direct risk to corporate systems. A phishing page purporting to be a charitable foundation providing relief for a tragedy such as the Notre Dame fire can mimic a payroll-deduction donation program.
A page that requires employees to log into a portal with corporate credentials and harvests payroll information, "enabling a direct contribution from your paycheck," is an easy and efficient way to gain access to corporate systems while also stealing personal identification and financial information.
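As an added example of how a defender might surface the lookalike donation portals and brand-impersonation pages described in this section and under brand abuse above (this is illustrative code, not ZeroFOX tooling or code from the original article), the Python script below scores hostnames from a new-domain or certificate-transparency feed against a brand list, a typosquat edit distance, digit homoglyphs such as "1" for "l", and the topical lure words these campaigns use (relief, stimulus, delivery, payroll). The brand names, allowlist, lure list, scoring weights and sample feed are all constructed assumptions, and the registrable-label split ignores public-suffix rules.

```python
"""Lookalike-domain triage for brand-impersonation and credential-harvesting lures.

Added example, not ZeroFOX code. Brand names, allowlist and sample domains
are constructed; the scoring weights are illustrative heuristics.
"""
import re
import unicodedata

# Hypothetical monitoring scope: normalized brand keys -> display names
BRANDS = {"examplebank": "Example Bank", "acmeretail": "Acme Retail"}

# Legitimate domains that must never be flagged (constructed)
ALLOWLIST = {"examplebank.com", "acmeretail.com"}

# Topical lure words from the campaigns described above (pandemic, relief
# programs, shipping delays, fake login portals, payroll-deduction "donations")
LURE_TERMS = ("covid", "vaccine", "stimulus", "relief", "unemployment",
              "donate", "charity", "package", "delivery", "redirect",
              "payroll", "login", "secure")

# Digit/symbol homoglyphs commonly swapped for letters in typosquats
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "|": "l"})


def normalize(label: str) -> str:
    """Fold a host label to a comparable ASCII key: lowercase, strip accents,
    undo digit homoglyphs, drop hyphens/dots/anything non-alphanumeric."""
    folded = unicodedata.normalize("NFKD", label.lower())
    ascii_only = folded.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.translate(HOMOGLYPHS))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a transposition counts as two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain: str) -> dict:
    """Return {'domain', 'score', 'reasons'} for one observed hostname."""
    host = domain.lower().rstrip(".")
    if host in ALLOWLIST:
        return {"domain": domain, "score": 0, "reasons": ["allowlisted"]}
    labels = host.split(".")
    # Simplification: treat the second-to-last label as the registrable part
    # (no public-suffix handling, so "example.co.uk" would be mis-split).
    registrable = normalize(labels[-2] if len(labels) > 1 else labels[0])
    core = normalize("".join(labels[:-1]))   # everything left of the TLD
    score, reasons = 0, []
    for key, name in BRANDS.items():
        if key in core:                       # brand embedded anywhere, incl. subdomain
            score += 50
            reasons.append(f"embeds brand {name}")
        elif levenshtein(registrable, key) <= 2:   # close misspelling of the brand
            score += 40
            reasons.append(f"typosquat of {name} ({registrable})")
    for term in LURE_TERMS:
        if term in core:
            score += 15
            reasons.append(f"lure term {term}")
    if any(lbl.startswith("xn--") for lbl in labels):
        score += 10
        reasons.append("punycode label")
    return {"domain": domain, "score": score, "reasons": reasons}


def triage(domains, threshold: int = 40) -> list:
    """Score a feed of hostnames; return those at/above threshold, highest first."""
    hits = [score_domain(d) for d in domains]
    return sorted((h for h in hits if h["score"] >= threshold),
                  key=lambda h: -h["score"])


# Constructed sample feed (what a new-domain or CT-log watch might return)
SAMPLE_FEED = [
    "examplebank.com",
    "examplebank-covid-relief.com",
    "exampelbank.com",
    "acme-retai1-delivery-redirect.com",
    "examplebank.secure-login-payroll.net",
    "weather-forecast.org",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f"{hit['score']:3d}  {hit['domain']}  {'; '.join(hit['reasons'])}")
```

The weights are deliberately crude: the point is that a brand name combined with a topical lure word, or a two-edit misspelling of the brand, is enough to justify a human look before the page starts collecting credentials. In practice the allowlist should be the organization's real registered domains, the brand list should include product names and campaign slogans, and the feed should be whatever new-registration or certificate-transparency source the team already has.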
Current news items that elicit strong emotional reactions will always be leveraged by criminals to prey upon people. Anything that entices people to seek out information out of fear or provide information out of sympathy or hope will continue to be the basis used for initial reconnaissance of people and access to systems.
Understanding that this type of activity is the first step in a significantly more malicious chain of events will help companies and individuals take more preventative steps and reduce the impact of follow-on criminal activity.
Global Head of Security Architecture and Threat Intelligence at ZeroFOX
Ross Rustici is the global head of security architecture and threat intelligence at ZeroFOX. Ross previously worked at Cybereason and the U.S. Department of Defense. At ZeroFOX he is responsible for creating corporate strategy around threat intelligence for the company after launching its threat intelligence consulting program.
The original article can be read at the Brinks’ website.