Cybercriminals typically scramble to take advantage of any newsworthy event, and the COVID-19 pandemic is no exception. By late March, the number of domain names registered with keywords like “COVID” and “corona” spiked from 190 to over 70,000. That number included a large number of phishing websites designed to tempt users to give up their email login credentials, credit card details and other personal information, often by posing as legitimate government and international organizations such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).
Unfortunately, cybercriminals are using this type of stolen information in increasingly sophisticated account takeover attacks, raising the risks to users and organizations. Instead of basic, velocity-driven brute force attacks that are relatively easy to identify, bad actors are turning to strategies that imitate human behavior and are much trickier to catch. To protect your company and your customers from pandemic-related cybercrime, you may need to level up your cyber defenses.
Account takeover attacks cause monetary and reputational damage
Login credentials stolen in phishing attacks are often used in account takeover attacks, where a cybercriminal uses stolen credentials to log into a user account. The impact of an account takeover depends on both the criminal’s end goal and the type of account they take over.
If they log into a consumer’s account on a website of a major retailer like Target or Amazon, they might make fraudulent purchases on the user’s saved credit card, which is bad enough. However, if they log into the account of an employee at a major tech company, they might exploit that employee’s access to powerful internal admin tools to take over multiple user accounts (a strategy used in July’s high-profile Twitter hack).
Whatever actions the criminals take, account takeovers can be costly for the affected companies. Since 2019, the cost of fraud to U.S. retailers has risen 7%. And attacks like the one that hit Twitter can inflict reputational as well as monetary damage, as potential customers may lose faith in your company’s ability to protect their accounts and personal data.
Cyberattacks are getting more and more human
The most basic account takeover attacks are relatively easy to detect. These high-volume automated attacks input as many credentials as possible into as many platforms as possible. That means they indulge in obvious non-human behaviors, such as inputting login credentials multiple times per second. Many companies already have protections in place to detect and defend against these types of bot attacks.
But defending against a sophisticated attack is less straightforward because it’s harder to differentiate these attacks from a legitimate login attempt. More sophisticated cybercriminals make an effort to spoof their IP addresses, trigger the generation of new valid device IDs, and wait for the web page to fully load before inputting any credentials, as a normal user would. In addition, they may circumvent protections like CAPTCHAs by employing “human farms” — offices full of human workers, often in developing countries, who perform rote online tasks for pay. In the first half of 2020, according to NuData research, 96% of all attacks on financial institutions imitated human behavior with tactics like these, making them much harder to identify and defend against.
3 layers of cybersecurity defense
Defending against the kind of sophisticated attacks that threaten most companies today requires a multi-layered approach that can repel different types of attacks using a variety of tactics. We apply this idea all the time when securing places and objects in physical space. Think of the security systems on your car — you probably have strong locks securing its doors, but also an alarm system that will sound if someone breaks a window. Effective cybersecurity strategy requires a similar approach.
1. Educate your employees
Even during the best of times, human beings tend to be the weak link in organizations’ cyber defenses. And the rise in remote work during COVID-19 has made employees more vulnerable to phishing scams or other attempts to steal their credentials and personal data.
Employees may be more likely to log into personal accounts on work devices or vice versa when working from home, increasing security risk. A lack of clear policies around cybersecurity best practices for remote work or security infrastructure such as VPNs also creates a perfect opportunity for hackers.
To close the gap, require cybersecurity training for all remote employees. Employees should understand what phishing and malware are, and why it’s important to use strong passwords and change them frequently. By showing that security is a strategic priority for the organization, you’ll motivate all levels of employees to prioritize security in their day-to-day work.
2. Secure accounts with multi-factor authentication
In the fight against cybercrime, multi-factor authentication (MFA) and other strong authentication protections on user accounts are table stakes — and companies without them are prime targets. While no authentication scheme is foolproof on its own, a good MFA strategy will significantly increase the time and effort a cybercriminal must invest to take over an account on your system, making it less likely they’ll prioritize attacking you.
3. Continuously validate identity with passive biometrics and behavioral analytics
Considering both the popularity of phishing and the vast amounts of personal data available on the black market, you can’t assume that everyone using legitimate credentials is actually a legitimate user. That means you need other methods to detect when an unauthorized user is in your system — namely passive biometrics and behavioral analytics.
Passive biometrics look at a user’s inherent behavior, including how they hold their device, while behavioral analytics look at the user’s habits, such as where they usually log on from and when. Combining these two approaches lets you create a unique profile for each user that’s very hard for an attacker to imitate.
If a user has legitimate credentials but doesn’t have the behavioral biometric signature typically associated with that account, you can set your system to automatically lock them out or require additional identity verification to continue. This extra line of defense makes it harder for cybercriminals to make use of stolen credentials and personal data.
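As an added example (not code from the original post or from NuData), the following Python contrasts the two detection layers discussed above: the velocity check that catches high-volume bot traffic but misses a slow attacker using stolen credentials, and a behavioral baseline check that escalates a successful login from an unfamiliar country or hour to step-up verification. The login events, IP addresses and per-user baselines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real data):
# (UTC timestamp, username, source IP, country, login succeeded)
EVENTS = [
    ("2020-08-03T09:01:00Z", "alice", "203.0.113.5",  "US", True),
    ("2020-08-03T09:01:00Z", "bob",   "203.0.113.5",  "US", False),
    ("2020-08-03T09:01:00Z", "carol", "203.0.113.5",  "US", False),
    ("2020-08-03T09:01:00Z", "dave",  "203.0.113.5",  "US", False),
    ("2020-08-03T09:01:00Z", "erin",  "203.0.113.5",  "US", False),
    # Slow, human-paced login with valid credentials from an unusual place and time
    ("2020-08-03T03:15:00Z", "alice", "198.51.100.7", "BR", True),
]

# Constructed per-user baseline, as it might be built from past successful logins:
# usual countries and usual login hours (UTC).
BASELINES = {
    "alice": {"countries": {"US"}, "hours": set(range(8, 19))},
}

def velocity_alerts(events, max_per_second=3):
    """Velocity layer: count attempts per source IP within one second and flag
    sources that exceed the cap. This catches the obvious bot flood but says
    nothing about a single well-paced login using stolen credentials."""
    counts = defaultdict(int)
    for ts, _user, ip, _country, _ok in events:
        counts[(ip, ts)] += 1
    return sorted({ip for (ip, _ts), n in counts.items() if n > max_per_second})

def behavioral_alerts(events, baselines):
    """Behavioral layer: compare each successful login with the user's usual
    country and hour. Valid credentials plus an unfamiliar profile yields a
    step-up verification decision rather than a silent allow."""
    alerts = []
    for ts, user, ip, country, ok in events:
        base = baselines.get(user)
        if not ok or base is None:
            continue  # failed logins and unprofiled users are left to other layers
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        reasons = []
        if country not in base["countries"]:
            reasons.append("new_country")
        if hour not in base["hours"]:
            reasons.append("unusual_hour")
        if reasons:
            alerts.append((user, ip, "require_step_up", reasons))
    return alerts
```

Run against the sample, the velocity layer flags only the flooding source, while the behavioral layer is the one that catches the quiet login from alice's account.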
There’s no silver bullet when it comes to cybercrime. A sound cybersecurity strategy will reduce, but never fully eliminate, your risk. However, by layering multiple security protections, including employee education, strong authentication, passive biometrics and behavioral analytics, you’ll go a long way toward keeping your employees and customers safe.