Comfortable in some sort of “shelter at home” situation in front of a computer, cyber criminals are taking full advantage of unique vulnerabilities created by these unprecedented pandemic conditions. The Federal Bureau of Investigation (FBI) has stepped up its efforts to notify the public in response, issuing more frequent cyber security alerts than it usually does when large-scale threats are identified.
So far the FBI has issued specific cyber security alerts on human trafficking, COVID-19 scams, vulnerabilities in networking platforms (such as Zoom), and cloud-based business email compromise campaigns. The agency has also posted public notice that it is closely monitoring potential exploitation of children taking remote classes from home, hate crimes, and general scam and breach attempts that target personal information during the pandemic.
Increased FBI engagement as cyber threats spike
In addition to novel attempts at fraud and system compromise that try to play off of the coronavirus pandemic, certain categories of cyber crime are also seeing significant spikes as criminals try to exploit strained IT departments.
Scams that make use of the COVID-19 pandemic are rampant, and the most insidious (and effective) are those that purport to come from legitimate health organizations and charities. In addition to having their names used in fraud attempts, organizations such as the WHO and CDC are also under direct assault from skilled nation-state hackers. Security firm Barracuda Networks has additionally observed a staggering 667% increase in phishing attempts on individuals in the month of March.
The pandemic has created a perfect storm of opportunity for attackers. People are scared and constantly seeking new information, and perhaps more likely than usual to drop their guard for an unfamiliar email or website. Organizational security measures are strained by revenue loss, layoffs and inability for workers to get from place to place. And an unprecedented wave of employees and students working from home has added new traffic and new security vulnerabilities to exploit.
The FBI’s early cyber security alerts
The FBI’s Internet Crime Complaint Center (IC3) had not issued a public warning since January 21 before the coronavirus safety measures began; it issued two cyber security alerts in the month of March, and two more in the first week of April alone. These announcements are relatively rare and usually reserved for widespread security issues; only nine were made during all of 2019.
The first of these recent cyber security alerts, issued on March 16, was a warning about the use of social media platforms and dating sites to recruit sex trafficking victims. While this warning did not have a particular focus on minors, there is increasing concern about the vulnerability of children attending classes over the internet as schools look to be closed for the remainder of the academic year.
The FBI also issued a March warning about various scams related to coronavirus, specifically naming phishing emails, scams involving fake treatments and equipment, and spoofed malware emails that appear to be from the CDC.
At the beginning of April the FBI issued a general warning about vulnerabilities in virtual environments. “Zoom bombing” was not specifically named, but it seems very likely that the app’s constant presence in the news had at least some influence on this announcement. This announcement also provided more specific guidance on safety in children’s educational platforms and in securing against business email compromise attempts.
The most recent of the cyber security alerts added more information about business email compromise attempts, with a more detailed description of some typical methods that criminals use.
In addition to the detailed cyber security alerts provided through the IC3, the FBI has been issuing a series of more general press releases warning of specific notable issues. These include fraudulent sales of medical equipment and “money mule” schemes that prey on job seekers looking for work-from-home opportunities.
A deluge of cyber crime
With the extra strain on resources and manpower put on by the pandemic conditions and this massive uptick in cyber crime, organizations may be starting to feel a little overwhelmed.
However, the main port of entry for the vast majority of these attacks is the same as ever: a successful phishing email that gets an employee to click links to an attack site. The current FBI cyber security alerts specifically cite fake charities and donation programs, airline refunds, fake vaccines and “alternative” cures, and fraudulent offers of testing kits as the leading subjects among the wave of opportunistic phishing attempts.
Augmenting standard employee phishing awareness training with these current guidelines is a good start for any organization. Given the manpower challenges that many face, this is also an opportune time to ensure that automated lines of defense are up to par as well. At the very least, the absolute basics should be in place: anti-malware measures that are regularly updated, multi-factor authentication and a URL filtering service. It’s also more important than ever to apply new hardware and software patches as often as possible; advanced nation-state hacking groups are more active than ever and are being extremely opportunistic.