Dubious websites, business opportunities too good to be true, EU -or- British passports … you name it, it’s on the internet. Using Brexit (Feb. 1, 2020) and the COVID-19 pandemic declaration (Mar. 12, 2020) to bookend our discussion, we still have plenty of fodder to discuss online scams.
Scams can aim for anything, from cash donations, to socially engineering users to visit malicious websites, phishing links, or on to more targeted spearphishing tricks. In this respect, COVID-19, like Brexit before it, demonstrates how rapidly malicious actors can switch gears, leveraging any change that may benefit them.
Securing digital assets when change appears
NAFTA, GDPR, Brexit, trade wars … and COVID-19, just to name a few. When most people think about disruptions to business continuity, they think of unplanned events: fires, power outages, and for IT, ransomware attacks. However, other categories exist where change, rapidly unfolding events or even longer-term developments also bring clear risks to IT infrastructure and online users.
Other examples include unfavorable outcomes of local, regional or national elections; regional or global trade deals; public disputes; and economic sanctions. These are in addition to “normal” threats such as hurricanes, border controls or even highway maintenance. In short, any of these threats can trigger digital risks to your operational security!
Scams and social engineering: A bridge between digital and physical
Physical impacts to business continuity from scams are regularly recorded – substandard concrete or steel finding their way into a bridge as a result of a scam, for example. However, there are also digital counterparts with their own impacts. Online scammers are known to zero in on misfortune, exploiting users’ goodwill, then digging in for the fattest portion.
For consumers this often manifests as scam emails seeking financial “help,” but with the real intention being to collect money and/or personal data. In business, we can imagine this in reverse – scammers offering products or services with the intention of collecting data or other intelligence. When conditions are right, there are business scams aplenty.
Scams and social engineering enable corporate misery too
Here is another scenario. Post-hurricane, alongside the appeals for aid in cash and kind, agencies and businesses alike queue up to award or win contracts. Opportunity abounds, and your company is in the mix!
But amidst the tenders, proposals and contracts, another kind of frenzy can unfold. Business reps, engineers and back-office staff are all more likely to open e-mails titled “Request for proposal (RFP),” to click on unsolicited PDFs – a prime source of ransomware infection – or, even more basic than these pitfalls, to give away “need to know” information, e.g., the direct email and phone number of the CFO. Each of these “harmless acts” risks ransomware infection, or worse, persistent threats introduced to your network.
Yes, that too! GDPR’s journey to its May 2018 launch seemed to give businesses adequate time to prepare for compliance. However, it also wreaked havoc on many a business model and internal process. Simply put, the change in regulatory landscape opened up space for scammers to leverage uncertainty around GDPR compliance and privacy rights. The same can easily be said of CCPA in the US … or newly implemented laws and regulations around COVID-19.
Phishing: here come the sharks!
Help, perhaps in the form of consulting on regulatory compliance or business development “opportunities,” may serve to put phishing in the spotlight. It is a threat to businesses and can intensify when competition heats up. Often, as communications from multiple companies and/or institutions start to concentrate interest and buzz, increasingly valuable data can begin to leak. What might begin as the smell of business intel can grow to attract the interest of criminals and competitors alike.
Shifting supply chains
Along with physical disruptions to a business’s supply chain, digital counterparts exist. When any shift occurs, whether it is driven by costs or an IT security incident, manufacturers often scramble to substitute suppliers, change reporting and communication processes, and replace even whole logistics systems at times.
Unfortunately, in moving quickly, a business seeking to rapidly address a perceived inefficiency in its supply chain or processes might just as easily enter business with companies that haven’t done due diligence in risk assessment or met basic IT security norms. In this case, a properly managed security suite becomes even more essential. Imagine the major shifts in logistics around COVID-19. Both shortages and overstocks across the supply chain can create conditions in which companies may seek rapid change to operations, raising risks.
Elements of these scenarios have been seen in the past, with major disruptions to global supply chains via the NotPetya malware costing billions of USD and having stiff market impacts. In addition to direct impacts from ransomware-like symptoms experienced by some businesses, others unaffected by the malware essentially cut contacts with their counterparts up and down the supply chain in a bid to stay safe.
Global risk = dollar signs to malicious actors
COVID-19 has just provided the fuel to launch scamming and more persistent crimes to a new level – let’s say to outer space. Escape velocity, the speed necessary to escape earth’s orbit, seems possible here too as IT systems, security software and processes, as well as user awareness will all be tested.
Basically overnight, hundreds of millions of users intensified their online activities. Most of those users are likely to mix business with pleasure – I mean personal. And how many users, now off their better-protected corporate networks, have the solid practices, tools and security-mindedness to safely continue their work lives online? It is time to prioritize your digital security.
written by James Shepperd, ESET