Fortinet, a global leader in broad, integrated and automated cybersecurity solutions, warns that social engineering attack is the easiest and fastest way to exploit an individual or organization in Malaysia amidst COVID-19 pandemic fears. As the world is fixated on the global health emergency, cybercriminals are taking advantage of the fear and uncertainty to deploy social engineering scams and attacks on unsuspecting targets.
During this current pandemic, cybercriminals will typically try to manipulate those who attempt to provide financial support by creating fake charity websites in order to get donors to transfer money to help the victims.
And with so many major events being cancelled, cybercriminals may also try to take advantage of this situation by luring them with phishing scams on refunds and fake news to get victims to reveal their credit card information.
Below are six ways attackers are exploiting the COVID-19 crisis for financial gain:
• Phishing/Spearphishing – Email-based attacks that target everyone or a specific person or role within an organization in order to entice individuals to click on malicious links or enter credentials or other personal information.
• Social Media Deception – Adversaries create fake profiles to befriend victims while posing as a current or former co-worker, job recruiter, or someone with a shared interest on social media, especially LinkedIn. Their goal is to trick the victim into providing sensitive information or downloading malware to their device.
• Pretexting –Attackers focus on creating a good pretext, or a false but believable fabricated story, so that they can use it to pretend to need certain information from their target in order to confirm their identity.
• WaterHoling – An attack strategy where attackers gather information about a targeted group of individuals within a certain organization, industry, or region as to what legitimate websites they often visit. Attackers look for vulnerabilities in these sites in order to infect them with malware. Eventually individuals in the targeted group will visit those sites and then become infected.
Phone Based Attacks
• Smishing – A text-based message attack that impersonates a legitimate source in order to lure a victim into downloading viruses and malware onto their mobile device.
• Vishing (voice phishing) – Phone-based attack in which adversaries call a mobile phone pretending to be from a legitimate source, such as a bank, as a means to try and convince the target into divulging sensitive information such as credit card information or social security numbers. Tactics used by these scammers often rely on “caller ID spoofing” which allows them to generate phone calls that appear to be from a legitimate or local sources.
Fortinet advocates the following five simple steps to protect personal and proprietary information:
1. Be suspicious of any email or text message requesting sensitive information or financial transactions, especially third-party sources spreading information about COVID-19.
2. Hover over and review all hyperlinks prior to clicking to confirm they are from legitimate sources
3. Use multi-factor authentication for gaining secure access to sensitive systems and databases
4. Ensure your browser, mobile devices, and computer systems are updated with the most recent protections
5. Never reuse passwords across multiple accounts and devices. Password uniqueness and complexity are paramount to safeguarding against additional risk to our networks
“Social engineering constantly preys on humans, the only vulnerability that cannot be patched. Nobody is safe from these efforts – from administrative employees, contractors, and even business partners can be targets to obtain access to their networks and sensitive information.
And for those who are connecting to the office through home networks, even children are potential targets,” said Alex Loh, Country Manager for Fortinet Malaysia.
Read more: Why SMEs Should Leverage on Digitisation