Cybercriminals have taken advantage of the disruption to launch new threat campaigns.


Google and KPMG experts on COVID-19 cyber scams

  • Cyber scams based on COVID-19 have become prevalent in recent months, as hackers look to capitalize on the virus-driven uncertainty affecting individuals, enterprises, and governments
  • Google and KPMG online security observers share their insights for securing accounts and access, even while operating from remote locations

The past two months have seen the largest ever migration of individuals to digital platforms and tools in order to stay connected, for both productivity and personal purposes.

Millions turned to virtual tools such as videoconferencing apps, many utilizing them for the first time. At the same time, building closures and the rapid shift towards remote working policies left many enterprises and governmental organizations scrambling to ensure adequate measures had been taken to shield confidential data, private servers, and other exposed systems.

In an era of social distancing, it is fortunate that technology has evolved to a point that many services can be rendered completely online. Yet with each helpful new technological advancement comes the possibility of introducing new online security risks.

Hackers and other cybercriminals tend to look at crises as opportunities, and COVID-19 has proven to be the mother of all crises: not only are systems vulnerable due to quickly changing world circumstances, but everyone is constantly turning to digital means to stay connected.

“Right now, everyone is heavily reliant on their laptops or mobile phones to conduct their everyday needs such as online banking, shopping or donating to causes and charities. Criminals are not afraid to take advantage of that,” warned Tan Kim Chuan, Head of Forensic at KPMG in Malaysia.

Mark Risher, Senior Director for Account Security, Identity, and Abuse at Google, says Google’s team of cybersecurity experts has encountered coronavirus-related cyber scams aimed at individuals, companies, and government administrations.

“Our Threat Analysis Group continually monitors for sophisticated, government-backed hacking activity and is seeing new COVID-19 messaging used in attacks, and our security systems have detected a range of new scams such as phishing emails posing as messages from charities and NGOs battling COVID-19, directions from ‘administrators’ to employees working from home, and even notices spoofing healthcare providers,” Risher noted.

“Our systems have also spotted malware-laden sites that pose as sign-in pages for popular social media accounts, health organizations, and even official coronavirus maps.

“During the past couple of weeks, our advanced, machine-learning classifiers have seen 18 million daily malware and phishing attempts related to COVID-19, in addition to more than 240 million COVID-related spam messages.”

Awareness is paramount when it comes to cyber scams

With fraud attempts this prolific, understanding what forms these COVID-19 scams take, and how best to handle them, should be an urgent priority for both organizations and the people who work for them.

Specialists believe prioritizing cybersecurity awareness campaigns at the public-policy and enterprise levels could help, as Azlan Mohamed Ghazali, Engagement Director in the Emerging Tech Risk & Cyber (ETRC) Department at KPMG in Malaysia, pointed out recently.

“It is essential for organizations to continuously promote the importance of cybersecurity threats to internal staff as well as to the public through Info Security Awareness. The government should also consider establishing an extensive Cyber Security Awareness Program that could be easily replicated across all government agencies.

“Additionally, each agency should have internal staff that are capable of handling and managing cybersecurity threats without fully relying on an external third-party agency. Companies should at least make it compulsory for employees to partake in a yearly Information/Cyber Security Awareness Training.”

Google’s Risher also told Tech Wire Asia some of his tips to avoid cyber scams:

# 1 | Use an enterprise email account for work-related messaging

Even when working from home, it is critical to keep work and personal email separate. Enterprise email accounts have additional security features to keep confidential data private, such as two-factor authentication, which can be enabled by the company’s IT professional.

# 2 | Secure video calls on chat apps

Most videoconferencing apps can now add additional verification layers to ensure only invited attendees can access the call. Organizers can vet individual attendees, and invites to install new communication apps should be double-checked to ensure they are authentic.

# 3 | Install security updates

Security updates provide fixes for known threats, so users should be sure to keep their home devices updated, just as their work hardware receives automatic updates.

# 4 | Use a password manager to create strong passwords

Remote working might require a host of new application and service accounts to be created, and users might be tempted to use the same passwords for all these accounts.

Unique, hard-to-guess passwords are the best option, and a password manager tool like the one built into Google Chrome would be the most dependable solution for end-users.