The outbreak of Covid-19 has not only presented unprecedented global health and socio-economic challenges, but has also created opportunities for fraudulent activity. Regulators and security firms continue to remind the public of the proliferation of scams and other deceptive practices as well as emerging trends and threats. For example, see FINRA Regulatory Notice 20-13 (Heightened Threat of Fraud and Scams).
During this crisis, millions of workers were abruptly forced to work from home. The sudden shift not only brought about a myriad of challenges for businesses, but also highlighted a number of security vulnerabilities with telework arrangements -- especially given how many companies set up tech and remote access “on the fly,” which cybercriminals immediately began to exploit. And we are now seeing a surge in unemployment imposter fraud amid the extraordinarily high volume of unemployment applications filed by furloughed and laid-off workers. On April 16th, during a webinar hosted by the Aspen Institute, Tonya Ugoretz, Deputy Assistant Director of the FBI’s Cyber Division, said the Internet Crime Complaint Center was receiving between 3,000 and 4,000 cybersecurity complaints each day, a noticeable spike from around 1,000 complaints per day prior to the coronavirus pandemic.
Let it be said that criminals love nothing better than a good crisis of which to take advantage. Bad actors continue to leverage old and develop new tactics to defraud victims of sensitive information, money, and other entitlements. As such, it’s imperative to keep security, collaboration, communication, and education at the forefront.
Firms should assess (or even re-assess) risks to their organization presented by the pandemic, and then implement measures to reduce their overall exposure to those threats. Consider whether your business has:
- controls around fund transfers, financial account creation, data/system security, data exfiltration, access management, and remote access security;
- processes for identity verification, account/systems monitoring and maintenance, data/system back-ups and recovery, and escalation;
- a third-party risk management program;
- adequate employee training and education, and appropriate channels for communication;
- policies and procedures that clearly express business, legal, and other requirements, prohibitions, and consequences;
- an incident response plan, including dedicated teams/staff to address security and other risk events;
- adequate internal and external resources to support critical functions, especially with a larger remote workforce;
- lists of key contacts (e.g., staff, vendors, business constituents, law enforcement, regulators, insurer, law firm); and
- considered key person risks.
Additionally, with increased participation in virtual meetings, pay attention to “what’s behind you” (literally) and what you may unknowingly be revealing about yourself. Personal pictures, posters, layout of your remote workspace, etc. are “food for hackers” and can be used against you.
While crises, such as the one we are currently facing, can present profound challenges, they also give rise to opportunities for new and innovative solutions. Don’t just weather this storm, but rather take advantage of this watershed moment to innovate, evolve, and adapt.