25 May 2020

Cyber Risk in The Age of Coronavirus

The COVID-19 pandemic has led to changes in “normal” consumer behaviour and business operations. Unscrupulous individuals are exploiting consumers’ fears, the uncertainties and misinformation surrounding this pandemic, to scam individuals and businesses alike. It is offering new pathways for fraudsters to access potential victims online. The media is full of stories of scams and as governments offer businesses help to mitigate the economic impacts of lockdowns and social distancing, fraudsters are attempting to pass themselves off as government entities offering loans or financial breaks.

Cyber-fraud like this has increased significantly and new threats are amplified by the massive increase in home-working, particularly for businesses who did not previously offer this flexibility. One of the key attack trajectories is in business email compromise (BEC) – and it’s also a quick way to lose a lot of money.

From the simple to the sophisticated

According to the 2019 Internet Crime Report from the US Federal Bureau of Investigation, the FBI received nearly 24,000 complaints about BEC resulting in more than US$1.7 billion in losses1. In April, the FBI warned it was anticipating a rise in BEC schemes related to the COVID-19 pandemic, citing two separate examples in which fraudsters had said that bank accounts had to be changed due to new coronavirus processes2.

BEC fraud schemes target commercial, government and not-for-profit organizations. Using social engineering or computer inclusion techniques, they come in a number of guises, and their aims are to persuade the receiver to release funds or sensitive data. Among them:

  • Spear phishing targets a specific individual by acquiring personal information and then posing as a known or trustworthy organization or individual. Phishing, by contrast, is mass-mailed and not personalized.
  • Social engineering uses a fake domain name that’s close to your business name and social engineering to establish the format of a company email addresses. So, Firstname.Lastname@fightcompany.com instead of Firstname.Lastname@rightcompany.com.
  • Email spoofing happens when an email originates on the internet but uses the correct email address. If you reply to these, the email will return to the real employee. This scam is used in conjunction with social engineering, for example, seeing on Facebook that the executive is about to board a flight and will be offline for a number of hours.
  • Malware is any ‘malicious software’ sent to a business network or an executive’s email address with the intention of causing damage or stealing data.

In most cases, these emails request funds. Alternatively, the emails may appear to come from a supplier and ask that future payments be sent to a new bank account – but the details are for the cyber criminals’ account. This is known as payment redirection fraud.

Preying on fears

COVID-related phishing scams are also rampant. Cyber-criminals are taking advantage of business concerns in the current economic environment and the widely-publicised government aid packages, to attempt to trick companies into handing over money or data. The Canadian Anti-Fraud Centre released a bulletin in March warning of reported COVID-19 scams such as fraudsters posing as financial firms offering loans, debt consolidation or other assistance, or financial advisors offering aid in the shutdown3.

On an individual level, the thirst for new information is leading people to click on unsafe links in emails and text messages. The emails can appear to be from the government, trusted news sites, power companies or even world bodies, like the World Health Organization. The links download malicious software onto the user’s device and if these devices are being used for work, they can offer a back door onto the business network.

The pandemic has also seen a revival in an older type of phishing, where scammers contact businesses offering to invest. Again, these emails prey on genuine concerns about surviving the economic downturn and hope that these concerns will outweigh due diligence. When it comes time to pay, the fraudsters say that there are wire fees or other payments due to clear the funds, but the funds never come.

Protecting your business against fraud and scams

Even in the most sophisticated scam, there are red flags to watch for:

  • Urgent payment requests
  • Senior executives requesting secrecy around a transaction
  • First time payment or an unusually large amount
  • Even the tone and language used in the email can tip employees off

To keep your business safe in this rising tide of cyber-crime, adopt stringent policies around payments:

  • Most importantly, raise awareness and educate staff to be on the look out for spoofed email addresses and other red flags, particularly those who work with invoices and in the finance department.
  • Consider a two-step verification process for wire transfer payments, such as calling executives directly using a verified number, not the one in the email. (For example, if you get an email from Joan in Finance you want to check, don’t call her “direct line” below her signature – call the finance department and ask for Joan.)
  • Always check who’s sent an email. While an email may appear legitimate at first glance, clicking on the sender’s information may reveal a different address to the organization they are impersonating.
  • Create a culture that encourages staff to report suspected fraud. Further, reward staff who escalate or identify potential fraud attempts – even if they turn out to be wrong. A strong culture of reporting issues will create a better working environment, stronger employee culture and a stronger business.

Whatever the scam cyber attackers try, from phishing to financial fraud, they target basic emotions. Today’s difficult circumstances offer a hotbed of fears, from health concerns to financial worries, for fraudsters to attempt to manipulate. The best defence for businesses lies in training and educating staff, so that a culture of vigilance and verification becomes second nature.

For further help, please see the following resources:

Our cybercrime hub - https://www.business.hsbc.ca/en-ca/cybercrime

Our webinar, Responding to COVID-19: Implications on fraud for corporates - https://www.brighttalk.com/webcast/17590/400728

Fraud Awareness for Commercial Targets, Competition Bureau, Government of Canada - https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/02600.html

The Canadian Anti-Fraud Centre - https://www.antifraudcentre-centreantifraude.ca/report-signalez-eng.htm

Get Cyber Safe - https://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtct-smlbsn/prmt-dvc-scrty-en.aspx

RCMP - https://www.rcmp-grc.gc.ca/en

FBI Internet Crime Complaint Center (IC3) - https://www.ic3.gov/default.aspx

Canadian Bankers Association (CBA) - https://cba.ca/

The Canadian Anti-Fraud Centre (CAFC) - https://www.antifraudcentre-centreantifraude.ca/index-eng.htm

Watch the full webinar

1https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120
2https://www.fbi.gov/news/pressrel/press-releases/fbi-anticipates-rise-in-business-email-compromise-schemes-related-to-the-covid-19-pandemic
3https://antifraudcentre-centreantifraude.ca/features-vedette/2020/covid-19-eng.htm

Disclaimers

© Copyright HSBC Bank Canada 2020. All rights reserved. No part of this document may be reproduced, stored, distributed or transmitted in any form without the prior written permission of HSBC Bank Canada.

The information presented is not meant to be comprehensive and does not constitute financial, legal, tax or other professional advice. You should not act upon the information contained in this document without first obtaining specific professional advice. While reasonable care has been taken in preparing this document, HSBC does not make any guarantee, representation or warranty (express or implied) as to its accuracy or completeness. The information presented in this document is subject to change without notice.

Certain of the products and services offered by HSBC and its subsidiaries and affiliates are subject to credit adjudication and approval. This document does not constitute an offer to provide the services and products described and the provision of such services and products remains subject to contract.

“HSBC” is a trademark of HSBC Holdings plc and has been licensed for use by HSBC and its affiliates.

You are leaving the HSBC Commercial Banking website.

Please be aware that the external site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.

You are leaving the HSBC CMB website.

Please be aware that the external site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.