How to avoid COVID-19 phishing scams

As the vast majority of companies have had to shift to operating remotely in compliance with stay-at-home orders, the UK National Crime Agency, the US Federal Bureau of Investigation, and other law enforcement organisations are warning of a spike in COVID-19-related phishing campaigns targeting individuals and businesses.

Accountants in particular are prime marks for targeted phishing scams by criminals hoping to defraud companies that may not have been totally prepared to accommodate a 100% remote workforce, according to Alyn Hockey, the vice-president of product management at the cybersecurity firm Clearswift, based in Reading in the UK.

“What we are seeing is criminals indiscriminately working through LinkedIn to find people in certain departments, and then targeting all those people en masse to try to get through to someone who is gullible enough to take the bait,” Hockey said. “Anyone in finance departments, accounts payable, or billing is really vulnerable to these attacks.”

Scammers are becoming increasingly sophisticated, and with so many people working from home, it can often be tricky to tell the difference between a legitimate request and one from a fraudster.

Luckily, finance professionals can take steps to protect themselves and the organisations they work for.

Know the typical scams targeting accounting professionals. Most accountants are aware of the risks of business email compromise (BEC) — a scam in which the scammer impersonates a company’s CFO, vendors, or other clients and uses social engineering to manipulate their target into wiring them funds or sending them sensitive information.

“A typical email might say something like, ‘Hey, so I just got notified that people are positive in my area, and we are on lockdown, so I don’t have access to my desktop, and I need you to wire money to one of our suppliers immediately’,” said Sherrod DeGrippo, the senior director of threat research and detection at cybersecurity firm Proofpoint in the US.

DeGrippo has seen an increase in email-related cyberthreats as fraudsters attempt to take advantage of the chaos, vulnerability, and anxiety of businesses and workers who are suddenly in the position of having to work from home, away from IT support.

In other common COVID-19 schemes, fraudsters impersonate the World Health Organization and send emails that include links to COVID-19 statistics, with malware embedded in the links or attachments. Cybersecurity experts have also recently seen fraudsters who impersonate a company’s HR personnel and then embed malicious code in a document attached to the email titled “Work From Home Policy”.

In any of these schemes, by taking the bait and clicking on the infected link or attachment, the victim downloads malicious software onto their computer.

“This is often easy to fix in a workplace setting, but now there is no IT desk to go over and get assistance, and workers are no longer behind the office firewall. The usual protections are gone,” said DeGrippo. “So the companies that were not already prepared to have secure remote users are now scrambling.”

Always demand multifactor authentication. Regardless of whether an email appears to be coming from an important client, a vendor, or the CFO, it’s vital that accountants use multifactor authentication (MFA) on all critical systems — for example, before changing payment details, shipping orders, or sharing sensitive information. One form of MFA can take place over email. In addition, there should be at least one other confirmation before any changes are made.

“You want to ask challenging questions that only that person would know, to verify that it’s really them,” said Hockey. “For example, you can ask them which accounts they used to use, or have them verify the last several transactions that they did with your company.”

DeGrippo recommended that companies also prioritise updating their vendor management system to ensure they have multiple points of contact, should they need it.

“You want your team to update their account details, shipping and warehouse addresses, and make sure you have at least three phone numbers for actual people that you can reach if you need to,” she said.

Train employees to practise good cyber hygiene. Financial professionals should also make sure they exclusively use their business email accounts, which are more protected than private email accounts, and should be extra vigilant and suspicious of any addresses that claim to be the “personal” email accounts of trusted vendors, clients, or co-workers. According to DeGrippo, some scammers have been trying to take advantage of the COVID-19 crisis by claiming to be clients or vendors temporarily unable to access their professional emails while working from home.

“In this particular time, it’s really important not to open attachments from people you don’t know,” she said. “Don’t click on links in emails you don’t recognise, and if you do happen to open attachments, and it says they need to enable content, absolutely do not give it permission.”

Make sure everyone is using updated software. Ideally, everyone should be using work laptops and computers that are encrypted. However, if for whatever reason employees working from home end up having to do work on personal laptops, it’s vital to make sure that the operating systems and programs are all up to date, according to DeGrippo.

“Right now, the anxiety levels are so much higher than they have ever been before in the workforce,” she said. “The social and psychological vulnerability is something that is ripe to exploit for social engineering, and criminals are really trying to take advantage of that.”

— Malia Politzer is a freelance writer based in Spain. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at Andrew.Adamek@aicpa-cima.com.