COVID-19 Crimes of Fraud Part One: Target – Companies
By TorchStone Vice President, Bill Whiteside
As COVID-19 (coronavirus) continues to impact the health of the world, we need to be vigilant about the continuing and increasing risk of scams and frauds, such as identity theft, that are adding to our current health and economic fears.
With the United States and most of the world in an unprecedented public health emergency, white-collar crime has increased considerably. The COVID-19 pandemic and the resulting economic fallout have created a wave of overt criminal activity such as price-gouging and insider trading and have stretched the already overburdened resources of state and federal law enforcement.
Over the past few months, federal and state prosecutors have launched numerous criminal cases accusing people of taking advantage of the COVID-19 pandemic. Under the Defense Production Act and other relevant laws, prosecutors have stepped up efforts to combat price-gouging and hoarding of key supplies such as masks and other personal protective equipment, and a number of criminal cases have been brought against individuals as part of the nationwide crackdown. Healthcare and Payroll Protection Program frauds, offenses under the False Claims Act, have also seen a dramatic increase during this time.
Securities fraud, insider trading and other white-collar crime have also been on the rise, and senators in both parties have been the focus of federal insider trading investigations under the 2012 STOCK Act (Stop Trading on Congressional Knowledge Act). The U.S. Securities and Exchange Commission’s Enforcement Division warned that, given the current situation with COVID-19, there has also been an increase in corporate insiders illegally profiting from nonpublic information.
While most law-abiding citizens have been focusing on staying healthy, others have seen the coronavirus as a criminal opportunity. Criminals have been busy exploiting the health and economic situation by defrauding government agencies and corporations through price-gouging and insider trading, and by stealing the identities and personal information of individuals through scams such as social engineering. While this covert theft is not well publicized, flashy, or exciting, identity theft is now among the biggest concerns related to cybercrime.
The Federal Trade Commission (FTC) recorded more than 3.2 million fraud cases in 2019; identity theft accounted for 20.33% of the cases and was the most common type of fraud. The Equifax data breach in 2017 exposed the sensitive personal information of approximately 147 million U.S. consumers, making it one of the largest data breaches in history, and the 2019 Capital One data breach affected approximately 100 million U.S. consumers. The individual identity thefts that resulted from these two breaches are still not fully known.
Examples of High-Profile Criminal Activity:
- A New Jersey car salesman who sold price-gouged masks and a New York City man who tried to get millions in COVID-19 relief loans were arrested.
- A Georgia man was charged with wire fraud after allegedly lying to his employer about testing positive for COVID-19, which cost the Fortune 500 company about $100,000 after it needlessly stopped business.
- Manhattan federal prosecutors brought charges against a Chinese national who allegedly tried to obtain $20 million in government-backed loans that were earmarked for small businesses affected by coronavirus.
- On June 08, 2020, the 3M Company filed its latest trademark lawsuit over price-gouging on N95 masks during the COVID-19 pandemic, suing an Amazon vendor in Los Angeles federal court for selling fake masks at more than 20 times the list price. 3M also accused Mao Yu and several affiliated companies of using “bait-and-switch tactics” and other deceptive behavior to sell more than $350,000 worth of the questionable masks to unsuspecting Amazon users. The case against Yu is a more traditional trademark case, accusing him of using 3M’s name and logo to sell outright counterfeit masks. The lawsuit was the result of collaboration between 3M and Amazon.
Most states now have some kind of Coronavirus Fraud Working Group made up of members of the U.S. Attorney’s Office, the State Attorney General’s Office, the U.S. Department of Labor Office of Inspector General, the United States Secret Service, the U.S. Postal Inspection Service, the Federal Bureau of Investigation, the Social Security Administration Office of Inspector General, and, in some states, a dozen other federal law enforcement agencies.
Proactive Security Tips to Protect Companies:
Criminals design new attack scams every day that take advantage of the COVID-19 pandemic. Phishing is still one of the most effective methods that attackers use to compromise accounts and gain access to company data and resources. Phishing attacks use email or malicious websites to solicit personal data that often contains valuable financial and medical information. A popular ruse is an email that appears to come from a legitimate credit card company or financial institution and requests account information while you are at the office or working from home, often suggesting that there is a problem the sender needs to rectify. This scam catches victims off guard, especially during this troubling economic period when potential victims have other things on their minds.
One should not accept email requests to donate money to international organizations such as the World Health Organization (WHO) or the International Red Cross. Accepting such a request by clicking on “Give” could infect your computer with malware by downloading files that install backdoors into your company’s systems.
Verify a charitable organization’s authenticity before you donate. Visit the Federal Trade Commission’s (FTC) website to learn how to verify a charity.
Preventive security software helps block these emails, but companies also depend on their employees to be on the lookout for crafty criminal attacks designed to steal information. Companies must recognize the need for email domain authentication to improve security and prevent fraudulent emails from reaching employees.
With employees working from home, the risk of phishing attempts increases. These attempts target organizations impacted by stay-at-home orders. Phishing and malware are not new; they have just been updated to exploit the changing business environment during COVID-19. Criminals know there will be more casual internet browsing during these slow business days at home. Security software can identify known dangerous sites by flashing a warning banner on your screen before you download dangerous files, so let’s quarantine the criminals with programs that identify unusual attachments, malicious scripts and code, and fraudulent sites, and reroute them to quarantine or spam folders before they reach your inbox.
These security controls can:
- Scan linked images and identify links behind shortened URLs
- Protect against messages where the sender’s display name matches a name in your company directory but the email address is not from your company domain, a method of fraud used in social engineering
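As an added illustration of the second control above (this is example code written for this page, not TorchStone’s or any vendor’s product), the following Python script inspects a raw email message and flags the display-name trick: a From header whose name matches an entry in the company directory while the address belongs to another domain. It also reads the Authentication-Results header (RFC 8601) that a mail gateway stamps on inbound messages, reporting any SPF, DKIM or DMARC result other than “pass”, and flags links that point at URL shorteners, which hide the real destination from the reader. The company domain, the directory names, the shortener list and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions constructed for this example: the company's own domain,
# a few names from its staff directory, and link shorteners to watch for.
COMPANY_DOMAIN = "example.com"
DIRECTORY = {"Jane Doe", "Pat Lee", "Chris Park"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize_name(name):
    """Lower-case and collapse whitespace so 'jane  doe' matches 'Jane Doe'."""
    return " ".join(name.lower().split())


def analyze_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display-name impersonation: a directory name on a non-company address.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    directory = {normalize_name(n) for n in DIRECTORY}
    if normalize_name(display_name) in directory and sender_domain != COMPANY_DOMAIN:
        findings.append(
            f"display-name impersonation: '{display_name}' sent from {sender_domain}"
        )

    # 2. Domain authentication results as stamped by the receiving gateway.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    # 3. Links whose real destination is hidden behind a shortener.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides destination: {url}")

    return findings


# Constructed sample: a directory name used on an outside domain, SPF passes
# for that outside domain, no DKIM/DMARC, and a shortened link in the body.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@mail-example.net>
To: staff@example.com
Subject: Urgent: confirm your account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-example.net; dkim=none; dmarc=none header.from=mail-example.net
Content-Type: text/plain; charset=utf-8

Please confirm your account at https://bit.ly/abc123 before end of day.
"""

# Constructed sample: the same colleague writing from the company domain.
SAMPLE_CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Team meeting moved to 3pm
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Agenda is on the intranet at https://intranet.example.com/meetings/today
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, analyze_message(sample) or ["no findings"])
```

Note that SPF passing is not reassuring on its own: the attacker controls mail-example.net and can publish a valid SPF record for it, which is exactly why the directory-name check and the DMARC result for the visible From domain matter more than the SPF line. A gateway rule built on these findings would quarantine the first message and deliver the second.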
Commercial security software is very good, but companies must continue to educate their employees on the ways of the hacker and to report any contact that seems suspicious. Have your employees sign monthly IT department training notices and advisories to reinforce the seriousness of protecting company data, while reminding them that their personal data is also in company files and that it is their combined responsibility to protect company and employee data.
Social engineering is an old and reliable form of stealing information that uses lying, misrepresenting facts, impersonating authorized personnel or third-party personnel, conning, etc., to get the intelligence needed to launch a cyber-attack or commit some cyber fraud. These attacks usually start as a low-level, seemingly innocent email, phone call or face-to-face meeting with a supposed salesman.
Example: an email notice received on your office or home-office computer: “Please temporarily change your password to ‘RGh67V8&K@4’ so that we can judge the severity of an identified system intrusion. We will notify you when the problem has been taken care of. Thank you for your help in this matter.” Signed “System Administrator.”
- Intelligence that hackers gain from such attacks often leads to big losses for companies
- Technology cannot always prevent social engineering attacks. Firewalls, encryption and intrusion detection may all be helpless against it. Only the employee stands between the hacker and the information they are looking for in a social engineering attack
If someone says they need your password, they are lying. Do not give it to them. It is that simple, but people are conned every day and provide damaging corporate information to criminals. There are other kinds of information that are so sensitive that you should know not to give them to anybody you do not know, for example executive contacts, financial information, strategic plans, etc.
Tell-tale signs to help alert you to the possibility of a social engineering attempt:
- Reluctance to provide contact information: Verify the identity of the person asking for information. Ask for a number at which you can call them back. The person on the other end of the line may be in a rush. Do they also push you too hard for information?
- Name-dropping: Remember, a social engineer might have a copy of your organization’s executive directory that they obtained from another employee. They might not use something as obvious as the name of a manager; instead, they might use an executive’s spouse’s name to add validity and importance to the request
- Intimidation: Is the caller bullying you? Has your job been threatened? They might say, “I’ve been transferred four times, let me have your name; if you don’t help me, I will report you”
- Small mistakes: Listen for mispronunciations of business terms or employee names, misnomers, odd questions, and other blunders
Combat Social Engineering:
- Do not give out information about other employees, for example names, staff positions, travel data, locations, or telephone numbers, particularly if they are company directors or information systems personnel. Instead, take a message and route it to the appropriate persons in both the IT and security departments.
- Don’t discuss computers, software or communications equipment with those identifying themselves as vendor support for hardware or software, or as representatives of survey companies, personnel agencies or other outside services, unless you know them or can verify their identities and their need to know.
- If you feel you have thwarted an attempt at social engineering, report the incident to the appropriate persons in both the IT and security departments.
- If you feel you have been tricked (even in the past), do not hope that the problem will just go away. Report the incident immediately to the appropriate persons in the IT and security departments. Do not wait to see if anything bad happens before you report the incident.
- Do not accept free memory devices (flash drives, thumb drives), as they may carry an embedded program that steals or damages your computer files or your whole system. This dangerous scam of sending free memory devices still goes on and is very successful.