The sudden onset of new work-from-home procedures and heightened anxiety prompted the spike, with Google recently reporting it had stopped 18 million COVID-19 themed malware and phishing emails a day, as well as more than 240 million COVID-related daily spam messages.
While many asset owners have bolstered their cybersecurity in recent years, the sudden outflow of money driven by the early release super scheme has raised the stakes.
Australians whose livelihoods were threatened by coronavirus had withdrawn more than $17.1 billion from their super funds by 21 June, according to APRA. Meanwhile, police are investigating a case of ID fraud that reportedly netted criminals up to $120,000 from the scheme, according to the Australian Federal Police.
Common attacks now include impersonating academic or government organisations to request personal data under the guise of COVID-19, soliciting donations to fake charities to help battle the pandemic, or directing targets to fake websites with health information.
It provides a stark warning to all about the ongoing risks of cybercrime and the importance of maintaining operating procedures even when facing difficult market and economic conditions.
New COVID-19 themes mask familiar cyberattack methods
The widespread lifestyle and workplace disruption—and the quick shift to working from home—has created new vulnerabilities for criminals to attack.
Cyber criminals have been sending emails or making phone calls to find out more about remote working arrangements to use in future attacks.
Many employees have had their attention drained and productivity challenged by the escalating health crisis, and for many, the unexpected impact of home schooling. Cyber criminals exploit people’s natural tendency to take procedural shortcuts in such an environment.
Business email compromise (BEC)—where cyber criminals obtain personal or financial information through email—remains a dominant method of attack. Criminals may mask a message so it appears to come from a legitimate sender or obtain control of an account owned by an employee or third-party vendor.
COVID-19 themed malicious software, such as viruses, ransomware, and spyware, is also on the rise. Within businesses, malware is often used to modify payment instructions, so money is sent to criminals.
A recent UK scam occurred shortly after the country went into lockdown. Cyber criminals sent text messages to people threatening them with immediate fines if they didn’t explain why they had left their house. The link in the message instead installed malware on their phones. Applying such time pressure is a common approach.
Another frequent strategy is to leverage social media to find personal information that can be used to initiate unauthorised payments or commit other types of fraud. That information can also be used to impersonate an employee on the phone and request system access or a company payment.
Provide greater cybersecurity support to employees
While people are slowly returning to their offices, it appears that more flexible working arrangements will become a far more entrenched part of corporate Australia. This may create ongoing cyber risks, which cyber criminals will look to exploit.
Organisations need to regularly remind employees of basic cybersecurity best practices when working remotely, for example:
- making sure home wi-fi networks are secure
- only using company-approved communications tools
- never sending work documents to personal email accounts
- keeping personal device operating systems and applications up to date
- avoiding working in public spaces where others can see your work
- never conducting business over public wi-fi.
It’s all too easy to sidestep control procedures under time pressure or in a flexible environment. Leaders should reiterate the point that tasks need to be done right rather than fast, and model good digital hygiene in their own behaviour.
Employees should also be reminded to remain vigilant when dealing with personal information and:
- continue following procedures for authenticating callers
- report suspicious activity
- approve changes to account details or transactions.
10 ways asset owners can protect their organisation
Asset owners face many of the same cyber risks as other organisations. The difference is that you present a particularly alluring target with almost $3 trillion in assets, especially as outflows continue to grow as a result of the early access scheme and a growing cohort of retirees. Here’s how you can best protect your organisation:
- Assess how money leaves the organisation
  This is crucial given billions of dollars of outflows are still occurring under the early release scheme. What controls and thresholds can protect money movement, assuming criminals get around other controls? Have you considered conducting a secondary ID check even though the ATO has approved release?
- Get an independent assessment
  Engage an experienced specialist engineering firm (not a general consultant) that understands the technical risks of enterprise architecture to complete an independent assessment of your firm’s infrastructure.
- Engage with government and law enforcement bodies
  Don’t wait until issues arise to know who your key contacts are. Build a relationship and document engagement protocols.
- Join an industry-based cybersecurity sharing forum
  Too few asset owners are members of the Financial Services Information Sharing and Analysis Center (FS-ISAC, fsisac.com), where peers can learn from each other.
- Attack yourself
  Create a red team and have them regularly attack your systems using the same techniques as cyber criminals. Consider establishing a program to harvest underground credentials and account numbers related to your organisation.
- Mandatory employee training and testing
  Establish a baseline training program for all employees and actively test them, such as how they respond to targeted phishing emails. Those who fail should repeat training.
- Enforce third party standards
  Upgrade contract provisions to ensure third parties follow the same security standards as your organisation.
- Run simulations and drills to assess capability
  Use a combination of tabletop scenario exercises and live injection of events into your security operations centre to see how it responds. Conduct regular resiliency tests to build staff preparedness.
- Implement controls for maximum effect
  Using your web filtering software is a hugely important mitigation technique. DMARC technology allows others to validate that emails are really coming from you.
- Training
  Undertake ongoing training with cyber security specialists to stay across the latest developments.
As asset owners, you have built your reputation on helping Australians secure their financial futures. Ensuring your own security has the rigour to withstand the increased cyber threats emerging from the pandemic is imperative to retain trust and membership.