By Graeme Zwart, Head of Security
Covid-19 has caused both legitimate and illegitimate businesses to pivot. Criminals are tweaking their scams for the times. At their core, however, the scams, their delivery and pay-out methods remain similar, if not the same. We explain how to avoid falling for them.
So, so many scams involve impersonation. Criminals will pretend to be someone else, usually someone official or in authority, to trick or cheat their victims. This could be a bank, government agency or service provider. Or a colleague in a trusted department, such as HR or finance.
Delivery methods for such scams vary. They could come via e-mail, SMS or voice call. When criminals send scam e-mails, it’s known as phishing. The SMS equivalent is smishing. And the voice call equivalent is, you’ve guessed it, vishing.
Regardless of the attack vector, the aim is the same. Criminals want to steal personal and financial information to commit identity theft, make fraudulent claims or sell it to others. There are a number of ways in which this can happen.
Scammers want you to click on links or open documents that contain viruses. These viruses — or malware, literally ‘bad software’ — allow criminals to read, copy and export data from your computer. They can then use and/or sell this data to impersonate you. This can happen at work as well as at home.
Alternatively, criminals may want you to click on a link, which takes you to a genuine-looking website. You’re asked to enter or update your username or password, or confirm financial or personal details. Really, the criminals are harvesting your data so they can monetise it later.
Covid cover stories
These impersonation scams are the electronic or remote versions of old-fashioned con tricks performed face-to-face. So, they need a convincing cover story.
Con artists are good at being convincing. They’re good at adapting their cover stories, including to Covid-19. And at playing on basic human emotions: fear, uncertainty and doubt. This may be fear of missing out or displeasing the boss. Or uncertainty around particular requests. Or doubt about how company policies apply during the pandemic.
Criminals are sending fake e-mails purporting to come from government departments, offering Covid grants, council tax reductions, access to furlough funds and so on.
Criminals impersonate tax authorities. Phishing e-mails reported to HM Revenue & Customs in the UK in mid-2020 were up nearly 75 percent on the start of last year.
Scammers are conducting Covid track-and-trace frauds, claiming that you’ve been in contact with someone diagnosed with Covid-19 to phish personal information.
In a variation of office supply or procurement fraud, they’re tricking employees into ordering and paying for hand sanitiser, face masks and other PPE.
There are three main ways that criminals cash out a scam. Firstly, there’s the theft of personal or financial information for monetary gain. Secondly, there’s advanced fee fraud, where victims are asked to pay a fee upfront before receiving refunds, rebates or government assistance. Thirdly, there’s requesting a money transfer to an account controlled by the criminal, which is common in bogus boss or CEO fraud.
Tips to prevent being scammed
Be sceptical. If it sounds too good to be true, it probably is. Approach documents, transactions and deals with a questioning mind. Be wary of unsolicited approaches by phone, text or e-mail.
Criminals may already have basic information about your organisation (e.g. name, address, account details, name of senior executives). Do not assume that contact is genuine, even if they have knowledge about you and your organisation. If you are suspicious, don’t be afraid to terminate the call or say no to requests for information.
Know your business. That means how it operates, its products and services, target markets, customers and suppliers. A thorough understanding of your business will help you detect when something doesn’t look or feel right.
Stay humble. There’s no such thing as perfect security. Fraud can still happen to you. If you’re unsure about anything, take five minutes to check.
Take time to imagine how a scammer may target your business. Test the systems you currently have in place to reduce your risk. Are they adequate and up-to-date? Review them regularly. Finally, ensure that your staff are familiar with systems and have somewhere they can easily check policies.