KPMG: Hackers exploiting global uncertainty during Covid-19 pandemic


With the increasing use of technology, especially access to the internet and social media, and employees working from home, cybercriminals are taking advantage of the global uncertainty during the Covid-19 outbreak.

Globally, the outbreak of Covid-19 poses a challenge to many businesses, also impacting information security as ill-wishing threat actors actively seek to exploit the situation.


Tan Kim Chuan, Head of Forensic at KPMG Malaysia, said that at present everyone is heavily reliant on their laptops or mobile phones for everyday needs such as online banking, shopping or donating to causes and charities, which gives cybercriminals an opportunity to take advantage of.

“Those with ill intent are playing on the uncertainty of the situation coupled with isolation from social distancing to spread fake news and trick people into divulging their online banking details,” he pointed out, adding that with just one careless step someone can become a victim of fraud and lose more in what is already a difficult situation.

An increase in COVID-19 themed phishing lures, high-risk fake domains and scams proves that cybercriminals are changing their modus operandi in order to manipulate fear and target individuals and businesses in a variety of ways.

According to CyberSecurity Malaysia, an estimated 838 incidents were reported from the start of the Movement Control Order on March 18 up till April 7, with most of the incidents involving fraud, intrusion and cyberharassment.

In March 2020, it was reported that the authorities had opened 393 investigation papers (IPs) involving online sales of face masks as well as fraudulent withdrawals of Employees Provident Fund (EPF) savings with total losses incurred reaching RM3 million.

And, on April 2, Malaysia’s National Cyber Security Agency (NACSA) was informed of a malicious Android mobile app and a fraudulent website claiming to be from the Perdana Menteri’s Office to trick victims into submitting their internet banking details.

The app also had the capability to read mobile phone SMSes, which could be used to steal victims’ online banking credentials and TAC codes.

According to Tan, cybercrimes and scams have been successful because of their simplicity, and preventing such incidents does not require complicated countermeasures.

Some practical and logical preventive steps include:

  • Don’t install applications from untrusted sources. Look out for official announcements and only install apps from the Google Play or Apple App Store.
  • Beware of freeware video conferencing apps. Some of these apps were developed for ease of use, rather than with security and privacy features enabled by default. Require passwords for all meetings, never share your meeting IDs and enable waiting rooms to prevent any unwanted ‘bombers’.
  • Never click on unverified links in emails or text messages.
  • Do not open untrusted attachments.
  • Verify the legitimacy of sources before responding to any text message or voice calls asking for personal or sensitive information.
  • Report any related incident to the proper authorities via https://www.mycert.org.my/.

Organisations and individuals need to remain vigilant to protect themselves from these types of crisis and must ensure the preventive steps are in place.

“With the abrupt transition to remote working as a result of the enforced Movement Control Order (MCO), companies are rolling out new remote working and cloud infrastructure at pace and are forced to implement ad-hoc security models and approaches to secure that infrastructure.

“Yet on the other side, we also observe how organised crime have responded rapidly to the crisis by orchestrating large scale campaigns to defraud customers and businesses,” Tan explained.

Hence, as an immediate measure, companies should focus on embedding pragmatic remote working security controls to deal with COVID-19 themed threats.

To protect their business and remain resilient, companies should educate and provide a mechanism for employees and third-party contractors, and also deploy cloud-based solutions to prevent and detect phishing attempts.

For more insights, visit the KPMG microsite Embedding Resilience: The Business Implications of Coronavirus.
