June 22, 2020 

Safe Cyber Hygiene is needed to protect oneself from the onslaught of COVID-19 Related Cybercrime

COVID-19 has fundamentally altered life in innumerable ways. The true extent of its impact remains unknown, but it will certainly reverberate in manners foreseen and unforeseen as we adapt to the new norm. One alarming adaptation that has occurred in the anti-money laundering context has been the rise of COVID-19 related cybercrime per the global anti-money laundering body, the FATF. COVID-19 related crimes have permeated the criminal underworld to the extent that it has become an entirely new source of illicit proceeds which generate substantial funds. More concerning, its intended victims are Americans with an internet connection, email address, and/or a smartphone. It is imperative to incorporate safe cyber hygiene into our daily routines while using our devices as it is the lone protective mechanism we can control in this fight against cybercrime.

            Problematically, fraud and cybercrime have already overtaken narcotics trafficking as the primary source of illicit proceeds generated globally thereby only further compounding the issue. An influx of additional, organized criminal actors has created a perfect storm scenario where cybercrime may become the new daily norm. Vulnerabilities present in the current remote, work from home environment present prime opportunities for these criminal actors to strike. It is critical for everyone to protect themselves from this ever-growing threat by proactively employing sound cyber hygiene practices.

            The FATF has warned about an exponential increase in social engineering attacks, particularly phishing and SMS text message spam campaigns. Criminals will impersonate legitimate financial institutions, credit card companies, government agencies, popular consumer sites (Netflix, Amazon), one’s employer, or even Microsoft or Google. They will replicate email addresses or websites where they will use embedded links or attachments to insert malware on one’s computer, tablet, or smartphone. Cybercriminals have become sophisticated to the extent that their phishing emails are nearly indistinguishable from legitimate emails. It is quite easy to fall victim if one is not paying close attention, which is difficult in modern life. Once malware is introduced, criminals can take control and accordingly attack any weakness in the device, its local network, the server, any connected application, and/or any other remote connection they are able to breach.

            Cybercriminals steal personal identifiable information (“PII”); such as legal name, date of birth, social security number, tax identification number, email, passwords, credit card and account information, or even biometric data in order to further effectuate various forms of financial fraud, which can drain an individual’s entire bank account.

Moreover, if one’s business details are unprotected on an infiltrated computer, then a cybercriminal can continue their attack by orchestrating a business email compromise scam. This scam, per FINCEN, is increasingly popular and occurs when the criminal actor impersonates an authorized corporate signer that has power to conduct financial affairs with its financial institution. Criminals infiltrate the corporate email account and learn the patterns and methods of communication between these authorized signers and the financial institution. They will then change the access rules to the account and send messages requesting fund transfers to accounts they control.

Even more nefarious, cybercriminals have inserted ransomware to effectively encrypt and block access to computers, tablets, or smartphones. Victims are then extorted to make payments to have access restored, which may or may not occur. Cybercriminals have even used malicious websites and mobile applications that appear to share COVID-19 related information to insert ransomware while impersonating health officials, hospitals, non-profits, and charities.

How to Stay Safe

Cybersecurity is the process of protecting one’s PII, consumer, and/or financial information by preventing, detecting, and responding to attacks. Individuals can protect themselves by physically securing important documents, shredding discarded documents that contain PII, or by taking various cyber related measures.

One can use Virtual Private Networks (“’VPNs”) when remotely accessing information on a computer, tablet, or mobile device. VPNs are encrypted tunnels that transmit data between the remote user and the network. Microsoft Office and other email providers also allow one to encrypt emails by establishing auto-rules according to various criteria.

The usage of firewalls is equally important to ensure only authorized connections can be established when setting up one’s network. Internet service providers: such as Comcast or Verizon offer firewalls and can assist with associated set up.

Another critical protection is using dual factor authentication when logging into websites or applications. Adding a PIN or text message verification to a unique username and password can prevent malicious access when one’s log in information may be compromised. Of course, anti-virus and anti-malware software should be installed on all devices, regularly run, and updated to patch any weakness.

Risky online behaviors should be avoided. Wi-fi and hotspots should be password protected because otherwise your connected device may become an open book to an enterprising criminal. Never click on any link or attachment from an untrusted source. Due to the pervasive threat of phishing, even unexpected emails or text messages from trusted sources should be verified. Independently call your financial institution, credit card company, or Amazon if you receive an unexpected, unusual, or strange communication. If legitimate, the company will be more than happy to verify as it is an opportunity to speak with their customer. Likewise, independently visit a website you may be urged to visit and do not click on any embedded link as these may be shortened URLs with hidden malicious code. Always be wary of urgency. It is a highly effective diversionary tool that can cause confusion. The rule of thumb is to err on the side of caution if you are ever unsure about potential phishing.

            Always use strong passwords (along with multi-factor authentication) and avoid using personal information or any information that can be learned from studying your social media profile. Cybercrime is a full-time job for many so they will put in the time to try and figure out one’s password. Long, complex passwords should be chosen that are a mix of letters, numbers, and special characters. It is possible to set this up in a way where it is easy to remember. For example, A! P@c!n@ !972 is a strong, complex password that’s easy to recall for movie buffs as Al Pacino appeared in The Godfather in 1972. Passwords should never be shared, stored in an easily identifiable place, nor used on multiple applications. Passwords should be periodically changed to remain effective and stay one step ahead of cybercriminals.

            The success of FSTC begins with a relationship of trust between us and our clients. We take confidentiality and privacy very seriously. We receive regular cybersecurity training and limit the collection of client information to the minimum requirements to deliver superior service while remaining compliant with applicable laws and regulations. We maintain physical, electronic, and procedural safeguards reasonably designed to protect your nonpublic personal information. We are committed to the protection of our client’s data.

FSTC conducts call backs to authenticate all client transactions regardless of amount. Common successful phishing tactics often result in testing small, nominal transactions prior to escalation when initially engaging with a financial institution. Authentication practices serve as a strong preventative mechanism. This option along with automatic account alerts is something one can also request from their financial institution or credit card company.

            Lastly, FSTC uses the KnowB4 software, which replicates real phishing emails one is likely to encounter within various categories. It is a highly effective learning tool that Compliance regularly tests at the highest difficulty level to ensure we remain diligent.

By: Michael McElwee, Esq.

           

The posts expressed are views of FSTC and are not intended as advice or recommendations. For informational purposes only. FSTC does not offer tax or legal advice, professional counsel should be sought for tax or legal advice.