Digital heists are playing off the global pandemic

Financial services is among the industries most targeted for digital attacks, so every financial services organization’s priority is to protect consumers and their financial information, which in turn protects their own revenue and reputation.

Public platforms like social media, websites and mobile apps are providing new vectors on which to host attacks. Attackers are preying on the panic surrounding the coronavirus using both new and time-honored techniques of fraud and impersonation.

Phishing – a method in which attackers try to electronically collect personal information using false emails or websites – has notably surged during the global pandemic. With unemployment and economic anxiety rising, criminals impersonating banks are making sham offers of help with bills or credit card debt. By posing as an authorized institution, attackers trick victims into clicking on a malicious link or attachment, or willingly disclosing confidential information.

Our research at ZeroFOX identified more than 440,000 phishing domains in the last twelve months, almost twice the number identified last year, with more than 75 percent of those domains hosting live content. These false websites work to trick individuals into thinking they are entering a real banking site, but in reality, they are being redirected to an illegitimate website.

As cybercriminals continue to refine their techniques, it is imperative that financial institutions educate their workforce and customers on how to spot phishing attacks and how to prevent them, especially during this time of uncertainty. Some signs of phishing include “too good to be true” offers, emails threatening account shutdown, and emails with unexpected attachments. Implementing measures such as email filtering and two-factor authentication can also help protect against these attacks.

Fraudulent mobile apps

To comply with COVID-19 orders, financial institutions are encouraging customers not to visit branches and sending advisories via email telling them to use the bank’s mobile app. However, cybercriminals are creating malicious copycat applications that look like the banking and finance apps they are impersonating, in the hopes of deceiving victims into mistakenly downloading them. Recently, researchers from IBM Security reported that a fake Android app was imitating Brazilian banks with the sole purpose of stealing users’ login credentials and gaining access to their money.

Just because an app is in Apple’s App Store or in the Google Play store does not mean it is legitimate. Organizations need to inform customers of how to avoid and spot fake apps to ensure their devices and data are safe.

Financial services companies and security teams can also monitor for and track fraudulent apps. Vigilance also falls on the consumer, who can check for misspellings in the name and description of an app, or look to see if the logo looks different from that of the official organization. Mobile users should also inspect reviews. Popular apps – especially those of financial institutions – have been around for a while, so an app that appears to be recently published should raise a red flag.
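For security teams doing that monitoring, the same red flags can be checked automatically. The Python sketch below is an added example, not ZeroFOX tooling: the brand, publishers and listings are constructed, and the known official publisher and the thresholds (name similarity 0.8, 90 days, 100 reviews) are assumptions to tune.

```python
import re
from datetime import date
from difflib import SequenceMatcher

# Hypothetical brand and constructed store listings (no real apps or publishers).
OFFICIAL = {"name": "Example Bank Mobile", "publisher": "Example Bank N.A."}
LISTINGS = [
    {"name": "Example Bank Mobile", "publisher": "Example Bank N.A.",
     "published": date(2014, 3, 1), "reviews": 182000},
    {"name": "Exampel Bank Mobile", "publisher": "FinApps Studio",
     "published": date(2020, 4, 20), "reviews": 12},
    {"name": "Example Bank Mobile", "publisher": "QuickFin Dev",
     "published": date(2019, 1, 10), "reviews": 4000},
    {"name": "Pocket Budget Planner", "publisher": "Budget Tools Ltd",
     "published": date(2020, 5, 1), "reviews": 30},
]

def normalize(name):
    """Lower-case and drop punctuation/spacing so cosmetic changes do not hide a match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def assess(listing, today, min_similarity=0.8, new_days=90, min_reviews=100):
    """Return the list of red flags for one listing ([] means nothing to report)."""
    if listing["publisher"] == OFFICIAL["publisher"]:
        return []  # assumption: the official publisher account is known and trusted
    ours, theirs = normalize(OFFICIAL["name"]), normalize(listing["name"])
    if SequenceMatcher(None, ours, theirs).ratio() < min_similarity:
        return []  # name is not close to the brand: treat as an unrelated app
    flags = ["lookalike name" if ours != theirs else "brand name, unknown publisher"]
    if (today - listing["published"]).days <= new_days:
        flags.append("recently published")
    if listing["reviews"] < min_reviews:
        flags.append("few reviews")
    return flags

def triage(listings, today):
    """Return (publisher, flags) for every listing that raised at least one flag."""
    results = [(item["publisher"], assess(item, today)) for item in listings]
    return [(publisher, flags) for publisher, flags in results if flags]

if __name__ == "__main__":
    for publisher, flags in triage(LISTINGS, date(2020, 5, 15)):
        print(f"{publisher}: {', '.join(flags)}")
```

A flagged listing is a lead for an analyst to review and, if confirmed, report to the store for takedown; the logo comparison mentioned above still needs a human or an image-matching step.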

Financial fraud and scams

Cybercriminals are taking advantage of the coronavirus by promoting a variety of financial scams on social media. Our research indicates that such scams may be up fourfold compared to a year ago.

One of the most popular of these scams, called money flipping, involves scammers alleging that they can transfer supposedly unclaimed funds if a banking customer hands over their login information. Offers like these prey on financially vulnerable individuals by promising a portion of the funds and assuring them that there will be no legal repercussions since they are solely a temporary “middleman” in the transaction.

Another scam method, known as money muling, involves a scammer convincing a victim to act as a middleman for an illegal funds transfer. Scammers launder ill-gotten gains by accessing victims’ personal and financial information and then using those victims to move the money for them.

The FBI recently reported that scam artists are taking advantage of the coronavirus outbreak to create a new pool of potential victims – job seekers. With the pandemic dragging down the global economy, many who are out of work are turning to digital platforms to find job postings. Fake job listings are being used to convince victims to illegally transfer funds.

To help mitigate these scams, financial institutions should monitor and remediate money muling lures on social media channels. Social media platforms are frequently used in making first contact with potential victims. Additionally, organizations can develop education for employees on recognizing the signs of a money muling scam, like job postings that sound too good to be true or involve the transfer of funds.

The COVID-19 crisis and the reliance on social, mobile and digital channels by consumers and organizations have created a prime opportunity for cybercriminals. Financial institutions must take every measure possible to prevent and disrupt these attacks to protect themselves and their customers.

Zack Allen is director of threat operations at ZeroFOX.