In recent months, many news outlets have reported that cybercriminals have intensified their activity, using the COVID-19 pandemic to rob, exploit and disrupt organizations. Their preferred instruments are phishing emails, malicious apps and websites. Law enforcement agencies assume that a company’s vulnerability increases when its employees work from home, and that detecting and responding to intrusions becomes more difficult than usual.
To understand how home-office work can facilitate cyberattacks, I recommend the McKinsey article ‘Cybersecurity’s dual mission during the coronavirus crisis’. I found its observations on the higher success rates of phishing emails and fake call-centre agents in home-office environments particularly pertinent. An office setting provides a basic form of ‘social control’: coworkers act as a ‘human protection shield’ when they talk to colleagues about suspicious emails.
Over the last 12 months, I was asked to review the controls of several finance departments that had fallen victim to business email compromise (BEC), a form of email fraud that has become one of the most frequent vehicles for social engineering.
Those investigations reveal a clear pattern: the attacker, using falsified supplier contact details, sent a specific request to an accounts payable accountant to change the supplier’s bank account details for the payment of open invoices. The request appeared genuine (company logo, company information, etc.) because the attacker had previously compromised the supplier’s database to obtain precise customer and contact details.
It is widely known that cybercriminals use publicly available information (company websites, LinkedIn, etc.) to target specific employees and trick them into revealing credentials and passwords.
Impersonation of external audit companies
Another scheme affecting finance departments is the impersonation of external audit companies. In this case, an employee receives an email, purportedly from a lawyer at the external audit firm (the email address is usually spoofed), requesting a fund transfer. That email is followed by a second forged email, purportedly from a senior executive of the employee’s own company (the CEO, etc.), confirming the urgency and confidential nature of the lawyer’s request.