TheWall: Protect yourself against Covid-19 scams

This article first appeared in Personal Wealth, The Edge Malaysia Weekly, on May 18, 2020 - May 24, 2020.


The Covid-19 pandemic has wreaked havoc on many lives and businesses as well as brought the global economy to a near halt. But for criminals preying on people’s fear and anxiety, the uncertainty spells opportunity. To combat their ruses, individuals need to take steps to beef up their digital security and protect their personal information, say experts. 

The pandemic has made us even more dependent on our internet connection to work, communicate and go about our daily lives. As a result, it has become easier for many to fall prey to cybercrimes, including fake news and pranks. 

Endless emails and forwarded messages promising free Netflix subscriptions, a plot to sell the world’s largest statue — the Statue of Unity — for US$4 billion, phishing attacks impersonating health officials and face mask scams are just the tip of the iceberg.

“As more people stay indoors and work from their digital devices, there are greater opportunities for offenders to scam people into parting with their money by exploiting the fear and uncertainty caused by the Covid-19 pandemic,” says Wong Sue Wan, financial services partner at Wong & Partners.

Social engineering attacks have become easier in the global chaos, with more people falling for simple tricks, and cybercriminals are well aware of this. Cybercriminals are banking on the Covid-19 situation with tactics such as phishing, malicious software (malware) and ransomware, says Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky, a multinational cybersecurity and anti-virus service provider.

As these criminals are well aware of the panic surrounding the pandemic, they leverage those fears to exploit users, says Jason Yuen, partner and cybersecurity leader at Ernst & Young Advisory Services Sdn Bhd. “Viruses and other malware have existed since the beginning of computer technology. While trends have changed over time and different malware has had significant impact over the years, the most common continues to be Trojan malware such as Zeus and its variants, bitcoin and other crypto-mining malware such as CoinMiner as well as ransomware such as Cerber.

“Malspam or malware spam, which is transmitted via email, continues to be the most significant source of infections. Malspam can include specific malware embedded directly in the email or contains links that trick users into visiting malicious websites or downloading malicious software. These may include emails that contain special offers or discounts and other specifically crafted emails with links to fake banking or government websites.”

Cybercriminals have spent a lot of time and effort creating software and tools to exploit computer users, says Yuen. “A keylogger is one such software, which is used and heavily featured in the Zeus malware. What a keylogger does is stay in the memory and record the actual keystrokes, which are the keys you press on the keyboard, to capture sensitive information such as your account login details and passwords. Keyloggers can be designed to only record your keystrokes upon certain conditions such as when you go to your internet banking website or access your email account.”

Last month, a hospital consultant in Kuantan, Pahang, lost RM63,465 from his savings account after sharing his personal banking information on a fake Bank Negara Malaysia website, purportedly acting on the instruction of an individual supposedly with the Malaysian Anti-Corruption Commission and the police. In another case, two people in Penang lost RM41,920 in a scam when they tried to buy 700 boxes of face masks after seeing an advertisement on Facebook.

“Two years ago, our analysts discovered malware that read and stole messages from apps such as WhatsApp. The malware allowed the hackers to connect the device to WiFi networks, take control of the device and collect and analyse traffic, which includes sites visited as well as logins, passwords and credit card details,” says Yeo.

In another instance last year, Kaspersky found spyware FinSpy installed on devices through a message sent to phones, especially if the phone is using an outdated version of Google Android. The attack allowed access to unsuspecting victims’ locations and messages, among other things, says Yeo. “While these discoveries are from the past, attackers are actively looking for the next opportunity to strike. It is better to stay safe than sorry.”

He says these scams mainly spawn from legitimate concerns and information such as government orders, cash reimbursements from the government or employer, promise of a vaccine, offerings for home test-kits, impersonation of medical institutions and staff, charity and donations, virus infection-tracking apps for mobile, investment offerings, medical supplies that are in high demand such as face masks and sanitisers and government financial support initiatives.

“Phishing is especially dangerous for employees of companies that sell goods because emails with delivery requests or orders are run-of-the-mill. Even someone trained to spot a fake can sometimes struggle to determine whether a message is a phishing attempt or a legitimate order from a client,” says Yeo.

“Therefore, the number of convincing yet fake emails keeps growing. They are not encountered as often as traditional malicious spam because they are designed for a specific purpose and are sent to targeted addresses.

“In these past few weeks, scammers have been exploiting the coronavirus outbreak to give their missives extra credibility. The emails often cite virus-related delivery problems, prompting the recipients to wonder what delivery they are talking about. 

“In other cases, attackers use the pandemic to press the need to process a request urgently because their usual partners cannot deliver goods in time. Whatever the case may be, the goal is to get the victim to open a malicious attachment. Standard tricks are used as a pretext, usually involving a request to check shipping details, payment data, an order or product availability.”

Fake news is another problem compounding the issue of cybercrimes. Lies and tall tales have been a problem since the beginning of time, but the internet and the speed and channels of distribution available have made this a global concern, says Yuen. 

“The motivations behind the creation and spreading of such news are complex. For example, we have seen feel good-type messages in circulation that have been falsely attributed to famous people. While people may like the message, the information provided is false. I think a good example in our Malaysian context would be the famous Lin Dan and Lee Chong Wei letter,” he adds. 

Other motivations include fun or just the desire to perform a prank, says Yuen, while the more serious motivations could include attacks against specific individuals, groups, organisations or even countries. “Fake news has been used to influence public opinion. This has been seen when politics and general elections come into play.”

Steps to take

There are several things people can do to avoid falling victim to such scams, say experts. Yeo points out that it is particularly important to pay attention to the source and validity of information before sharing or acting upon it.

Kaspersky researchers have detected a seven-year-old malware in Vietnam and some Asia-Pacific countries that has been resurrected through automated behaviour and made relatable just by adding “hot phrases” related to Covid-19, he says. “We have already seen incidences of incorrect health advice on anti-inflammatory drugs circulating on various media, including WhatsApp and social networks as well as on valid online news sites, which have only added to the panic and chaos. The proliferation of fake news will only slow and confuse government efforts to disseminate helpful and essential information or advice.”

Yeo also highlights the importance of having reliable security solutions. “Ensure that [the security software] is regularly updated and uses up-to-speed databases. If not, it can be difficult to determine whether an email attachment is harmful, especially Microsoft Office documents.”

Wong says it is essential to be vigilant at all times and consider practising good cyber hygiene such as carrying out basic due diligence on the sellers or providers of goods or services before making a purchase and avoiding clicking on links or attachments in unexpected or suspicious emails or messages. She also warns against responding to unsolicited requests, messages or phone calls that ask for personal data and encourages people to keep their devices and passwords secure, including reviewing the privacy and security settings on social media networks and checking their account statements regularly to spot any unauthorised transactions.

Engaging in a healthy amount of scepticism and practising discernment are some of the best ways to prevent falling for scams, says Yuen. “Law enforcement will not deal with you via email. Your bank will not suddenly ask you to handle suspicious transactions over email. For example, if you receive an email saying that your account has been compromised and you need to reset your password, the first thing you should do is verify the email address from which you received the email. 

“Cybercriminals often conceal the email address in similar emails that are not authentic. For example, you may receive an email from Google saying that your email has been compromised. If you check the source, instead of coming from Google.com or Gmail.com, it could be something like [email protected]. Another tip is to look at the reset password link. In general, it is safer for you to directly type in the link, such as going to Gmail directly, than to use the link provided in the email.

“For financial and banking-related transactions, my advice is that if it is an emergency or anything important such as a fraudulent transfer of funds, go to your bank physically. If you need to call the bank, use its official number, which you can obtain from its website. Never call the number that the email provides as scammers often set up call centres to pretend to be the bank or another organisation, including law enforcement.”
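The two checks Yuen describes, the sender's real address and the host behind a reset link, can be automated. The following is an added example, not part of the original article: the trusted-domain list, the sample message and the function names are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the recipient expects this sender to use.
TRUSTED_DOMAINS = {"google.com", "gmail.com"}

# Constructed sample message (not a real email); example.net is a placeholder.
SAMPLE = """\
From: "Google Security" <no-reply@accounts-google.example.net>
To: user@example.com
Subject: Your account has been compromised
Content-Type: text/html; charset="utf-8"

<p>Reset your password now:
<a href="http://accounts-google.example.net/reset">https://accounts.google.com/reset</a></p>
"""

def in_trusted(host):
    # Exact match or true subdomain only, so "google.com.example.net" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkCollector(HTMLParser):
    # Collects the real href targets, ignoring the text shown to the reader.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def check_message(raw):
    # Returns a list of findings for a single-part HTML message.
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))  # drop the display name
    domain = addr.rpartition("@")[2]
    findings = [] if in_trusted(domain) else [f"sender domain not trusted: {domain}"]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.links:
        host = urlsplit(href).hostname
        if not in_trusted(host):
            findings.append(f"link host not trusted: {host}")
    return findings
```

A clean result here does not prove a message is genuine, because the From header itself can be forged; it only catches the mismatches described above.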

Prevention is certainly better than cure in these circumstances as there is no clear legal recourse for victims of phishing scams, says Wong. “Ultimately, it will hinge on how the deception or fraud may have occurred and whether it is possible for the authorities to trace the perpetrators and act, if applicable.” 

All is not lost though. There are some immediate measures that one can take to avoid exacerbating the problem, she says. “Victims may lodge a report with the relevant authorities, which could allow for the offender to be traced, contact the financial institution to request a halt to transactions and change their passwords if their devices or accounts have been hacked or infected with a virus.” 

Citing data provided by Kaspersky Security Network, Yeo says there were fewer threats reported in the first quarter of this year compared with last year. “While there has been a decline in detected cases, the threats are still there. The upside is that, as we become more dependent on the internet, we are also becoming more aware of the dangers. This shows that Malaysians are becoming more aware of the need for cybersecurity.”