The FTC has recently issued guidance regarding a spike in scams related to the current healthcare crisis. Much of this guidance relates to common scams including robocall scams, fraudulent online sales, and malicious links. While the approach to these scams is not new, their volume and theme seek to take advantage of consumer fears.
In addition to the usual types of disaster-related fraud, a recent uptick in targeted phishing attacks (spear phishing and whaling) seeking to compromise business e-mail accounts has been observed in the wild. With a record number of employees working remotely due to the current crisis, the threat of compromised e-mail credentials is greater than ever.
Strained IT teams may receive multiple requests per day to support VPN access for employees. While savvy IT support personnel are likely to identify a spoofed e-mail, credential phishing scams could result in fraudulent requests being sent through a legitimate corporate e-mail account. While some organizations may have a directory with employee photos (i.e., from security badges) that can be utilized through video conferencing for such requests, other organizations need a method of verifying the identity of individuals requesting such access or credential resets.
Businesses should rely on multi-factor verification for any request that would result in granting or elevating access to network or cloud-stored assets. The simplest factor to add for this use case is “something you have”. With a well-organized (and updated) corporate directory, this could be as simple as verifying a phone through programmatic voice or SMS. For businesses without a complete directory of mobile phone numbers for staff, verifying the possession of a government-issued ID can provide an easy method of verifying the identity of requesting staff members prior to providing access.
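One way a help desk could implement the directory-based phone check described above, as an added example that is not from the original article. The `DIRECTORY` contents, the `send` callback (standing in for whatever SMS or voice service is used), the five-minute lifetime and the three-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory; in practice this is the HR/IT system of record.
DIRECTORY = {"jdoe@example.com": "+15555550101"}
CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # guesses allowed before the challenge is void (assumed policy)

class Challenge:
    def __init__(self, code, now):
        # Store only a digest so the code is not kept in clear text.
        self.digest = hashlib.sha256(code.encode()).digest()
        self.expires = now + CODE_TTL
        self.attempts = 0

pending = {}  # requester address -> outstanding Challenge

def start_challenge(requester, send, now=None):
    """Send a one-time code to the phone on file for `requester`.

    The number is taken from the directory only, never from the request,
    so a hijacked mailbox cannot redirect the code to another phone."""
    now = time.time() if now is None else now
    phone = DIRECTORY.get(requester)
    if phone is None:
        return False  # no number on file: use another factor, e.g. an ID check
    code = f"{secrets.randbelow(10**6):06d}"
    pending[requester] = Challenge(code, now)
    send(phone, code)
    return True

def verify_challenge(requester, supplied, now=None):
    """Return True only for the correct, unexpired, not-yet-used code."""
    now = time.time() if now is None else now
    ch = pending.get(requester)
    if ch is None:
        return False
    if now > ch.expires or ch.attempts >= MAX_ATTEMPTS:
        del pending[requester]  # expired or guessed too often: start over
        return False
    ch.attempts += 1
    ok = hmac.compare_digest(ch.digest, hashlib.sha256(supplied.encode()).digest())
    if ok:
        del pending[requester]  # single use
    return ok
```

Access is granted or reset only after `verify_challenge` returns `True`; a requester with no directory entry falls through to the ID check the article mentions.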
Sadly, criminals never miss an opportunity to capitalize on crises. With preparation and due diligence, businesses can ensure that fraudulent activity does not compound the effects of such events on their security.