Criminal acts take many forms and normally involve a violation of someone’s privacy, property, possessions or in more serious cases one’s physical well-being. Crime involving direct confrontation usually involves a threat, where an act of violence is insinuated; The criminal forces you to co-operate. Increasing consumer anxiety coupled with the shift to ecommerce, fraudsters are taking advantage of these unprecedented times. Now that crime has evolved online, criminals still need the victim’s co-operation, but violence is no longer the tool. In a world where panic is rife and the need for information is high, the digital space provides cybercriminals a massive platform of unsuspecting victims.
Between February 25 and March 25, 2020, Menlo Security identified a 25 per cent increase in the number of people clicking on malicious URLs with domain names referencing either COVID-19 or Coronavirus. From mid-March this year, more than 10,000 COVID-19 domains were being registered worldwide on a daily basis, with 35,000 being created on March 16 alone.
Of course, not all of these websites will be malicious, however Law Enforcement Agencies around the world are highly concerned that a significant number will be, and with 43 per cent of computer breaches last year being directly related to Social Engineering attacks (as shown inThe Verizon Data Breach Investigation Report), the surge in domains registered with direct links to the pandemic is likely going to see this figure significantly increase this year.
So why this sudden upsurge? The issue is that COVID-19 presents a perfect environment for cybercriminals to exploit the online world. This is where human behaviour comes into play. Unlike criminal acts in the physical world – which may employ violence to enforce co-operation, cybercriminals use social engineering to help them achieve their goals.
Social engineering is defined as the science of using social interaction as a means to persuade an individual or an organization to comply with a specific request from an attacker either through social interaction, persuasion or a computer related request.
Often a cyberattack requires a level of human co-operation to help achieve the criminal goal. This usually involves getting someone to open an attachment in an email, click onto a Web link in order to either install or download malicious code on the computer being targeted or surrender sensitive information over the phone – such as account and pin numbers. To do this the cybercriminal uses psychological methods that target parts of the human psyche that are deeply embedded across much of the population.
Social engineering-based attacks are commonplace in Kenya. Almost all Kenyans can say they have received messages from inmates trying to swindle them. But there are more sophisticated attacks being executed as well. With the prevalence of mobile money transactions and the growth of cashless payments, there are individuals who make phone calls to those they have identified as vulnerable.
They claim to be from a trusted source (Bank & Mobile network operator names are commonly used) and engage the target in conversation to get personal information such as mobile wallet pin numbers or debit card CVV code – the card’s security code, which they then use to access the victim’s finances.
The COVID-19 pandemic aka “The great pause “has presented cybercriminals with un-precedented Social Engineering exploit. Global cybercrime has not had to do much more than repurpose their normal attack techniques, by repackaging them as slick, professional looking COVID-19 related emails or websites and release them into the online world to reap revenue.
Phishing is probably the number one item that has seen a massive rise during these trying times. Society is hungry for information, or even relief, making phishing much more successful. Cybercriminals are now using fraudulent emails or websites to advertise fake Coronavirus charities or suggest they can supply anything from cures, tests or Personal Protective Equipment that will never arrive after payment. They could claim to offer Government Grants or Loans to affected businesses for a nominal arrangement fee, or suggest they are an investor wishing to engage a company in a COVID-19 related business opportunity.
Social engineering also preys on the fact the many forget that legitimate companies will never ask for their personal information, such as pins and passwords. This is information that should always be kept secret. Additionally, all legitimate entities contact customers using verified phone numbers and emails.
Striking the right balance between enabling ecommerce to control the spread of COVID-19 and managing the risk of cybercrime is critical for the sustainable growth of businesses. The actions that businesses and consumers will take to stem the prevalence of cyberattacks will determine the consumer perception of digital commerce.
Small businesses worldwide now find themselves quickly having to adapt to support customers online – and a key part of the transformation is enabling the right ecommerce tools while maintaining a safe, secure experience.
Savvy fraudsters are aware that some small businesses are inclined to relax fraud strategies as sales and risk teams may be under capacity. The weeks ahead will be critical as cybercriminals continue to attempt to exploit this window of opportunity, and businesses should create a comprehensive risk strategy now.
Stay informed. Subscribe to our newsletter
The way forward
While the massive shift to ecommerce payments continue to deliver tangible benefits to consumers, cybercriminals have also increased their focus on digital payments ecosystems. Businesses must therefore continuously evaluate the security defences in place and ensure their detection and alerting capabilities are functional always. Below are a few areas to consider in the proactive management of security in the current crisis and beyond:
1. Be Proactive About Dual Authentication: There has been a surge of multiple new accounts tied to the same underlying user profile opening concurrently. This creates an opportunity for origination fraud where an account looks legitimate after it remains dormant for some time. Ask customers to share a secondary email or mobile phone to help confirm account creation and purchases. In addition, consider reviewing the purchase history on the account.
2. Defend Against Card Testing: For fraudsters, card testing can be an effective method to verify stolen card credentials are valid – and small and medium businesses are often the target of card testing attacks. Sophisticated fraudsters now use computer-generated scripts to test thousands upon thousands of credentials at a time. Ensure your checkout and card addition pages (or any other pages where cards are validated) include technologies to detect and prevent automated scripts from submitting transactions. Some of these preventative technologies include firewalls for basic botnet detection and CAPTCHAs, a visual challenge designed to distinguish humans from automated scripts.
3. Active fraud & security monitoring: Remaining vigilant to new vectors and securing the payment infrastructure is key to supporting the transition and growth of digital payments securely. e.g. Regular scan of networks to identify gaps and potential threats, fake sites and anomalous activities outside of the normal transactions. Fraudsters will also target card-on-file models and take over both newly created and dormant accounts on file to use for fraudulent orders. A few traits to look for include multiple recent shipping address changes or a rise in older, dormant accounts placing orders.
4. Check Shipping Details: Fraudsters have started to manipulate their shipping address on the checkout page or ship goods to unoccupied houses or new buildings allowing them to pick up packages that have been left outside. Be aware of details in the 2nd or 3rd lines of the shipping addresses that might be used to reroute packages, bypassing your risk strategies or velocity rules that only look at the first line of the address.
5. Enable Contactless Deliveries: Most delivery partners now support contactless deliveries to protect both their couriers and their customers, which can lead to ‘goods not received' disputes. If you deliver your own goods, take a photo for proof of delivery to help defend against goods not received claims.
6. Customer Education: Proactive consumer education campaigns to ensure your customers are aware of the novel of social engineering schemes that fraudsters are attempting against them, from stimulus-related scams to leveraging professional networking sites for phishing purposes.
For the individual consumer – if it’s too good to be true, then it probably is and if you don’t know the source email address, then take extra care. The key is... Don't just click that link... Think!
The writer, Irene Auma, is the Director of Risk Management at Visa Kenya.