Being Cyber Aware in the Age of COVID-19
April 8, 2020
Category: Cybersecurity, COVID-19
Within the past two weeks, both the Washington State Office of Cybersecurity and the Federal Bureau of Investigation (FBI) have warned of a meteoric increase in COVID-19 cyber scams targeting local governments.
Cyber criminals are taking advantage of any opportunity to steal money, employee information, or both. Right now, they are using the uncertainty surrounding the COVID-19 pandemic to victimize staff who are performing their duties under very trying conditions. WaTech's Office of Cybersecurity Allocation is monitoring all COVID-19 scam activity and will share the latest news, updates, and resources via its COVID-19 support page.
It has become commonplace for local governments in Washington to receive scam emails that appear to be legitimate requests for funds transfers. In the current climate, these types of frauds have targeted public agencies purchasing personal protective equipment or other supplies needed in the fight against COVID-19. These crude schemes started popping up as the first cases of the virus were discovered in the state. As the COVID-19 crisis stretches on, we can expect more sophisticated, higher-risk attacks that may be cloaked in COVID emails purporting to be from FEMA, the CDC, or other pandemic-related sources of information for local governments.
Cybercriminals are ingeniously adaptable, morphing from one scam to another as targets become aware of and prepared for the prevailing fraud du jour. For local governments in Washington, the last months of 2018 brought an onslaught of CEO impersonation emails in the form of requests from a mayor, county manager, or other executive staff to buy gift cards or make urgent wire transfers. In 2019 this morphed into payroll diversion scams with seemingly legitimate emails from staff members requesting changes to the routing of their direct deposits.
Within the past few months the City of Ellensburg, Benton County, and several other mid- to large-size local governments in Washington have been hit by vendor email compromise (VEC). VEC is where the public agency receives an email invoice that looks exactly like one from a known vendor requesting that the invoice payment be routed to a new bank account. The successful fraudsters impersonate contractors who have been awarded large municipal construction contracts, resulting in fraudulent invoice payments of hundreds of thousands of dollars each. Fortunately for both Ellensburg and Benton County, fast action by the receiving banks to identify suspicious activity and freeze the accounts prevented the cyber thieves from withdrawing all of the transferred funds.
Not only do these cyber scams morph, but the targets do as well. A scam that may have targeted the City of Seattle three years ago will make its way to jurisdictions the size of Kent within another year, and then show up in Sultan or Gold Bar the following year.
What You Can Do
Why do these types of attacks work? Well, the truth is that the success rate of the more commonplace email scams is 1-4%. Cybercriminals are persistent, and it doesn’t take much effort to broadcast fraudulent emails. As cybersecurity professionals well know, the weakest link in the security chain is the human who accepts a person or scenario at face value. In times of stress or crisis, any one of us could be that human who, while wading through dozens of emails in search of mission-critical information, quickly clicks on a compromised link from what looks like a trusted source.
To protect yourself from COVID or other email compromise fraud, the FBI advises you to be on the lookout for the following red flags:
- Unexplained urgency.
- Last minute changes in wire instructions or recipient account information.
- Last minute changes in established communication platforms or email account addresses.
- A sender communicating only via email and refusing to communicate via telephone or online voice or video platforms.
- Requests for advanced payment of services when not previously required.
- Requests from employees to change direct deposit information.
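As an added illustration (not part of the original article or any FBI or MRSC tool), the sketch below shows how an accounts payable workflow could apply several of these red flags to a vendor payment request before money moves. The vendor record, field names, urgency terms, and the hold/review/release outcomes are assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed vendor master record: details captured when the contract was awarded.
VENDOR_MASTER = {
    "V-1001": {"email_domain": "examplepaving.example",
               "bank_account": "000111222-9876543"},
}
URGENCY_TERMS = ("urgent", "immediately", "asap", "today", "right away")

@dataclass
class PaymentRequest:
    vendor_id: str
    sender: str           # address the invoice or change request came from
    bank_account: str     # account the request asks to be paid into
    body: str
    voice_verified: bool  # assumption: staff reached the vendor by telephone

def red_flags(req: PaymentRequest) -> list[str]:
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["vendor not on file"]
    flags = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if domain != vendor["email_domain"]:
        flags.append("sender address differs from address on file")
    if req.bank_account != vendor["bank_account"]:
        flags.append("recipient account changed")
    if any(term in req.body.lower() for term in URGENCY_TERMS):
        flags.append("unexplained urgency")
    # A change that has only ever been discussed over email is itself a flag.
    if flags and not req.voice_verified:
        flags.append("change communicated by email only")
    return flags

def disposition(req: PaymentRequest) -> tuple[str, list[str]]:
    flags = red_flags(req)
    # Never release funds to a new account on the strength of email alone.
    if "recipient account changed" in flags and not req.voice_verified:
        return "hold", flags
    return ("review" if flags else "release"), flags

if __name__ == "__main__":
    # Constructed request resembling the vendor email compromise pattern.
    suspicious = PaymentRequest(
        "V-1001", "ar@examplepaving-co.example", "000999888-1234567",
        "Our bank has changed. Please pay to the new account today, this is urgent.",
        voice_verified=False)
    print(disposition(suspicious))
```

Keyword matching on urgency is only a heuristic; the account comparison against the record on file is the check that does the real work here.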
Upcoming Training and Additional Resources
For firsthand, expert information on how to protect your agency from falling victim to the most current and potentially costly scams, including VEC and ransomware, register for MRSC’s webinar Best Practices to Prevent Cyber Fraud on Tuesday, April 21 from 11 AM to 12 PM. During this webinar, you’ll hear from FBI agent Kevin Brennan, nationally known cyber threat researcher Crane Hassold, and Ellensburg Finance Director Jerica Pascoe on how to prevent and respond to a growing cyber threat to local governments.
The webinar will also feature examples of internal control forms and third-party contract language that you can adapt for your agency’s use, and concrete suggestions for internal cybersecurity awareness training.
Additionally, here are some online resources from the Federal Trade Commission:
MRSC is a private nonprofit organization serving local governments in Washington State. Eligible government agencies in Washington State may use our free, one-on-one Ask MRSC service to get answers to legal, policy, or financial questions.