Protect, prepare and mitigate

How to stop the cybercriminals exploiting a global crisis

04 May 2020

Uncertainty, unprecedented events and homeworking. Not just the outcome of the coronavirus pandemic, but the perfect conditions for opportunistic cybercrime to flourish. We look at the current risks facing you and your clients and how to mitigate them.

Adapting to life in the coronavirus pandemic means an increasing reliance on digital technology to enable both our work and social lives. That opens doors for cyber-criminals, and they’re on the hunt for high-value targets. Europol report a rise in criminals using the crisis to distribute malware and the organisation anticipates “an increasing number of attack vectors as a greater number of employers institute telework and allow connections to their organisations’ systems.”1 Ensuring your cybersecurity policies remain robust enough to meet the challenges of the new ways of working is a business necessity.

“We’re all facing new challenges and for those of us in the banking and fiduciary sector, handling large sums of money, understanding the nature of the threat and how to deal with it is essential,” says Adele Bohlen, Head of Fiduciary Business, Barclays. “Whilst many of you will have well-established continuity plans, this situation falls outside even the most robust plans.”

Understanding the enhanced risk

It’s a distinction that Matt Charrett, Head of Cash & Liquidity Specialists, Barclays, thinks is key to understanding the enhanced level of risk fiduciaries are facing. “This is very much a contingent environment,” he says.

“Fiduciaries may not be moving to their disaster recovery sites; they’re having to move to their second or even third option, which is working from home, and they probably may not have planned for that in their disaster recovery process. That can create a lag in their ability to replicate the capability and controls of systems they use in their normal working environment – and that’s where we see enhanced business risk.”

Cybercriminals have been quick to exploit these vulnerabilities, says Phil Hancock, Barclays Fraud Team. “We’ve already seen various scams and cyber threats using COVID19 as a lure to encourage people to click on links that then install malware or spyware.” And, although these may be connected to a person’s personal account or device, the shift in the way we’re now working, and the speed with which this has occurred, is enhancing the risk to business.

“Most fiduciaries will have invested in strong security systems and gateways to protect those systems. However, people working from home may be accessing those systems from their own devices. Spyware installed on a personal device, for example, can record keystrokes, which can then be used to compromise a secure location when the user remotely accesses it,” says Hancock.

Identifying the threat

Hardware issues aside, Hancock says that the biggest cyber threat currently is business email compromise, where an email account is hacked, and payment details altered. “Increased reliance on email, with a reduction in personal interaction, is behind this growth. Picking up the phone to check an instruction might not be as easy – either because calls aren’t being diverted, you’re not sure whether someone’s available, or you might even be reluctant to use your home phone.”

Fiduciaries can make an especially tempting target for this type of cyber attack. Firstly, they have a large network of clients, many operating multiple accounts, and secondly, the payment instruction is a step removed from the banking industry’s rigorous processes.

“What we’re actually seeing is that attacks are occurring not on the fiduciary itself, but on its clients and their suppliers,” says Hancock. “So typically, your client receives an email payment instruction from a supplier who has been compromised. The most successful scams now are where genuine email invoices/requests are intercepted and amended rather than new emails created. This immediately provides false comfort as you, or your clients, may be expecting the invoice.

“With your client instructing you to pay it, you then instruct the bank. Even if the bank follows its procedures to verify that instruction from you, it will check out. What we need fiduciaries to do is verify the instruction by following a similar call back process with their client to check the original payment instruction (amount and beneficiary) was genuine, not just that a payment request was sent.”

How to reduce your risk

In fact, using the bank’s experience of managing the threat and applying it to your own client interactions is one of the key ways of stopping this type of cyber attack, says Charrett: “Aligning your payment controls with the bank’s controls by checking any payment requests against your own client records and verifying them with your agreed client contacts using agreed contact details is crucial.”

However, with the unique challenges presented by COVID-19 leading to minimal staffing levels and increased absence rates for many businesses, maintaining these payment controls is also important.

“Ensuring your online banking systems are up to date and that mandates have been reviewed and, if necessary, updated, so that we can verify instructions with the right people, is something we communicated very quickly,” says Hancock. “Having the same conversations with your own clients can help your business and theirs function as safely and smoothly as possible.”

Protecting yourself and your clients

So, what other ways can fiduciaries protect themselves and their clients from the growing cyber risk?

“The first and obvious way is to refresh and update staff on your homeworking and cyber security policies,” says Hancock. “We’re providing support for our clients to do that either through video-conferencing, webinars, or sending out literature. The next thing is to ensure you have a call back process in place, make sure it’s being followed and review whether that needs to be amended or updated.

“Being aware of the enhanced threat, you might also want to reassess thresholds for verification. The new confirmation of payee regulation launching this year will also help to firm up processes. From a banking perspective, we’re continually monitoring the threat and enhancing our systems to meet the changing nature of cybercrime, so, for example, we’re not just looking at individual payments or values, we’re also considering that as part of a pattern, making it easier to spot any divergence.”

“It’s about us all being extra vigilant,” says Charrett. “That may mean introducing extra controls or an extra layer of authorisation. Although it may slow things down, it could also mitigate your own and your clients’ risk.”

In response to the increased threat from cyber criminals exploiting the coronavirus crisis and the need for people to work from home, the National Cyber Security Centre published updated guidance on homeworking and managing the cyber challenge this presents. This includes:

  • Setting up strong passwords for user accounts and using two-factor authentication if possible.
  • Reviews of popular Software as a Service (SaaS) applications that you might be considering, such as Office 365 and Mailchimp.
  • Ensure encryption is turned on and configured and that devices encrypt data at rest.
  • Install mobile device management software so that data can be backed up, locked or erased remotely if necessary.
  • Use a VPN and ensure it is adequate for an increased number of users.
  • Consider disabling removable media such as USB drives.
  • Review and update your ‘bring your own device’ policy, for example, creating minimum hardware and software requirements, and requiring strong multi-factor user authentication.2

Managing cyber-security

Although the current rise in cyber criminal activity is exploiting circumstances beyond our control, managing today’s risks could lead to opportunities for better business in the future. Better ways of managing cyber-security can also provide multiple other benefits for businesses, including: removing a degree of human error through increased automation of processes and systems making it easier to spot suspicious activity; and greater use of VPN technology to create more secure system access and host-to-host connections providing direct communications.

“We all have a chance to reflect on how we can be smarter, more efficient, increase control and mitigate risk to enhance our operations and do things better in the future,” says Charrett. “Taking the experiences of different businesses across different sectors can help us learn what works in these situations. In this way, we can reduce our risk of becoming a victim of cybercrime and turn it into an opportunity, ensuring something positive comes out of these dark times.”

Top 10 tips for reducing your exposure to cybercrime

  1. Don’t click on links or open email attachments without verifying, even if they appear to be from a genuine source.
  2. Install anti-virus/anti-spyware software and firewalls and keep them updated.
  3. Create strong passwords for your home Wi-Fi, devices and accounts, update them regularly and don’t allow your web browser to remember them.
  4. Verify any requests to amend payment instructions by calling a known contact on a known number.
  5. Ensure your mandates and payment controls are up to date.
  6. Consider enhancing your payment controls and authorisation in response to the increased threat.
  7. Refresh training on homeworking and cyber security and consider a policy of not permitting the use of home devices for work.
  8. Provide enhanced protection, such as VPN for devices connecting to your systems.
  9. Consider requiring multi-factor authentication for remote access.
  10. Take five – if something doesn’t seem right, act on your instincts. Check, verify, and ask for a second opinion if necessary.

Our experts are on hand to support your cyber-training needs through online seminars across a range of platforms. You can also find more information and guides covering cyber-security on our Fraud awareness pages. Speak to your relationship team today to find out more.
