The Other Cyber Threat that Merits an FBI Warning Amid COVID-19

Ugly intrusions into video teleconferencing sessions are just one way the FBI warns cybercriminals are exploiting the novel coronavirus outbreak. The situation is also conducive to a practice the bureau has been combatting for years but which criminals are now deploying with more sophistication.     

“During this pandemic, [business email compromise] fraudsters have impersonated vendors and asked for payment outside the normal course of business due to COVID-19,” the FBI wrote in a public service announcement released Wednesday.

BEC was among the most costly complaints of 2019, according to the FBI’s annual internet crimes report.

The Wednesday PSA was highly publicized in relation to miscreants invading sessions conducted via the video teleconferencing software such as Zoom with pornography, hate speech and other objectionable interruptions.

In an earlier post by Boston-area officials, on the so-called “Zoombombing,” the FBI described individuals “hijacking” teachers’ virtual classrooms displaying swastika tattoos, yelling profanities and in one case revealing a teacher’s home address.

The FBI’s PSA provided steps consumers can take to protect their communications and detailed some subtler ways malicious actors might be exploiting the pandemic. 

While loud intruders are obnoxious and hurtful, potentially greater harm could come from cyber criminals silently listening in for valuable bits of information after compromising telework vulnerabilities.

“The COVID-19 pandemic has led to a spike in businesses teleworking to communicate and share information over the internet,” the PSA reads. “With this knowledge, malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities.”

The FBI warns hackers can exploit increased demand for telework in a number of ways, including by offering buggy but “legitimate-looking” software at free or reduced prices, targeting cloud-based communications systems and voice over internet protocol phones to overload services and take them offline, using remote desktop applications to access other shared applications, and relying on rentals of used laptops and other equipment from foreign sources that may carry preinstalled malware. 

In the case of business email compromise, malicious actors have been exercising patience to profit.

Instead of using one-shot phishing attempts, cyber criminals impersonate high-level personnel within an organization to develop an arsenal of information they can use to make the most compelling phishing email possible and bide their time for just the right moment to pull the trigger. 

The target is usually an employee with access to the organization’s finances. The criminal succeeds by getting them to make changes in fund transfer protocols citing extenuating circumstances, such as a global public health crisis.

BEC attacks resulted in more than $1.7 billion in losses in 2019 based on 23,775 complaints through the bureau’s internet crime complaint center.

During the course of the coronavirus pandemic, the FBI advises the public to be wary of “the use of urgency and last-minute changes in wire instructions or recipient account information, last-minute changes in established communication platforms or email account addresses, communications only in email and refusal to communicate via telephone, requests for advanced payment of services when not previously required, and requests from employees to change direct deposit information.”

The FBI also urges victims to file a report as soon as possible with its internet crime complaint center. The agency has a recovery asset team that salvaged $300 million of the total lost to BEC last year.

RELATED PODCAST