Fraud and cybercrime prevention during COVID-19 and beyond

The pandemic has had a major impact on the way we live and work. An unfortunate side effect has been a myriad of scams and cybercrimes that take advantage of individuals and their organizations during these uncertain times. This blog provides an overview of schemes to watch out for, and steps you can take to protect yourself and your organization.

Look out for COVID-19 scams

Authorities have seen an uptick in scams, both online and offline, since the onset of the pandemic. Some are new and COVID-19 related, while others have been around for quite a while.

Canadians – at work and at home – have been receiving unsolicited calls, texts, emails and even regular mail from scammers posing as employees of government, health, research resand other legitimate organizations to gain personal information, access computer systems and otherwise profit from these unusual times. The Canadian Anti-Fraud Centre has received almost 1000 complaints about fraud since the beginning of March, and Canadians have lost more than $1.2 million so far to scammers taking advantage of the COVID-19 pandemic.

Businesses are regularly targeted by scammers, and it’s important to remain vigilant at work.  During COVID-19, be on the lookout for the following:

• If your business is considering purchasing personal protective equipment (PPE) for employees, ensure you do your due diligence as numerous fraudulent PPE websites and distributors are preying on the urgency of the situation and organizations’ legitimate concerns.
• If your business is seeking support or relief, watch out for fraudulent links received via social media offering recovery supports for businesses. Do not engage with unfamiliar accounts or without verifying the legitimacy of the sender. Keep in mind that the government is highly unlikely to reach out to you to request that you apply for relief, so be leary about sharing your personal information.
• Human Resource Department scams have been on the rise. They can take the form of impersonation of an HR department staff communicating with an employee, requesting personal information in order to process paperwork or impersonation of an employee as an attempt to steal information or a paycheque. 

The Canadian Centre for Cybersecurity is seeing an increase in reports of COVID-19 phishing campaigns and malware scams online and by text message.

When fraudsters send phishing texts or emails, they often pose as an official from government, a health-related organization or another enterprise with an urgent COVID-19 update or proposition. The emails are written to trick recipients into confirming sensitive information, opening attachments or clicking on links that permit threat actors to obtain personal information, or gain unauthorized access to a computer system. In some cases, if malicious attachments are opened, they could encrypt files on your computer until a ransom is paid.

Here are some common COVID-19 phishing attempts you should look out for:

• You receive a text or email indicating you or your workplace has been exposed to the virus, and advising you to open a file infected with malware.
• You receive a text or email claiming to be from a government agency issuing a financial refund or government support benefit, such as the Canada Emergency Wage Subsidy  or Canada Emergency Support Benefit, asking you to fill out a form in order to harvest your personal or banking information.
• You receive a text or email offering free PPE, such as masks or gloves, or testing kits – sometimes offered in exchange for the completion of a survey.
• You receive a text or email asking for a donation to a fictitious fund that may sound similar to an official fund, such as the WHO’s COVID-19 Solidarity Response Fund.

For tips on how to protect yourself, and where to report scams, check the resources on our website.

Stay cybersafe

Cybercriminals aren’t just looking to take advantage of human behaviour online. They are also increasing their malicious attacks to take advantage of overlooked security vulnerabilities.

In addition to sensitive business and financial information, intellectual property is a valuable target for scammers and hackers. For example, Canada’s intelligence agencies have warned that COVID-19 work being done by Canadian researchers and organizations is at an elevated risk for foreign-backed hacking and other malicious activity.

In a recent CMA blog, we reminded Canadian organizations of their privacy and security responsibilities during the pandemic. The work from home environment has raised new security concerns for many organizations. Your organization should ensure its programs and practices are up to the task, including increased monitoring of network logs, securing remote work practices, and ensuring critical servers are not vulnerable to cyberthreats.

As an employee, you play an important role in protecting yourself, as well as your company, when working remotely. Here are some best practices:

• Keep your devices in a secure place and ensure they “auto log-out” when not in use. Use your devices only for work, and don’t let others use them.
• Make sure you’re using a secure network when accessing work accounts and shared drives, like a VPN issued by your employer.
• If you’re connecting to a home WiFi network, make sure you have that network locked down with a strong password. Separate your WiFi network by creating one for personal devices and one for work devices.
• Follow the advice of your IT department and contact them as soon as issues arise.
• If you receive a suspicious e-mail, do not open, engage with, or forward the e-mail. Instead, take a screenshot and flag it for your IT department.
• Be vigilant when using videoconferencing: With the sudden rise in popularity of videoconferencing apps, scammers and hackers have been attempting to access meetings, share malicious links, and access chat logs (particularly those stored on the cloud). Be sure to use privacy settings to lock down your meeting (including the “waiting room” feature). Avoid recording meetings and storing the logs unless it is necessary for you to have this type of record, and don’t share links to your meeting in an open forum. For more privacy and security tips when using videoconferencing, see tips from the Office of the Privacy Commissioner of Canada here, and information from the Canadian Centre for Cybersecurity here.
• Run software updates on all devices, and ensure firewalls and antivirus software are enabled. Back up your data and use strong and unique passwords for each account. Enable multi-factor authentication where possible.

Finally, in addition to sharing this information with your employees and networks, we encourage you to help your customers stay informed and alert during the pandemic by sharing the CMA’s new COVID-19 webpage for consumers. On this webpage, consumers can find key information and tips to help them avoid being a victim of fraud or misleading advertising, and to protect their privacy.

Authors:
Fiona Wilson | Director, Government Relations @CMA
Florentina Stancu-Soare | Senior Manager, Regulatory and Consumer Affairs @CMA