KUALA LUMPUR: Malaysians have been urged to be wary of suspicious financial aid requests and unsolicited information.
Fortinet, a global leader in cybersecurity solutions, has warned that ‘social engineering’ attacks are the easiest and fastest way to exploit an individual or organisation in Malaysia amidst Covid-19 pandemic fears.
It said that as the world is fixated on the global health emergency, cybercriminals are taking advantage of the fear and uncertainty to deploy social engineering scams and attacks unsuspecting targets.
It added that during this current pandemic, cybercriminals typically try to manipulate those who attempt to provide financial support by creating fake charity websites in order to get donors to transfer money to help victims. And with so many major events being cancelled, cybercriminals may also try to take advantage of the situation by luring them with phishing scams on refunds and fake news to get victims to reveal their credit card information.
“Keep your cyber distance by staying wary of suspicious requests, unknown attempts at contact, and unsolicited information. Malaysians have been practicing social distancing over the last few weeks to protect against viruses and illness. Likewise, we should consider cyber social distancing ourselves from attackers.
“Be the protector of your information, your networks, and your health,” advises Fortinet Malaysia Country Manager, Alex Loh.
Fortinet says six ways attackers are exploiting the Covid-19 crisis for financial gain – in the form of digital attacks and phone-based attacks – include:
- Phishing/Spearphishing: Email-based attacks that target everyone or a specific person or role within an organisation in order to entice individuals to click on malicious links or enter credentials or other personal information;
- Social Media Deception: Scammers create fake profiles to befriend victims while posing as a current or former co-worker, job recruiter, or someone with a shared interest on social media, especially LinkedIn. Their goal is to trick the victim into providing sensitive information or downloading malware to their device;
- Pretexting: Attackers focus on creating a good pretext, or a false but believable fabricated story, so that they can use it to pretend to need certain information from their target in order to confirm their identity;
- WaterHoling: An attack strategy where attackers gather information about a targeted group of individuals within a certain organisation, industry, or region as to what legitimate websites they often visit. Attackers look for vulnerabilities in these sites in order to infect them with malware. Eventually individuals in the targeted group will visit those sites and then become infected;
- Smishing: A text-based message attack that impersonates a legitimate source in order to lure a victim into downloading viruses and malware onto their mobile device; and,
- Vishing (voice phishing): Phone-based attack in which scammers call a mobile phone pretending to be from a legitimate source, such as a bank, as a means to try and convince the target into divulging sensitive information such as credit card information or social security numbers. Tactics used by these scammers often rely on “caller ID spoofing.” ID spoofing allows them to generate phone calls that appear to be from a legitimate or local source.
Fortinet advocates the following simple steps to protect personal and proprietary information:
- Be suspicious of any email or text message requesting sensitive information or financial transactions, especially third-party sources spreading information about Covid-19;
- Hover over and review all hyperlinks prior to clicking to confirm they are from legitimate sources;
- Use multi-factor authentication for gaining secure access to sensitive systems and databases;
- Ensure your browser, mobile devices, and computer systems are updated with the most recent protections; and,
- Never reuse passwords across multiple accounts and devices. Password uniqueness and complexity are paramount to safeguarding against additional risk to our networks.
Loh said social engineering constantly preys on humans, the only vulnerability that cannot be patched.
“Nobody is safe from these efforts – administrative employees, contractors, and even business partners can be targets to obtain access to their networks and sensitive information. And for those who are connecting to the office through home networks, even children are potential targets. It is a perpetual bombardment, every day, every minute of the day,” he said.