As more people rely on technology to stay connected with co-workers, family and friends, cybercriminals are exploiting new opportunities to access sensitive data. Here are some common scams to avoid.
Even as the coronavirus pandemic thrusts the world into crisis, cybercriminals have been devising new scams to exploit a population increasingly worried about their health and financial security while spending more time online from home.
“We now essentially have a cybercrime pandemic, too,” says Rachel Wilson, Head of Cybersecurity for Wealth Management at Morgan Stanley. “We have seen a concerning uptick of activity by cybercriminals who are using the pandemic to launch attacks and obtain sensitive information to defraud consumers and steal their money.”
Protecting your personal data and financial assets during and after this crisis requires a renewed dedication to cybersecurity best practices, as well as a permanent, heightened sense of awareness. In other words, it demands a security mind shift. After all, some aspects of our "new normal"—such as a greater emphasis on working from home or relying on technology to remain connected with colleagues, family and friends—may be here to stay. This creates new vulnerabilities for cybercriminals to exploit.
Whether as an individual or a professional at a family office, understanding the threats, taking the necessary precautions and remaining vigilant can help reduce the risk of becoming a victim.
Most scams and attacks emerging during the crisis try to “exploit our heightened sense of urgency, hunger for information and desire for quick solutions,” says Wilson. Here are some of the common ones to look out for:
- Phishing attacks: Fraudsters use emails designed to imitate legitimate authorities, such as the World Health Organization and the U.S. Centers for Disease Control and Prevention, to get you to download malware or provide personal identifying information.
- Government scams: The $3 trillion government stimulus package has been a treasure chest for cybercriminals who have created numerous fake unemployment-insurance and loan-origination sites to rob unwary targets. Reports also cite the use of stolen Social Security numbers to file fraudulent unemployment claims.
- Treatment or supply scams: Phony websites or social media accounts attempt to trick you into paying for unproven COVID-19 treatments or fake items.
- Provider scams: Pretending to be a medical provider or a representative of a hospital that recently treated a family member or friend for COVID-19, criminals will demand payment from you in exchange for the treatment.
- App scams: Hackers embed malware into mobile apps purporting to track the spread of COVID-19 so that they can compromise your devices and harvest personal data, such as photos, locations, media files and more.
- Charity scams: Fraudulent charity sites prey on your compassion and prompt you to provide financial support for those impacted by COVID-19.
- Investment scams: Online scammers claiming to represent publicly traded organizations promote products or services that supposedly detect, prevent or even cure COVID-19. Their aim? To lure you into handing over your money, thinking you’re investing in the company.
- Tech support scams: Posing as an IT technician from a well-known company, cybercriminals either call you or use computer pop-up notifications to scare you into thinking that your computer has been compromised by a virus. Then they “fix” the issue by taking control of your computer and embedding malware.
- Business email correspondence scams: A hacker breaks into your business or personal email account and learns as much about you as possible, including your email contacts, types of correspondence and even your writing style. Closely emulating your persona builds credibility for the cybercriminal when executing the critical final step of the scam, which usually involves contacting your bank or Financial Advisor to request a wire transfer or other type of movement of your funds.
- Ransomware attacks: Basically, a cybercriminal finds a way to break into your network or computer, determines which data, asset or application holds the most value to you, seizes your possession by irrevocably encrypting it and then demands a payment or ransom to release it. Even if you pay the full ransom, you’ll likely only receive a portion of your data back, and get hit with another request for more money.
“Always keep your guard up,” says Wilson. “Never assume because you are working from the privacy of your own home that you won’t be targeted.” Cybercriminals thrive on a distracted audience. While you’re concentrating on finishing a project or homeschooling your children, it can be easy to let your guard down when it comes to security. Maybe you won’t notice your computer is acting oddly or, in a moment of distraction, you click on a suspicious link or answer a call from an unknown number. All of these actions can lead to trouble.
If you’re relying on collaborative software to facilitate calls, webinars or information-sharing, be mindful of the data you’re presenting—as well as the potential audience. Consider using a password to protect your virtual sessions and restricting access only to those you have verified.
Additionally, make sure to verify the sender when reviewing emails or other electronic correspondence that can be faked or spoofed, especially if they are requesting that you take some kind of action. A quick phone call to the sender using a phone number found through a trusted source (not in the email) can help you authenticate the email.
These and other cybersecurity best practices can help add a layer of defense against scams.
Those responsible for cybersecurity at a business, foundation or family office should consider taking additional measures to shore up their defenses.
For example, it’s prudent to develop a cybersecurity training program that includes an annual session, along with quarterly refreshers. Additionally, set up a program to educate your staff so they can identify threats and respond correctly to the latest tactics used by hackers.
It may seem like old-fashioned advice for a high-tech world, but you should be mindful of your paper trail, too. That includes all types of financial documents—including account statements and tax returns—kept in an office or a home. Why? Just think about all the people who have physical access to these premises throughout the year. “Those paper documents can be as risky as any kind of digital record,” cautions Wilson. “Reducing your paper trail can go a long way in diminishing your risk of fraud.”
Other steps to consider implementing include the following:
- Create a detailed remote work policy and closely enforce it.
- Develop and practice an incident response plan that includes remote work scenarios.
- Keep a list of all third-party vendors you engage, and develop security standards for them to follow.
- Hire an external entity to conduct a security assessment and regularly test your defenses.
- Restrict remote access to your most sensitive data and systems.
- Implement a comprehensive monitoring system to detect intrusion or data loss.
- Keep a thorough inventory of your hardware, software and systems, as well as a record of who has access to them.
At Morgan Stanley, we continue to strengthen our commitment to protecting our clients. “We invest heavily in our technology,” says Wilson, “and take the necessary precautions to help ensure our system is as time-tested, battle-hardened and secure as possible.” Additionally, Morgan Stanley has built a suite of digital tools to help protect client accounts and personal information, such as eDelivery, layered authentication, alerts and notifications, and more.
Implementing these security best practices and maintaining a higher level of awareness, both during the pandemic and afterward, can help you stay one step ahead of bad actors and avoid becoming their victim.