The recent passage of the pandemic relief act by Congress may provide much-needed protection from the economic impact of the coronavirus. But, when it comes to the likely epidemic of virus-related scams about to plague individuals, businesses and governments, we must protect ourselves. Hackers, con-artists, organized crime rings, and even state-sponsored actors are already exploiting this dark moment in history and seeking to make victims of us all. Security professionals must play a critical role in safeguarding their organizations and clients if those entities, and those of us who protect them, are to survive.
Never let a perfectly good crisis go to waste; that's the mantra of many a skilled con artist. Twenty-five years in the FBI has taught me we're about to see this fraudster philosophy run almost as rampant as the virus that inspires it. And just as we need to take preventive measures to "flatten the curve" of the coronavirus' growth, so too must we all work to contain the crooks and cons who will prey on the most vulnerable among us. As with the virus, our businesses, our government, and our families can act now to minimize the misery later.
Let the Scams Begin
From social media rumors to cable news science deniers to state-sponsored disinformation campaigns to opportunistic hackers, COVID-19, the disease caused by the coronavirus, will test the collective capacity of physical and cybersecurity professionals to detect and deter those with no real regard for our safety or who seek to profit from calamity. On an even grander scale, the passage of federal legislation to mitigate the economic impact of the virus with cash, loans and corporate relief will bring an inevitable feeding frenzy of fraudsters, corrupt officials, liars and cheats to the government trough. Already, we’re seeing our email inboxes fill with offers to process our relief money, request our bank account numbers to direct payments to and click on attachments promising to tell us how much cash is coming our way.
Even seemingly silly coronavirus cure-all claims can be dangerous when they delude people into thinking they are safe from infection. Despite efforts by the World Health Organization to debunk at least a dozen coronavirus myths, many of these falsehoods continue to circulate. The spectrum of scams runs the gamut from the nonsensical to the nefarious. Journalists have already uncovered a glut of unverified websites allegedly selling dodgy coronavirus test kits, for example, some going for outlandish sums. Scams involving fake Starbucks coupons are suddenly everywhere. We must all become smarter consumers of information during this crisis. This is a moment for security professionals to shine as we become the “go-to” trusted sources for solid data, fraud detection and warnings, and enhanced measures that save dollars, customers, and even entire businesses.
Like hyenas at a watering hole, hackers are silently stalking the surge of "work from home" employees. Many of us are voluntarily practicing social isolation by working from home, and many others have been mandated to do so, by either their employers or their government officials. But companies may be ill-prepared for the threat posed by large numbers of employees taking their devices home, accessing and transmitting sensitive corporate data, customer systems and personally identifiable information, without the benefit of cybersecurity measures such as two-factor authentication, encryption and virtual private networks.
Imagine the accounts payable clerk at your company innocently submitting payment to a hacker pretending to be a trusted customer. Deploy software filters that alert whenever a customer or vendor address or account is inconsistent with prior payments. Before launching enterprise-wide work from home plans, shape the thinking of your senior executives to ensure the strongest possible security is in place. Identify vulnerability gaps and identify critical functions and proprietary data that cannot be risked without enhancing IT security.
Revisiting History
Now that the House and the Senate have approved coronavirus aid bills and the Senate works on a third bill, vast sums of money in the forms of grants and loans will soon become available to entire industries including your firm. It's only a matter of time before corrupt cretins start pretending to be your company and submitting applications for relief funds in your name. We’ll also see corporate finance departments fall prey to scammers who claim to be the federal, state or county government.
We've seen this before. In the aftermath of 9/11, a single contractor for the Federal Emergency Management Agency working disaster relief efforts stole $2.5 million in government funds. Following the subprime mortgage crisis of 2008, Congress passed the Troubled Asset Relief Program (TARP) to purchase assets from financial institutions in danger of failing. Hundreds of criminal and civil investigations were opened, and an inspector general was appointed, to address the widespread fraud involving false statements by those institutions about how and why they were spending our money. Similar fraud followed in the path of Hurricane Katrina, with at least $2 billion worth of scams and schemes at taxpayer expense
But the 9/11, TARP and Katrina relief debacles will seem like a mere head cold compared to the virulence of the fraud that's about to plague the American taxpayer. Today's high-speed digital con men will bilk us before we even knew what hit us. As detailed in a recent article in Mother Jones, Stephen Kohn, a lawyer who is chairman of the National Whistleblower Center, believes a veritable storm of fraud is on the horizon. Kohn sent a letter to Attorney General William Barr requesting that the Justice Department establish a task force "to monitor and investigate violations of the False Claims Act" in cases of coronavirus-related fraud. Kohn is right.
This virus will bring out the best of American resilience and benevolence, and we will recover from this daunting challenge. Yet, the worst among us are already trying to deceive, damage and destroy. Security professionals don’t get paid to hope for the best and “wait it out.” We must act now to contain the flood of fraud that threatens those who depend on us for protection. They’re counting on us.
About the Author:
C. Frank Figliuzzi is the former FBI assistant director for counterintelligence, a previous chief inspector of the FBI and an analyst for NBC News/MSNBC.
