Social Engineering Scams Rise During COVID-19

Businesses across the country have seen a spike in cyberattacks since the start of the COVID-19 pandemic. Cybercriminals are taking advantage of employees from small businesses who may be less vigilant while working remotely. They are using “social engineering” to commit their crimes – the act of deceiving or manipulating someone into divulging confidential or personal information that may be used for fraudulent purposes. Social engineering fraudsters use a variety of means to carry out their attacks, some of which include:

• Phishing – Sending out emails in an attempt to solicit private information.
• Spear Phishing – A phishing attempted targeted directly at a particular person.
• Baiting – Infecting a computer with malware after tricking someone into downloading free music or movies.
• Spoof Websites – Clones of the real websites of trusted organizations in which cybercriminals can obtain the victim's sensitive information.
• Caller ID Spoofing – A caller deliberately falsifies their caller ID display to disguise their identity; when a victim answers, they use scam scripts to try to steal personal information.

The idea behind social engineering is to take advantage of someone’s natural tendencies or to elicit an emotional reaction of “act first, think later.” COVID-19 has unfortunately provided ample opportunity for this, as people everywhere are anxious for information and updates about the virus, eager for interaction with others while being sheltered in place and less cautious while working away the office.



At the beginning of the pandemic, one of the most frequently utilized techniques by cybercriminals was the use of coronavirus infection rate maps with pre-loaded malware. They would send this to a victim hoping their desire to obtain the most up-to-date information caused them to willingly open the file without considering the risks. Once opened, the file would download malicious software, infect the unsuspecting recipient’s computer and allow a cybercriminal to obtain sensitive data. The distribution of the COVID stimulus checks provided another opportunity for fraudsters to take advantage of unsuspecting victims. Emails were sent out promising recipients they could receive their checks faster. Users were asked to register their email address or other personal information. The data was then harvested by cybercriminals to access personal, financial or business accounts of their victims.

A recent article from Forbes about cybercrime reports that phishing emails have gone up 700% in the last two months. Another source of cyberattacks has come from the popular video conference service Zoom. While working remotely, employees have utilized their services to conduct virtual meetings – to the tune 300 million users, a thirty-fold increase in four months. Zoom was not prepared for this dramatic increase in users and left them vulnerable to a significant security breach.

Fraudsters may pose as fellow employees, your company’s IT department or a trusted vendor. For example, your business might receive new wiring instructions from a vendor you frequently work with. On the surface, this may seem like a common request – but if it’s someone posing as your vendor instead, you’ve just opened yourself up to sharing sensitive financial information with a cybercriminal.

A majority of social engineering attacks are aimed at small and medium-sized organizations, so it’s important for your employees to keep cybersecurity top-of-mind at all times. Here are some tips to help protect your business.

How Businesses and Their Employees Can Protect Themselves from Social Engineering

The Federal Bureau of Investigation (FBI) advises that every organization should establish the following fraud prevention policies and procedures:

Procedures to verify any changes to customer or vendor details, independent of the requester of the change. Examples include:

• Direct call back to the customer or vendor using only the telephone number provided by the customer or vendor prior to the request being made.
• Confirm a change request was made with someone at the customer or vendor level, other than the individual who requested the change.
• Ask for a receipt by the company of a code known only to the customer to determine the identity.

Procedures to verify last-minute changes in wiring instructions or recipient account information.

• Use callback procedures to clients and vendors for all outgoing fund transfers to a previously established phone number or implement a verification system with similar dual verification properties.
• Verify vendor information via the recipient’s contact information on file; do not contact the vendor through the number provided in the email.

Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.

• Check the email address by hovering your mouse over the “from” address. Make sure no alterations (like additional numbers or letters) have been made.

If you discover you are the victim of a fraudulent incident:

• Immediately contact your financial institution to request a recall of funds.
• Contact your employer to report irregularities with payroll deposits.
• Learn more about the steps to take after a data breach.

Cyber Fraud Risks

Cyber fraudsters have targeted remote desktop sharing applications to compromise these systems and to gain access to other shared applications.

Teleworking Tips to Protect the Organization

• Restrict access to remote meetings, conference calls or virtual classrooms, including the use of passwords, if possible.
• Do not share links to remote meetings, conference calls or virtual classrooms on open websites or open social media profiles.
• Never open attachments or click links within emails from senders you do not recognize.

Other Cyber Fraud Prevention Recommendations

The FBI has provided the following additional tips that can help protect individuals and businesses from being victimized by cyber fraudsters:

• Do not open attachments or click links within emails received from senders you do not recognize – if you do, report it to your IT department immediately so they can make sure malware not been activated and released.
• Do not provide usernames, passwords, birth dates, social security numbers, financial data or other personal information in response to an email or phone call.
• Avoid using the same password for multiple accounts. Follow these tips to create a strong password.

Make sure your businesses takes time to review and update information security policies, business continuity plans and data breach response plans, and regularly communicates with employees about them.

AmTrust Helps Protect Your Small Business

AmTrust specializes in providing insurance solutions for small businesses across a wide variety of industries. We can offer you protection with our Cyber Liability coverage. Attacks can vary from malicious assaults on your physical servers to phishing scams that solicit sensitive data from individual users. Cyber Liability insurance can protect your company from a range of cyber attacks, and AmTrust is committed to evolving our coverage as new threats emerge for our customers.

Commercial Crime Coverage from AmTrust

Additionally, our newly formed AmTrust Exec division offers a full suite of management liability products, which includes our Commercial Crime coverage. Our monoline Commercial Crime product covers loss from employee and some third-party theft including social engineering fraud. 

This material is for informational purposes only. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.