Self-isolation and social distancing have unearthed a whole new range of challenges for Australians who are trying to rapidly adjust to remote working as the new normal. Organisational upheaval, technology disruption and new ways of working are providing a perfect environment for cyber criminals to strike. Now more than ever, employees and businesses alike must prioritise cyber security hyper-care to protect themselves from increasing threats. With a few extra checks and balances to defend against attackers, everyone can remain secure and protected as they focus on getting on with their job.
Remote Access Requests
The Australian Cyber Security Centre (ACSC) warns of businesses falling foul of remote access scams during this time of crisis. Cyber criminals are posing as the people and organisations we trust most: government agencies, federal and state health departments, telecommunications companies, banks, and even, brazenly, the ACSC itself, to gain access to systems.
The ruse is straightforward. Attackers pretend to be from the organisation’s IT or Customer Support or Service Desk team, claiming the need to perform routine maintenance or account support because of something to do with the COVID-19 crisis.
Most users are savvy enough not to divulge usernames and/or passwords, no matter who asks, but in this scam the attackers do not ask for a password at all. They ask permission to take remote control of the user's desktop to "fix the issue". As soon as the user grants access, the attacker quickly changes the user's password, locking them out, and then proceeds to steal information, launch attacks against the business, access bank accounts or personal information, and generally cause all sorts of trouble. Note that a remote-control session is worth more to the attacker than a password: it runs inside an already-authenticated session, so multifactor authentication has already been satisfied by the legitimate user. This situation could be devastating for both users and their organisations.
What Can You Do?
Authentication is crucial, and it must work in both directions. Support teams must authenticate users based on something only the user has (such as a registered authenticator app) or knows (details not readily found online), and combining factors of different kinds is what is meant by multifactor authentication. It is just as important that users can authenticate the support person on the other end of the phone, and check the source of an email request or SMS message, before relinquishing control of their machine.
Users should be given the contact details for support that they will need as they transition to remote working. If the support team needs to place an unsolicited call to a user, the protocol should require the user to call back on the official number and then identify themselves.
Once the service centre has authenticated the user, both parties can agree how the support call will proceed, and the user can either accept the remote access request or follow instructions to fix the issue themselves.
A few things users can consider:
- Check the sender address of any support email against the address your company's support team actually uses. Remember that display names and sender addresses can be forged or use lookalike domains, so a plausible address is not proof on its own.
- Always check URLs before clicking them, and if anything looks suspect treat it as a scam.
- Support teams never ask for passwords. Never!
- Support teams rarely cold call or email, and if they do, hang up and call them back on the official number.
- Always tread carefully: authenticate, authenticate, authenticate.
For businesses introducing new remote support capabilities or assessing current arrangements:
- Use authenticator apps such as Google Authenticator or Microsoft Authenticator so that the Service Desk can ask the caller for a one-time code that only the registered device can produce.
- Users should identify themselves using a minimum of three pieces of information, for example manager's name, department or work phone number. Challenges should be chosen at random from a list of five to eight items so that a caller cannot rehearse a fixed script. Bear in mind that details like manager and department are often discoverable on social media, so treat knowledge challenges as a complement to, not a replacement for, an authenticator code.
- If the telephony system permits, use it to determine the caller's location or presented number. A local call can be given slightly more weight than an international one when the user says they are calling from the Perth or Melbourne office, but caller ID can be spoofed, so treat this as a weak signal rather than proof.
- Consider insisting on call backs for unsolicited support calls. Users are asked to return the call to the Service Desk using an official number. That number should be easy for users to validate against official communications from the Service Desk.
- Consider self-service platforms for simple tasks like password resets, where the system verifies the user's identity through multifactor authentication or an out-of-band authenticator such as Google or Microsoft Authenticator, taking the Service Desk agent out of the loop entirely.
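To make the two verification steps above concrete, here is a small added example (not code from the original article or from any product it names) showing how a Service Desk tool might combine them: three challenges drawn at random from a pool of five to eight directory attributes, checked in constant time without revealing which answer was wrong, followed by a six-digit time-based one-time code of the kind Google Authenticator and Microsoft Authenticator generate (RFC 6238 TOTP with SHA-1 and a 30-second step). The user record and its attribute values are constructed sample data; the secret in `main()` is the RFC 6238 test key, used only so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample record; a real implementation would read these from
# the HR or directory system, never from a file an agent can edit.
SAMPLE_USER = {
    "username": "jsmith",
    "attributes": {            # the five-to-eight item challenge pool
        "manager": "Alex Nguyen",
        "department": "Finance",
        "work_phone": "08 9000 1234",
        "office": "Perth",
        "employee_id": "E-48213",
        "start_month": "2018-03",
    },
    # RFC 6238 test key, base32-encoded as an authenticator app would import it.
    "totp_secret_b32": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def pick_challenges(attributes, count=3):
    """Choose `count` distinct attribute names at random from the pool."""
    if not 5 <= len(attributes) <= 8:
        raise ValueError("challenge pool should hold five to eight items")
    pool = list(attributes)
    # secrets.randbelow, not random.choice: the selection must not be predictable.
    return [pool.pop(secrets.randbelow(len(pool))) for _ in range(count)]


def _normalise(value):
    """Case- and whitespace-insensitive comparison of spoken answers."""
    return " ".join(str(value).strip().lower().split()).encode()


def verify_answers(attributes, challenged, answers):
    """True only if every challenged field was answered correctly.

    All fields are compared even after a mismatch, and each comparison is
    constant-time, so neither the result nor the timing tells the caller
    which answer was wrong.
    """
    if set(answers) != set(challenged):
        return False
    ok = True
    for field in challenged:
        expected = attributes.get(field)
        if expected is None or not hmac.compare_digest(
            _normalise(answers[field]), _normalise(expected)
        ):
            ok = False
    return ok


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for a Unix time."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, now, window=1, step=30):
    """Accept the current code or one `window` step either side for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + skew * step, step), code)
        for skew in range(-window, window + 1)
    )


def authenticate_caller(user, answers, code, now):
    """Knowledge challenges AND an authenticator code must both pass."""
    challenged = list(answers)            # the fields the agent actually asked
    secret = base64.b32decode(user["totp_secret_b32"])
    return verify_answers(user["attributes"], challenged, answers) and verify_totp(
        secret, code, now
    )


def main():
    challenged = pick_challenges(SAMPLE_USER["attributes"])
    print("Agent asks the caller for:", ", ".join(challenged))
    # The caller reads back their answers and the current code from their app.
    answers = {f: SAMPLE_USER["attributes"][f] for f in challenged}
    secret = base64.b32decode(SAMPLE_USER["totp_secret_b32"])
    now = time.time()
    code = totp(secret, now)              # stands in for the app on the user's phone
    print("Verified:", authenticate_caller(SAMPLE_USER, answers, code, now))


if __name__ == "__main__":
    main()
```

Two design points worth noting. The knowledge check deliberately returns a single pass/fail after comparing every field, because an agent who says "no, the manager is wrong" is handing a social engineer the feedback they need to refine their story. And the TOTP window of one step either side is a usability allowance for clock drift, not a security feature; a wider window, or no lockout after a few failed attempts, turns a six-digit code into something an attacker can simply guess.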