Cybercriminals never like to let a crisis go to waste. While people across the world are still mourning the passing of Queen Elizabeth II, threat actors are seizing the opportunity to exploit the compassion of unsuspecting users.
Today, Kaspersky’s researchers warned about an uptick in scams related to the Queen’s passing, having discovered several investment projects offering users crypto tokens and even NFTs named after the monarch in exchange for “paying tribute to her Majesty.”
The researchers also noted that users could purchase commemorative coins and t-shirts from newly created websites, which left consumers’ usernames, addresses, and card data unprotected.
The emergence of new scams surrounding the death of Queen Elizabeth II highlights that security awareness training is key for ensuring that employees can avoid being tricked into handing over personal information.
The state of Queen Elizabeth II phishing scams
Kaspersky isn’t the only organization to anticipate a spike in scams around the Monarch’s passing.
Just last week, the U.K.’s National Cyber Security Centre (NCSC) warned that “as with all major events, criminals may seek to exploit the death of Her Majesty the Queen for their own gain,” and urged users to be attentive to emails and SMS messages.
That same week, Bitdefender noted that on September 12 there was a wave of fraudulent messages aimed at stealing Microsoft login credentials by trying to trick users into building an “AI memory board” in the Queen’s honor. Clicking on the link would take the user to a fake Microsoft landing page that harvested their credentials.
It’s important to note that these scams crop up around any time of tragedy, with one of the most prominent examples occurring during the height of the COVID-19 pandemic, when phishing incidents increased by 220%.
These latest scams discovered by Kaspersky and Bitdefender seek to exploit the compassion of unsuspecting users.
“When buying from such sites, remember that many of them are not secure and the data entered on such pages is likely to be at risk of leakage, so remember to use a robust, secure solution to protect yourselves,” said Olga Svistunova, a security expert at Kaspersky. “Also choose to buy only from trusted stores and be suspicious of super low prices on goods — they can be used by cybercriminals as a lure to get your payment details.”
Phishing: the true risk to enterprises
While many of these scams are consumer-focused, they also create substantial risks for enterprises.
For instance, if an employee attempts to purchase goods on a phishing website via a personal account, they could hand over data and login credentials that the attacker could then reuse to breach their organization’s internal systems.
When it only takes a single login credential to cause a devastating breach, organizations can’t afford to overlook the dangers of these scams.
Nowhere is the danger of phishing and social engineering more clearly illustrated than in the case of the Uber data breach last week, where an 18-year-old hacker impersonated IT support staff to trick an employee into sharing their login credentials to gain access to the organization’s Slack and internal systems.
How enterprises can stop social engineering
These types of phishing scams won’t be the last, which means security teams need to play an active role in continuously educating employees about emerging phishing scams.
In practice, that means not only providing phishing simulation tests to measure employees’ ability to detect phishing emails, but also sending out regular communication campaigns that notify them about newly created phishing scams and list best practices they can use to protect themselves from threat actors.
As part of these best practices, it’s a good idea to advise employees using personal devices to only purchase physical goods and digital content from trusted vendors.
In addition, Kaspersky recommends that users double-check the URL of the stores they visit to confirm that it begins with HTTPS rather than HTTP, which indicates that the connection is encrypted. Users can also enable a VPN to ensure their traffic is encrypted when visiting sites online.
It’s also a good idea to create a phishing reporting process, making it clear how employees can report suspected scam emails to the IT department and to external organizations such as the Federal Trade Commission (FTC).