Cybercriminals never like to let a crisis go to waste. While people around the world are still mourning the passing of Queen Elizabeth II, threat actors are exploiting the vulnerability of unsuspecting users.
Researchers at Kaspersky Research discovered several investment programs, offering users crypto tokens and NFTs named after the monarch in exchange for "paying tribute to her Majesty."
Researchers noted that users could buy commemorative coins and t-shirts from newly created websites, which left consumers' usernames, addresses, and card data unprotected.
The rise of new frauds related to the passing of Queen Elizabeth II demonstrates that security awareness training is critical to preventing staff from being tricked into handing over personal information.
Fraudulent messages invoking Queen Elizabeth II are at an all-time high.
Kaspersky isn't the only company to anticipate a spike in scams following the monarch's death.
Just last week, the National Cyber Security Center (NCSC) in the United Kingdom warned that "criminals may wield Her Majesty the Queen's death for their own gain," and urged users to be wary of unsolicited emails and SMS messages.
Bitdefender reported that on September 12, a wave of fraudulent emails sought to harvest Microsoft login credentials by tricking users into building an "AI memory board" in the Queen's honor. Clicking on the link would take the user to a fake Microsoft landing page designed to capture their credentials.
It is important to note that these scams can arise at any time of crisis, with one of the most prominent examples occurring during the peak of the COVID-19 epidemic, when phishing incidents increased by 220%.
The scams identified by Kaspersky and Bitdefender aim to exploit users' heightened sympathy.
"Beware of extremely low prices when shopping from such websites because many of them are not secure, and the information entered on such pages is likely to be exposed," said Olga Svistunova, a security expert at Kaspersky.
Phishing: the real threat to businesses
While many of these scams are mostly consumer-oriented, they also pose significant difficulties for businesses.
If an employee attempts to purchase items on a phishing website via a personal account, they may hand over data and login credentials that the attacker may then use to breach their organization's internal systems.
The danger these scams pose is hard to overstate when a single stolen login credential can be enough to cause a catastrophic breach.
Nowhere is the danger of phishing and social engineering more clearly illustrated than in the Uber data breach last week, when an 18-year-old hacker manipulated IT support personnel to trick an employee into giving them their login credentials to access the company's Slack and internal systems.
What can enterprises do about social engineering?
These types of phishing scams will not be the last, so security organizations must play an active role in continuously educating employees about emerging phishing scams.
In practice, this includes running phishing simulation tests to measure employees' ability to detect phishing emails, distributing regular communications to notify them of newly created phishing scams, and recommending the best strategies they can employ to protect themselves from threat actors.
As part of these best practices, employees who use personal devices should be advised to purchase physical goods and digital content only from trusted vendors.
In addition, Kaspersky advises that users double-check the URL of shops they visit to ensure that the connection is encrypted. Users may also enable a VPN to ensure their traffic is secure when visiting internet sites.
It's also a good idea to establish a phishing reporting system, which explains how employees may report suspected scam emails to the IT department and other external organizations, such as the Federal Trade Commission (FTC).