Morey Haber, Chief Security Advisor at BeyondTrust, is an identity and technical identity evangelist with over 25 years of experience in the IT industry.
The 2024 hurricane season has once again tested the US Southeast, with Hurricanes Helene and Milton leaving widespread damage, stressing local populations and taxing the home insurance industry.
While the businesses and residents of these communities focus on recovery, cybercriminals see opportunity. Scammers use digital communications such as email, text messages and social media to take advantage of those desperate for help after a natural disaster.
In times like these, vigilance becomes a vital tool to prevent digital fraud when businesses and people need it most.
Phishing messages masquerading as relief efforts
After natural disasters, scammers often launch email campaigns posing as aid agencies or government organizations with quick and easy help. These phishing attempts typically ask for sensitive information, such as social security numbers or banking routing information, under the guise of registering for disaster assistance.
These threat actors will impersonate well-known organizations such as FEMA, instructing recipients to click on fraudulent links to “expedite” their claims.
In fact, these links deliver malicious payloads, capture sensitive information through forms, redirect victims to fake websites, or deploy keyloggers or ransomware.
Under stress, business owners are prone to clicking without due diligence. For everyone in these situations, verifying official URLs and contacting agencies immediately is necessary to avoid falling victim to phishing attacks.
SMS Scams: “Urgent” Quick Fixes
In the wake of any natural disaster, many business owners and residents rely on mobile alerts for timely updates about the storm.
Imitating these text messages has become a weapon for threat actors. Scammers send texts claiming to represent repair contractors or insurers. They may offer to inspect damage or expedite payments, which may then lead to them asking for deposits in advance, information to file fraudulent claims, and possible physical access to commit theft.
Threat actors take advantage of the urgency of repairs after a natural disaster, knowing that business owners may skip basic verification like licensing when dealing with damaged assets. As a best practice, business owners should avoid engaging with unsolicited messages and always confirm appointments through official channels to mitigate the risk of sophisticated text message-based scams.
Charity Fraud and Crowdfunding Attacks
While charities, communities and local services rally around those affected by natural disasters, threat actors can take advantage of this generosity.
Businesses may receive electronic communications (email, text, voice, etc.) promoting fake charity or crowdfunding pages or asking for contributions. Some messages claim to raise money for specific local victims, adding credibility by using well-known place names, animal shelters and personalized details from public records.
Unfortunately, clicking on a fraudulent donation link can lead to financial theft, compromised personal data, and the knowledge that you’ve been vulnerable to attacks based on compassion for a cause.
To support victims of natural disasters, donations should only be made through verified platforms. Additionally, watch out for telltale red flags, such as misspellings or non-standard web addresses, that distinguish scams from legitimate charities. Finally, note that scammers will insist that you pay for services or make donations via bank transfer, gift card, payment app, cryptocurrency or cash.
Insurance Claims Process
After natural disasters, threat actors send emails that imitate insurers, which often include realistic claim numbers and logos, prompting recipients to update payment information or upload damage photos through fake portals.
These tactics aim to collect personal data or direct victims to pay discounts through bogus payment gateways. Business owners should contact their insurance companies directly using known contact information rather than clicking on links in unexpected emails.
Protection against digital fraud
The stress of recovery is an ideal scenario for scammers. However, being proactive, adopting cybersecurity best practices in your business and training your employees can prevent digital fraud. Here are some steps that can help keep your business safe:
• Control all communications. Be wary of spam emails or messages that require an urgent response, especially those that ask for personal information or payment.
• Trust but verify before you act. Always contact organizations through official websites or phone numbers, avoiding any links or attachments in suspicious messages. Also, don’t use the internet to look up a company’s phone number. Threat actors are known to spoof pages with fake numbers.
• Monitor financial accounts diligently after a disaster. Closely monitor bank accounts and credit reports to quickly identify unauthorized transactions from lost or stolen account information.
• Education is key. Educate employees, partners and associates about these scams to ensure everyone is prepared and aware of these threats.
Natural disasters are a fact of nature. Human resilience means more than rebuilding houses; it extends to the protection of digital assets. While recovery takes time, it doesn’t have to come with the added burden of cybercrime. Staying informed and vigilant allows all affected parties to avoid falling victim to digital fraud as they try to recover.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.