UK businesses applying for government Covid-19 loans at increased risk of email fraud


An investigation released today by cybersecurity firm Proofpoint has found that 80% of banks currently accredited by the UK government for Coronavirus Business Interruption Loan Scheme (CBILS) loans could be putting loan applicants at risk of fraudulent email attacks during the application process.

Only 13 out of the 64 accredited banks have implemented the adequate level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection. This protocol stops cybercriminals spoofing an organisation’s identity to defraud victims and decreases the risk of email fraud for customers.

Cybercriminals regularly use spoofing to pose as government bodies or respected institutions, such as banks or financial organisations, by sending an email from a supposedly legitimate sender address. This makes it almost impossible for an ordinary internet user to identify a fake sender from a real one.

Preventative measures

While the findings suggest 80% of accredited banks are not proactively blocking fraudulent emails from reaching targets, of the 64 accredited banks, 61% have no published DMARC record at all. This is leaving them wide open to impersonation attacks.

It comes at a time of heightened risk as the volume of cyberattacks utilising Covid-19 has increased dramatically. Initially, Proofpoint was seeing about one campaign a day worldwide but the team is now observing three to four each day across several languages.

“By not implementing simple, yet effective email authentication best practices, these accredited organisations are putting already vulnerable businesses at even greater risk, whilst Covid-19 related attacks are on the rise,” said Adenike Cosgrove, Cybersecurity Strategist, International at Proofpoint.

“In times of urgency and uncertainty, individuals are much more susceptible to these kinds of attacks, particularly if a fraudulent email looks like it has come from a genuine domain. In tandem with the fact that the UK government has mandated this email authentication standard for public sector organisations, having the recommended level of DMARC protection is essential for any organisation accredited for the CBILS.”

In light of the increased risks, businesses should be wary of any communication that instructs them to hand over personal information or financial details. People should also ignore all unexpected solicitations by email. Banks will not ask for highly sensitive information via these channels.

Business owners should also avoid clicking on unknown links, even from senders that appear official. If the information contained in an email looks legitimate, corroborate it with an official source. In addition, keep an eye out for spelling and grammatical errors. If an official-looking email includes spelling mistakes, it’s unlikely to be legitimate.

To assess the level of DMARC adoption among CBILS-accredited lenders, Proofpoint conducted an analysis of the corporate domains of the 64 organisations featured on British Business Bank’s list of current accredited lenders and partners as of May 11th 2020.
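The gap between "no published DMARC record" and "not proactively blocking" can be checked per domain from the TXT record at `_dmarc.<domain>`. The sketch below is an added example, not Proofpoint's methodology or code: the domains and records are constructed, the category names are hypothetical, and it assumes that only `p=reject` counts as proactively blocking.

```python
from collections import Counter

# Constructed sample: TXT strings as they would be returned for _dmarc.<domain>.
SAMPLE = {
    "bank-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example"],
    "bank-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example"],
    "bank-c.example": [],                        # nothing published
    "bank-d.example": ["v=spf1 -all"],           # a TXT record, but not DMARC
    "bank-e.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=reject"],
    "bank-f.example": ["v=DMARC1; p=quarantine; pct=50"],
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT string, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must begin with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, _, value = part.partition("=")
        tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Classify the TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no_record"
    if len(records) > 1:
        return "invalid"  # receivers do not apply DMARC if several records exist
    policy = records[0].get("p", "").lower()
    return {"none": "monitor_only", "quarantine": "quarantine",
            "reject": "reject"}.get(policy, "invalid")

def summarise(domains):
    """Return per-category counts and the share of domains at p=reject."""
    counts = Counter(classify(txt) for txt in domains.values())
    return counts, counts["reject"] / len(domains)

if __name__ == "__main__":
    counts, share = summarise(SAMPLE)
    print(dict(counts), f"{share:.0%} at p=reject")
```

A domain at `p=none` has a published record but still lets spoofed mail through, which is why the two percentages in the findings differ.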

Rob Clymo
