Hackers are Taking Advantage of Coronavirus Fears
As with any other large-scale event, scammers around the world are attempting to capitalize on fear, confusion, misinformation and desperation by using coronavirus/COVID-19 themes in many types of phishing email scams. The Secret Service issued a COVID-19 Phishing Alert press release on March 9 to warn the public about an opportunistic rise in malicious activity.
These scams include phony information sites containing malware, solicitation of donations to causes related to the virus, miracle cures, or vaccinations (which do not yet exist) – pretty much anything you can imagine. Their goal is to get you to click on a hyperlink or open an attachment, either of which can mean very bad things for your computer and possibly the rest of your computer network.
Now is the best time to alert your employees of the uptick in scams and train them on best practices to avoid becoming a victim of cybercrime.
What Your Employees Need to Know About Email:
- Never click on links or open attachments unless they were expecting them from a known sender, or receiving them makes sense given the particulars of the message. Remember that the apparent sender name can be easily faked, so it is best to contact the sender to verify the legitimacy of any message in question.
- Emails that are vague, contain misspellings or incorrect grammar, have blurry logos, or show other red flags should give them pause.
- Scammers can send phishing emails from compromised legitimate email accounts.
- Do not provide log-in information, passwords or other personal data.
- If in doubt, and the message appears to come from someone known such as a customer or a supplier, always call the sender directly to confirm the authenticity of the email.
- To verify links in the email, float the pointer over the link (don’t click). Most email clients display the URL the link actually points to, usually at the lower left of the window. However, please be aware that this can also be faked with some effort.
More advanced users can check the email header, which is generally a more reliable indicator of the true sender. Open source email header analyzers are available. One I use is MX Toolbox. Different email clients have different ways of viewing the header, but once you find it, copy the email header and paste it into an email header analyzer.
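As an added example (not from the original post, and not how MX Toolbox works internally), here is a small Python script that performs the kind of header check described above: it reads a raw header block as you would copy it from a mail client and flags the signs that the visible sender does not match the real one. The sample headers are constructed, using RFC 2606 `.example` domains.

```python
"""Flag common sender-spoofing signs in a raw email header block."""
import email
import re
from email import policy

# Constructed sample: a phishing message whose visible From: impersonates a
# health agency while the envelope and authentication results point elsewhere.
# All domains are RFC 2606 .example placeholders, not real senders.
SAMPLE_HEADERS = """\
Return-Path: <bounce@covid-relief-fund.example>
Received: from covid-relief-fund.example (covid-relief-fund.example [203.0.113.7])
\tby mx.company.example with ESMTP id abc123; Mon, 9 Mar 2020 10:15:02 +0000
Authentication-Results: mx.company.example;
\tspf=pass smtp.mailfrom=covid-relief-fund.example;
\tdkim=none; dmarc=fail header.from=health-agency.example
From: "Health Agency Alerts" <alerts@health-agency.example>
Reply-To: donations@covid-relief-fund.example
To: staff@company.example
Subject: URGENT: COVID-19 emergency donation
"""

def domain_of(addr):
    """Return the lowercase domain of an address like 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else None

def analyze_headers(raw):
    """Return a list of human-readable warnings found in the headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom = domain_of(msg["From"])
    # Envelope sender and reply address should normally match the From: domain.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and from_dom and dom != from_dom:
            warnings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # Authentication-Results is added by the receiving server, so it is hard to fake.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            warnings.append(f"{method} result is {result}")
    # The bottom-most Received: header is the earliest hop, i.e. the originating host.
    hops = msg.get_all("Received", [])
    if hops:
        first = re.search(r"from\s+(\S+)", str(hops[-1]))
        if first and from_dom and not first.group(1).lower().endswith(from_dom):
            warnings.append(f"originating host {first.group(1)} is not under {from_dom}")
    return warnings

if __name__ == "__main__":
    for w in analyze_headers(SAMPLE_HEADERS):
        print("WARNING:", w)
```

For the constructed sample this reports five warnings (envelope and reply-to mismatch, missing DKIM, failed DMARC, and an originating host outside the From domain); a message whose checks all pass returns an empty list.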
Be Cautious of Hyperlinks
Hyperlinks are just as dangerous as attachments, because they connect your computer to an unknown server with unknown intent. It may be a fake or copied website attempting to obtain information from you. It may have permission pop-ups that trick you into clicking on them, which may allow the scammers to download a keylogger, ransomware or other malware to your computer.
It’s only natural for your employees to want to learn more about the COVID-19 outbreak status. Make sure they are going to reputable sites for their information versus unknown websites that appear in search results or in email messages. Reputable sites include:
- Centers for Disease Control and Prevention
- World Health Organization
- Websites for local newspapers or television news
- Local city and county websites
About 35% of employees will click on things they should not, even after training. So yes, you should definitely still train them, but also put other backstops in place where possible.
Data Security Measures You Need to Engage
- Most computer network intrusions (~90%) start at the endpoint, and phishing in particular does, so it’s important to have multi-level defenses to help mitigate threats in this channel.
- Consider turning on threat protections that may be available from your email host – or even at the DNS level. A secure email gateway may be an option.
- Configure additional Exchange filters based on specific attack trends that are discussed in data security forums. Yes, this usually entails someone on staff who works in data security, but it may also be done by your IT provider.
- Run a reputable anti-virus or endpoint security solution on every machine in your network, and configure it to update automatically and so that users cannot turn it off.
- Set spam and phishing filters at as aggressive a level as the individual business can tolerate. This may take some experimentation.
- Train users what to look for in phishing emails (flags mentioned above). Consider “testing” users with internal phishing campaigns to get an idea of additional training needs, click rates, etc.
It’s a constant cat and mouse game with cybercriminals. This is one of the reasons why investing in data security at an appropriate level for your business has become a cost of doing business in our technology age. It’s unfortunate, but it’s better to be safe than vulnerable.