Amid the hysteria over coronavirus (COVID-19), many people know to seek out trusted third parties for guidance in situations like these, such as the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC). But lesser known is the fact that phishing scammers have started capitalizing on the widespread fear and uncertainty for their benefit by posing as these authoritative agencies.
You’ve probably been on the receiving end of numerous phishing attempts in your lifetime – think of the latest frantic email you received from a relative claiming they’re traveling abroad and lost their wallet. Or what about in the workplace, when you received that email from your CEO asking you to wire over money? Alarmingly, business email compromise (BEC), a more targeted form of phishing, has caused $26 billion in losses over the last four years.
In January 2020, email scammers, disguised as virologists, started disseminating phishing emails with malicious links that claimed to have advice on protective safety measures. More recently, bad actors spoofed the WHO and targeted Italy, a country massively affected by this outbreak. Since January, more than 4,000 coronavirus-related domains have been registered, and research by Check Point suggests that these domains are “50 percent more likely to be malicious than other domains registered at the same period.”
Your organization can have stringent security measures in place to fend off even the most technologically complex hackers, but an employer’s lack of awareness can lead to accidental exposure. According to Proofpoint, accidental exposure was the third most common type of breach in 2018. The public is vulnerable to phishing, as evidenced by Retruster’s data showing phishing attempts have grown 65 percent in the last year.
But not to worry. Just like there are basic hygiene methods that will actually slow the spread of disease in communities, implementing cyber hygiene best practices for your organization can reduce the cybercrime risk. Just as most people are naturally wary of fear-inducing, unsolicited calls from the “IRS,” they should be cautious with any and all unsolicited emails concerning coronavirus.
Although some scams are more conspicuous than others, knowing the signs of suspicious activity can go a long way toward safeguarding you and your network’s personal information. At first glance, an email may look genuine, but upon further inspection, you may notice some glaring errors. Did the email contain typos? Did the email address look legitimate? Is there a call to action to click on an attachment or link?
If the email or website looks familiar, you might not think twice about sending over your personal information, but it is important to take a moment to assess the situation. If you are asked to enter personal or financial information, and you recognize the sender – whether it is your bank or a prominent health institute – call customer support to inquire about the questionable email. A legitimate organization or company wouldn’t email or call to ask you for this sort of sensitive information.
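The checks described above (does the sender address match who the email claims to be, and does it push you toward a link or attachment) can also be automated at the mail gateway. The sketch below is an added example, not part of the original article; the official domains `who.int` and `cdc.gov`, the keyword list, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for this example: the agencies' official domains and the lure keywords.
OFFICIAL = {"who.int": ("world health organization", "who"),
            "cdc.gov": ("centers for disease control", "cdc")}
LURE_WORDS = ("coronavirus", "covid")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def claimed_agency(display_name):
    """Official domain of the agency a display name claims to be, else None."""
    low = display_name.lower()
    for domain, names in OFFICIAL.items():
        if any(re.search(rf"\b{re.escape(n)}\b", low) for n in names):
            return domain
    return None

def review(raw):
    """Return warning strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    findings = []
    agency = claimed_agency(display)
    if agency and not under(sender_host, agency):
        findings.append(f"sender claims {agency} but mails from {sender_host}")
    for part in msg.walk():
        if part.get_filename():
            findings.append(f"attachment {part.get_filename()}")
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, "replace")
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname or ""
                themed = any(w in url.lower() for w in LURE_WORDS)
                if themed and not any(under(host, d) for d in OFFICIAL):
                    findings.append(f"themed link to unofficial host {host}")
    return findings

SAMPLE = """\
From: "World Health Organization" <alerts@who-int.example>

Safety measures: http://covid-safety.example/login
"""  # constructed message, not a real sample
```

A message that trips either check is a candidate for quarantine or a warning banner; a clean result does not prove the message is legitimate.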
On an organizational level, if you haven’t already, implement mandatory workplace cybersecurity training with coronavirus phishing email examples and how they might be used. This brings the training up to date with real-world situations.
Additionally, it is no secret that bad actors will leverage breached data to steal credentials and ultimately initiate an account takeover. Coronavirus does not change this attack vector, but we may see an increase in activity due to the chaos that coronavirus is creating within organizations. Vigilance is important at both the individual and the corporate level. Companies should implement tools that recognize which employees have compromised accounts circulating on the deep and dark web, where they can be exploited.
We cannot, however, rely on technology alone to address this issue. In the wake of this pandemic, workflow will be disrupted and companies will be forced to implement new processes. New processes are rarely perfect, and organizations will be experiencing more exceptions than normal. Amid the chaos, even C-Suite executives may let their guard down. It is important that we as individuals make smart decisions to protect ourselves and our organizations.
Otherwise, phishing schemes will spread further and become as pervasive as the coronavirus itself. You can find more information about how to protect yourself from coronavirus phishing and cyber scams at the United States Secret Service or the DHS Cybersecurity and Infrastructure Security Agency (CISA).