Today the world is focusing on the health and economic repercussions of the COVID-19 outbreak. People are spending an increased amount of time working online due to social distancing. Meanwhile, cybercriminals are taking advantage of the rampant fear and uncertainty people are experiencing.
Many of the cybercriminals who are currently preying on people are after personal data such as credit card information; however, they also pose a severe threat to businesses that have sent their employees home to work remotely. These crooks have capitalized on the significant number of people working from home by deploying ransomware attacks to exploit vulnerabilities in organizational security systems. They are also utilizing social engineering campaigns to gain access to companies’ confidential data.
These social engineering campaigns in which malicious actors impersonate trusted organizations (banks, government agencies, hospitals) and individuals (friends, CEOs, IT workers) have proliferated as quickly as the disease. According to the FBI, instances of cybercrime have spiked by as much as 300 percent since the onset of the coronavirus.
Many of the social engineering campaigns that have emerged over the last several months target individual employees. Unfortunately, most companies that have been forced to close their offices have had little time to train their staff on how to recognize cyberattacks. Therefore, one of the most important steps business leaders can take to prevent cyber intrusions is to ensure their employees are aware of the COVID-19-related tactics fraudsters are using, including:
Emails that appear to come from government agencies
- There has been an increase in phishing scams where malicious actors send emails that appear to be government announcements. This deception can be easy to miss since many of these messages look credible. Many contain logos and imagery associated with organizations such as the Centers for Disease Control (CDC) and the World Health Organization. The sender’s email address can also seem legitimate. This is because cybercriminals can create domain names that are similar to the real sites. Although they may look reliable, they are often designed to steal email credentials.
- Some people are receiving emails that direct them to educational and health-related websites that contain malware. These attacks are designed to take advantage of people’s desire for information about the coronavirus. For example, fake coronavirus maps have been built to compromise computers and steal passwords: victims are enticed to open a map that displays data pulled from legitimate sources while malware runs in the background.
- In an effort to appeal to peoples’ generosity, cybercriminals are creating fake charities to solicit donations to combat the spread of COVID-19. Some of these phishing campaigns even involve emails impersonating the CDC that urge people to make payments.
Industry and operational disruptions
- A newer phishing campaign targets businesses whose supply chain operations could be disrupted by COVID-19, including manufacturing, finance, transportation, pharmaceutical and healthcare companies. Cybercriminals send employees malicious emails disguised as invoices, shipping receipts and job applications, with attachments that contain malware.
Video conferencing vulnerabilities
- As the reliance on video conferencing has increased to comply with social distancing and remain connected with clients and coworkers, incidents of hijacking or “bombing” virtual meetings have surfaced. Hackers dial into meetings uninvited and exploit weaknesses in the software to display inappropriate images and threaten attendees.
Once employees are familiar with the common cyberattack techniques being utilized during the COVID-19 pandemic, business leaders should coach them to take the following safety measures to protect both themselves and the company:
- Exercise caution. Be skeptical of any email asking recipients to click on a link or open an attachment, especially those that come from unknown senders. Messages that appear to be sent by friends or official organizations also require scrutiny, as the sender’s account could have been tricked or hacked.
- Check links before clicking. Hover over the link to preview the URL, and look carefully for irregularities. If anything seems suspicious, don’t click on the link.
- Avoid forwarding suspicious emails to coworkers. Instead, report them to the IT or security department.
- Don’t be fooled by the sender’s name. Crooks can put any name in the “from” field. Look for slight changes that can make the sender’s email address seem accurate. For example, cdc-gov.org and cdcgov.org are very close to the real CDC site, which is cdc.gov.
- Take heed of spelling and grammatical errors. They can be a sign of fraud.
- Use a variety of passwords. Once cybercriminals steal a password, they’ll try to use it on every website where employees might have accounts.
- Change your password. Those who suspect they’ve become a victim of cybercrime should create a new password as soon as possible.
- Never donate to charities via email links. Go directly to the charity’s website, and remember that as a federal agency under the Department of Health and Human Services, the CDC is taxpayer-funded and would not solicit donations.
- Establish a video conferencing policy. Upgrade conferencing software to the latest version, employ meeting passwords, avoid making meetings public, manage screen sharing options, make use of waiting room features, and lock the meetings once all participants have joined. Inform everyone if the meeting is being recorded, and store the recordings in a secure location.
- Be aware of app privacy policies. If you decide to use contact-tracing apps, be wary of privacy policies, as some applications may share your location data (and the social graph of all the people you physically meet) with third parties.
- Navigate to the CDC website for the latest information about the coronavirus. Other websites may not be as reliable or could even contain malware.
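The two checks above (preview the real link target, and watch for lookalike sender domains such as cdc-gov.org and cdcgov.org) can be automated for a mail gateway or a user-reporting tool. The following is an added example written for this article, not code from the original; the trusted-domain list and the sample addresses and links are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains the organisation treats as genuine.
TRUSTED = {"cdc.gov", "who.int"}

def host_of(value: str) -> str:
    """Lowercase hostname from an email address, URL or bare domain."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:      # email address
        return value.rsplit("@", 1)[1]
    if "://" not in value:                        # bare domain
        value = "https://" + value
    return (urlparse(value).hostname or "").rstrip(".")

def registered_domain(host: str) -> str:
    """Last two labels; fine for .gov/.org/.int, a real tool would use the public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def squash(name: str) -> str:
    """Drop dots and hyphens so cdc-gov.org, cdcgov.org and cdc.gov compare alike."""
    return re.sub(r"[^a-z0-9]", "", name)

def classify(value: str) -> str:
    """'trusted' for a genuine domain, 'lookalike' for an imitation, else 'unknown'."""
    host = host_of(value)
    if not host:
        return "unknown"
    if registered_domain(host) in TRUSTED:
        return "trusted"
    # cdc-gov.org, cdcgov.org and cdc.gov.example.com all contain "cdcgov" once squashed
    if any(squash(t) in squash(host) for t in TRUSTED):
        return "lookalike"
    return "unknown"

def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names a different site than its real target."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if not m:
        return False                              # plain words, nothing to compare
    return registered_domain(m.group(1)) != registered_domain(host_of(href))

if __name__ == "__main__":
    # Constructed samples modelled on the article's cdc.gov lookalikes.
    for sample in ["alerts@cdc-gov.org", "https://www.cdc.gov/coronavirus", "http://cdc.gov.example.com/login"]:
        print(f"{sample:40} {classify(sample)}")
    print(link_mismatch("https://www.cdc.gov/coronavirus", "http://cdcgov.org/map"))
```

A message whose sender classifies as "lookalike", or whose link text and target disagree, is a good candidate to route to the IT or security department rather than to the recipient.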
Employees are often the first line of defense against COVID-19-related cyberattacks. Business leaders must arm personnel with the knowledge and tools they need to fight these intrusions, because it only takes one email, one link and one unsuspecting employee for a cybercriminal to infiltrate your company.