How hackers are using COVID-19 to find new phishing victims
Hackers will always exploit a crisis, and the coronavirus outbreak is no different. Since January, cybercriminals have leveraged the COVID-19 pandemic to stage all manner of cyberattacks, from ransomware take-overs of hospital systems to private network hacking. But the latest cybercrime scheme exploits the greatest cybersecurity vulnerability of all: human emotion. A slew of recent phishing attacks are targeting consumer trust in big name videoconferencing platforms to steal personal information and harm lives.
As a genre of cybercrime, phishing attacks are nothing new. In a phishing scam, cybercriminals try to get an individual to download malware or give away personal information via email or phone by exploiting their fear, anxiety, curiosity or trust. Often, cybercriminals pose as a trusted friend, official government agency or a well-known business. In fact, there have already been numerous phishing scams related to COVID-19 since the start of the outbreak, most of which have involved hackers impersonating health organizations and delivering fake coronavirus-related news.
But this time around, hackers have adapted to the realities of remote work and telecommuting by impersonating trusted tech platforms. Skype, Zoom and Google Meet users are now the targets of manipulative cybercrime.
Recent Check Point research uncovered that more than 1,700 Zoom-related domains have been registered in the last three weeks alone, and 4% of them are suspicious or possibly malicious. Hackers are using these false domains to fabricate Zoom meeting notifications and create fake COVID-19 themed email alerts. Individuals who respond to these alerts usually end up downloading malware or otherwise compromising their data security. In another iteration of this kind of scam, hackers are impersonating a Skype login page and tricking Skype users into relinquishing their password information.
It’s a devilishly smart tactic. Hackers know that over 90% of data breaches are the result of human error. And with so many people working from home, cut off from regular contact with IT security and generally on edge with anxiety or stress, now is the perfect time for hackers to test the limits of individual vigilance.
The extent of this new phishing threat is huge. Google’s Threat Analysis Group reported in mid-April that they blocked 18 million COVID-19 themed malware and phishing emails per day. At ID Experts, we’ve seen a 50% increase in the number of our ID Experts members who report being targeted by scams and phishing attacks since stay-at-home orders were first put into effect.
While spam blockers go a long way toward limiting the impact of scammers, no technology can fully protect an individual from the trickery behind phishing attacks. That’s because hackers rely on a form of psychological manipulation known as social engineering to entice and deceive individual users. The only surefire way to fight back against phishing scams is to educate employees on the signs and help them improve their personal cybersecurity hygiene.
To protect their privacy, individuals at all levels of management have to be extremely cautious before opening emails or alerts that appear to come from health experts, government agencies or businesses. And as we now know, consumers should be equally cautious when responding to videoconferencing meeting invitations. As a general rule, if you aren’t expecting the email, then don’t open it! When in doubt, check the email address against the sender’s website before clicking, or reach out to the sender directly.
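The address check recommended above can be partly automated on the receiving side. The following is an added example (not code from ID Experts or Check Point) that flags sender addresses and links whose host contains a videoconferencing brand name but does not sit under that platform's real domain; the allowlist of legitimate domains and the sample messages are assumptions constructed for this illustration.

```python
"""Flag brand-lookalike domains in sender addresses and message links."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist (illustrative, not exhaustive): legitimate domains for the
# platforms the article names. Order matters for the keyword fallback below.
LEGIT_DOMAINS = {
    "zoom": ("zoom.us",),
    "skype": ("skype.com", "microsoft.com"),
    "meet": ("google.com",),
}

def _is_under(host, domain):
    """True if host is the domain itself or a real subdomain of it (us02web.zoom.us -> zoom.us)."""
    return host == domain or host.endswith("." + domain)

def classify_host(host):
    """Return (brand, verdict): 'legit', 'lookalike', or 'none' if no brand keyword appears."""
    host = host.lower().strip(".")
    for brand, domains in LEGIT_DOMAINS.items():
        if any(_is_under(host, d) for d in domains):
            return brand, "legit"
    for brand in LEGIT_DOMAINS:
        # Brand keyword anywhere in the host (zoom-meeting-alerts.example, zoom.us.login.example)
        # without the host being under the allowlisted domain is the lookalike pattern.
        if brand in host:
            return brand, "lookalike"
    return None, "none"

def check_message(sender, body):
    """Return findings for the From address and every http(s) link in the body."""
    findings = []
    _, addr = parseaddr(sender)
    sender_host = addr.rpartition("@")[2]
    brand, verdict = classify_host(sender_host)
    if verdict == "lookalike":
        findings.append(("sender", sender_host, brand))
    for url in re.findall(r"https?://[^\s<>'\"]+", body):
        link_host = urlparse(url).hostname or ""
        brand, verdict = classify_host(link_host)
        if verdict == "lookalike":
            findings.append(("link", link_host, brand))
    return findings

# Constructed sample messages; .example is reserved for documentation, so these are not real sites.
SAMPLE_SUSPECT = (
    "Zoom Meetings <noreply@zoom-meeting-alerts.example>",
    "Your termination meeting starts in 10 min: http://zoom.us.login.example/j/8675 ",
)
SAMPLE_LEGIT = ("Zoom <no-reply@zoom.us>", "Join: https://us02web.zoom.us/j/1234567890")
```

The second sample link shows why a plain "does it contain zoom.us" check is not enough: the real domain appears as a subdomain of an unrelated host.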
Additionally, employees must keep in frequent communication with their coworkers and peers.
Hackers like to exploit our isolation and confusion, but they can’t trick everyone at once. In one example of a recent phishing scam, hackers are sending around fake job termination meeting alerts through Zoom. If you receive an email or meeting notification that makes you panic, reach out to other trustworthy people like coworkers and supervisors to confirm the content of the suspicious email. Similarly, companies’ IT departments must ensure that the same centralized precautions that are in place in an office environment are in place to protect remote workers. These should include multiple levels of detection to help employees defend against phishing scams or other kinds of cyberattacks.
Finally, never download suspicious files! This may go without saying, but you’d be surprised how many people unsuspectingly download malware files just because the original email looks legitimate at first glance. Always check and double-check strange download requests. If it seems weird that a service you’ve used for years suddenly wants you to download a new app or update through a special link, chances are it’s a scam.
Phishing is a serious threat that can cost individuals and companies both money and peace of mind. Hackers are always changing tactics to exploit our greatest vulnerabilities. To stay ahead of these criminals, we have to be vigilant, especially during the pandemic.