The COVID-19 global pandemic has businesses of all sizes and stripes grappling with how to adapt and succeed in these unprecedented times. On top of everything else, malicious cyber attackers are already capitalizing on the fear and confusion surrounding the coronavirus to extract personal, business, and financial information.
The surge in telecommuting and work from home (WFH) operations, in tandem with potent anxiety and confusion surrounding the current state of affairs, leaves businesses and individuals more vulnerable to phishing scams and cybersecurity risks.
Despite all of the challenges and uncertainties shrouding the path forward, businesses must be hyper-vigilant in protecting their digital assets and sensitive information from insidious actors.
Criminal Exploitation of COVID-19
Criminal fraudsters have already deployed sophisticated and malicious social engineering, email phishing, and online scam campaigns to exploit the COVID-19 crisis and manipulate users. Examples include attackers posing as the Center for Disease Control (CDC), World Health Organization (WHO), charitable organizations soliciting donations, and even as the government promising an economic stimulus check.
These attacks vary in sophistication and intent — from ransomware holding data hostage, to silent software installs (botnets) and fake login pages that steal credentials and personal information.
Attacks to both business and personal targets via phishing schemes and malware are expected to persist and grow in severity. Unfortunately, hospitals and healthcare facilities are likely and vulnerable targets during the coronavirus pandemic, however all businesses and individuals should be on alert and sharpening skills in how to detect and thwart these attacks.
COVID-19 scams and phishing content may include:
- Links to fake COVID-19 maps that look like the real Hopkins map but are actually infected with malware
- Impersonation of the Center for Disease Control (CDC), World Health Organization (WHO), an organization's HR department or another authoritative body with “alerts” or calls to action
- Fake offers of financial assistance and/or “economic stimulus”
- Fake charitable organization emails
- Fake product offers, including test kits and protective gear like masks, gloves and hand sanitizer
- Fake news headlines related to COVID-19
- Conspiracy theory emails that claim to “know the truth” about COVID-19
- Fake vendor/supplier emails related to COVID-19, with some kind of a call to action
- Fake Office 365 notification emails
- Fake FedEx, UPS, USPS, DHL, etc. emails
- Fake Amazon emails
- Fake voicemail messages embedded in email
- Fake CEO fraud targeting users related to wire transfers
Tips for Avoiding Phishing Scams and Cybersecurity Attacks in the COVID-19 Era (and Beyond)
- Exercise common “e-mail” sense. Don’t automatically trust any email message. The presence of familiar information can give you a false sense of security. Look for grammatical or typographical inaccuracies. If it seems too good to be true or it seems like “secret” information, it’s most likely a scam.
- Empower your employees with the skills and knowledge to stop an attack in its tracks. Use these steps to reduce exposure and strengthen your team’s security posture.
- Are you being called to act? If an email is asking you to do something or threatening you directly or indirectly, that is a red flag.
- Were you expecting this? Be suspicious of any email you weren’t expecting.
- Think before you click. Don’t assume emails from friends or co-workers have safe links or attachments.
- Bolster remote employee security. Here are strategies for securing employee remote access in your organization.
- Check with the sender. If in doubt, contact the sender of the email by phone to verify legitimacy.
- Review your sources. Only download software from trusted sources.
- Go to the source. If the email says it’s from CNN, go to the CNN site on your web browser. If the email says it’s from LinkedIn, go to the LinkedIn site.
Businesses have a lot to adapt to and keep up with as the complications from COVID-19 continue to unfold. However, this isn’t the time to deprioritize cybersecurity measures — personally, or in a business setting. Stay vigilant and alert in protecting your information.
