Avoiding Cybercriminal Exploitation of COVID-19

Who isn’t looking for some answers? Are the risks of the virus serious for me and the people I’m around? Which government leaders have it right? Am I being asked to go back to work in an unsafe environment? How will the economy impact me and those I care about?

This is the kind of uncertainty the unscrupulous prey on.

The Federal Trade Commission warned people to not respond to digital communications from those claiming to have information about checks from the government.

Filing an unemployment claim for the first time? Can you ignore the phone call from someone purporting to be an official? ¹

From the UK’s National Cyber Security Centre: “Cyber criminals are sending emails that claim to have a ‘cure’ for the virus, offer a financial reward, or encourage you to donate. These emails are preying on real-world concerns to try and trick you into clicking. These scam messages (or ‘phishes’) can be very hard to spot, and are designed to get you to react without thinking.” ²

What’s Happening

So you can be prepared to not fall victim, here are some of the tactics criminals are employing to get at your funds and valuable information:

A Trickbot trojan (malware to hijack your bank account or deploy ransomware) email disguised as official medical information about COVID-19 ³

Researchers at Proofpoint ⁴ have identified coronavirus-themed hacking campaigns that install malware. These are triggered by emails that link to fake Office 365, Adobe, and DocuSign sites meant to steal credentials. Proofpoint also shows an example of a convincing internal-looking email purported to be from the company’s president about the business’s coronavirus policies using an attached, malware-infected Word document. ⁵

Proofpoint has cataloged more than 300 official-looking websites — supposedly from the IRS, WHO, CDC, and several government bodies. These are often multi-page sites to more convincingly fool people and are made to harvest credentials. ⁶

The World Economic Forum (WEF) issued a COVID-19 report that outlines new cyberrisks and how they may be exploited ⁷ : working remotely has “increased the attack surface exponentially” — more devices, more business-asset-connected endpoints that need securing from cyberattacks through our newly-“heightened dependency on personal devices and residential networks.”

In the same report the WEF warns that the near-instant “deployment of new services, mostly cloud-based … may bypass important risk assurance steps” and create exposure to criminals. How secure are Zoom and its competitors anyway? Per Wired Magazine, Zoom’s “mixed messages [about its level of encryption] have frustrated cryptographers.” ⁸

And because of the surge in Zoom use, suddenly hundreds of domains a day containing the word “zoom” are being registered. Almost a third of these websites are attached to an email server often meaning they’re designed for phishing attacks to harvest login credentials. ⁹

With the greatest concentration on collaboration platforms like Office 365, Teams and Slack, during the pandemic the number of external threats targeting cloud services increased by 630%, per McAfee. Data show that traffic from unmanaged devices to enterprise cloud accounts doubled. And there’s no way for a business to recover data from an unmanaged device, exposing companies to more data loss events. ¹⁰

Before the coronavirus outbreak, it was typical for ransomware attackers to steal hacked organizations’s data and threaten to expose it online unless the victims paid ransom fees. Now attackers, aware of increased urgency, unleash encryption and make their ransom demands immediately. Hospitals and medical practices have seen an increase in these kinds of attacks. ¹¹

Like the Guide Book Said: Don’t Panic

As you can see from the above brief accounting, the general tactics of cybercriminals remain the same. Most of what’s changed are our circumstances and frames-of-mind. We’re more likely to click on things when in a panic. Instead take steps to make things better. Following are ways to shore up your cybersecurity position.

Businesses built their contingency plans in another age: when we were all in the same room. Now planning must reflect our remote reality. Key personnel must have reliable phone numbers and backup email addresses for senior executives on paper. ¹²

Businesses need to know what devices are connected to and running on their networks, aggressively manage administrative privileges and be vigilant about firewalls and patching vulnerabilities. ¹³

Don’t use business-networked devices for personal use, as non-work use needlessly exposes the company’s network. ¹⁴

Login to your router to verify it has a strong password.

It gets tempting working remotely for an extended period to grow lax about using one’s own tech tools, like computers, personal email accounts, texting apps. But your tech was probably not set up to protect your company’s network. So work only with company-provided devices, accounts and apps. ¹⁵

Check the website’s URL in the browser’s address bar. A fake site may look identical to an official site, but the domain name in the address bar is a giveaway. But you have to look closely. Check for spelling in the address bar. And look out for unusual domain names that end in “.ma” or “.co” instead of more often legitimate domains like “.com” or “.org.”

Now more than ever be wary of a call from an organization. If, for example, your bank calls with a fraud alert, hang up and call the customer service number on the back of your bank card and ask whether the bank really called you. ¹⁶

Phishing emails frequently contain links to websites asking for personal information, or contain attached malware-infected files. So double-check the sender — smartphone companies make it inconvenient in the interest of you-don’t-have-to-think-about-it ease-of-use; iPhone’s require more than one click before it shows the actual sender’s email address. Once you reveal it, spoofed email addresses will look like legitimate ones, but be just a little off.

Expect the Best, Prepare for a Cyberattack

Security is knowing what to do, planning to do it, enacting these precautions and throughout keeping a level head. So, try in these times to take steps to improve your business’s security. Measure your actions. Clear your head before you react to something or someone putting urgent pressure on you — go out for a walk or run. And check the validity of any uncertain communication with co-workers you trust, with people you trust.

Learn more on how Managed IT Services can help your business.
Discover the best IT Company suited for your business.