It’s uncertain who coined the phrase, “Never let a good crisis go to waste.” But earlier this year, opportunistic crooks adopted the sentiment as their modus operandi, and have been using it ever since to fuel a flurry of virus-themed ploys:
- Early in the crisis, Microsoft detected a massive phishing campaign using 2,300 different Web pages attached to messages and disguised as COVID-19 financial compensation information.
- From January to February, researchers from Barracuda Networks reported a 667% spike in COVID-19 related email attacks.
- The Federal Trade Commission (FTC) recently tallied more than 15K COVID-related consumer complaints, totaling more than $12million in fraud loss.
Security solutions provider, Sophos, also issued a disturbing report. In mid-April, its security experts had identified more than 1,700 malicious domains using “corona” or “covid” in their names. See their ongoing GitHub list for the latest entries.
Same Endgame, Different Angle
It’s not that attackers have suddenly amassed more resources for tricking users, observes Rob Lefferts, corporate VP for Microsoft 365 Security. Instead, he says, “They're pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get people to click…[essentially] shifting their techniques to capitalize on fear."
An Added Security Twist
Compounding these concerns is a recent advisory from the government’s Cyber Infrastructure Security Agency (CISA) over new risks introduced by companies’ quick pivot to an at-home workforce.
"Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking," CISA says. "Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities.”
How to Allay Current & Future Risk
Below is a short list of widely used tricks tied to the coronavirus outbreak, along with tips for mitigating associated risks and keeping remote workers safe. Of course, it’s essential to remind employees that phony appeals to disclose sensitive data or take questionable actions usually manifest in an email, phone call, voice message or text.
Meanwhile, you can better safeguard your company by alerting staff, especially teleworkers, to watch for and avoid ongoing threats like these:
- Government check scams: The amount of relief money being distributed–and peoples’ eagerness to receive their share–have social engineers salivating at the chance to steal it.
- Business Email scams: The FTC has renewed its warning about this familiar old scheme, in part because the current upheaval has spawned many unusual and urgently expedited transaction links (orders, refunds, cancellations). Also, because at-home workers can’t conveniently confirm a questionable directive like they could at the office. “An emergency request that would have raised eyebrows in the past might not set off the same alarms now,” warns the commission. View the FTC’s comprehensive COVID-scam list here.
- New Public Health scams: These claim to come from a reputable health agency or public health organization and may ask users to provide personal information or click on a link. These tricks will surely come, especially if COVID-19 or a virus variant re-emerges in the fall or winter.
Precautionary Guidance from CISA
With the volume and velocity of virus-themed schemes accelerating, consider boosting your security awareness training and updating your work-from-home security policies. Using these best-practice tips issued by CISA, and endorsed by TeamLogic IT, regularly remind employees to:
- Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink.
- Be wary of social-media pleas, texts or calls related to COVID-19.
- Avoid clicking on links in unsolicited emails and never download unknown attachments.
- Never reveal personal or financial information in email or respond to solicitations for this type of data.
- Verify a charity’s authenticity before making donations.
These tips from security-and-threat intelligence company, Webroot, also provide some additional and actionable measures.
Remember: as you did before the pandemic, ensure that your company’s process for reporting and responding to potential scams is crystal clear to all employees, and that support for addressing any expressed concerns is readily available. Our Managed IT services or Supplemental IT services may be the answer in many cases.
Contact TeamLogic IT Today
If you’re not sure how to protect your business or keep at-home workers secure and productive during the current crisis (and beyond), contact TeamLogic IT today. We’re helping thousands of companies every day and would welcome the opportunity to do the same for you.