COVID-19 Fraud Alert
13 Common Tricks Cyber Criminals Use & 7 Cybersecurity Tips To Defend Yourself
As some of the country starts re-opening this month, it’s important to remember the cyber risks associated with COVID-19 aren’t going away anytime soon. Since the beginning of the COVID-19 crisis, cyber risks have increased drastically, and according to new data released by the Federal Trade Commission, more than 15,000 Americans have reported COVID-19-related frauds, totaling almost $12M in losses. As a panelist on a webinar recently opined, “it’s just like the bad guys to take advantage of bad times.”
On March 20, 2020, the FBI’s Internet Crime Complaint Center issued a public service announcement alerting the public to a rise in “fraud schemes related to the Coronavirus (COVID-19) pandemic.” Cybercriminals are utilizing phishing e-mail scams and malware to take advantage of the current uncertainty. Phishing is a type of fraud in which a hacker attempts to gather personal information or credentials by impersonating a legitimate brand and sending users to a malicious website. According to Google, almost 1/5th of the roughly 18 million email messages rejected per day on Gmail now feature phishing scams or malware tied to COVID-19. These types of scams are not new, but as a large portion of the workforce moved to remote work in March and April, it’s more important than ever to be on alert for these threat vectors.
Among the scams to look out for are emails purporting to contain helpful information from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), and other medical sources, and any emails that ask recipients to provide personal information in order to supposedly receive an economic stimulus check or a PPP loan. According to the WHO Chief Information Security Officer, hacking attempts against the agency and its partners have soared as they battle to contain the COVID-19 pandemic. In February, the WHO warned about an increase in phishing emails that use the organization’s logo and name during this crisis. The IRS issued its own warning related to the distribution of stimulus checks, and reminded people to take extra care during this time. Remember, these agencies will not ask for sensitive personal information via e-mail or phone call in order for individuals to obtain their stimulus checks.
Making sure your employees are aware of these types of malicious acts is vital. Employees are the front line of defense as it relates to cybersecurity, so remind them to remain vigilant.
Here are some tips to follow:
- Do not open attachments or click links within emails from senders you do not recognize
- Do not provide your username, password, date of birth, Social Security number, financial data, or other personal information in response to an email, robocall, or text message
- Always verify the web address of legitimate websites and manually type them into your browser
- Check for misspellings or wrong domains within a link (for example, an address that should end in a “.gov” ends in “.com” instead)
- Always double check the e-mail address. Never trust an e-mail based simply on the purported sender
- Do not rush or feel pressure to respond immediately. Always take time to think about a request for your personal information, and whether the request is appropriate
- If you do give out sensitive information, don’t panic. Reach out to the appropriate individuals at your organization and alert them immediately
Practicing good cyber hygiene is paramount (you can read about our tips for staying cyber-safe while working remotely here)! Hackers are exploiting weaknesses in at-home networks, among other things, and show no signs of stopping.
Here are some tricks that the cybercriminals have been utilizing related to the pandemic:
- Phishing emails related to airline flight refunds that include a link to a refund form asking for the target’s name and credit card details
- Text messages and robocalls alleging the target has been in contact with someone who recently tested positive for COVID-19 and encouraging the target to provide personal information
- Malware hidden behind a website claiming to show a global heatmap of Coronavirus reports
- Emails purporting to be from an organization’s IT department with subject lines such as “COVID-19 Alert” and “ALL STAFF CORONAVIRUS AWARENESS” that include links to register for internal seminars on the topic
- Phishing emails impersonating the World Health Organization that include links containing malware
- The sale of fraudulent COVID-19-related ‘miracle’ health products
- Malware hidden in online meeting invites
- Fake charities claiming to be a government program raising funds for the development of a vaccine
- Scam websites claiming to sell face masks
- Emails claiming to be from vendors about COVID-19 tools and strategies that include links to PDFs and Word documents and invite the recipient to click and open the attachment
- Text messages from numbers closely resembling the employer’s phone number, indicating the recipient needs to “click here” to find out about modified firm operations
- Fraudulent domain names containing words related to COVID-19
- Phishing emails purporting to be from human resources asking the target to log in to a Zoom meeting regarding their termination
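For teams that want to automate the sender and link checks from the tips above, and the look for pandemic-themed domain names from this list, here is an added example in Python (not part of the original alert). The allowlist of official agency domains, the keyword list, and the sample messages are assumptions constructed for illustration; a flag means "verify before trusting," not proof of fraud.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlist: official domains of the agencies the article names.
OFFICIAL = {"cdc": "cdc.gov", "who": "who.int", "irs": "irs.gov"}
# Assumed keyword list for pandemic-themed domain names.
KEYWORDS = ("covid", "corona", "stimulus", "vaccine")

def is_official(host, brand):
    """True if host is the brand's official domain or a subdomain of it."""
    domain = OFFICIAL[brand]
    return host == domain or host.endswith("." + domain)

def brands_in(text):
    """Agency names that appear as whole tokens in a name or hostname."""
    tokens = set(re.split(r"[^a-z0-9]+", text.lower()))
    return [b for b in OFFICIAL if b in tokens]

def check_sender(from_header):
    """Flag a display name that claims an agency the address does not match."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2].lower()
    return [f"display name claims {b.upper()} but mail is from {host}"
            for b in brands_in(name) if not is_official(host, b)]

def check_link(url):
    """Flag agency look-alike hosts and pandemic keywords in a link's host."""
    host = (urlsplit(url).hostname or "").lower()
    flags = [f"{host} uses the name {b.upper()} but is not {OFFICIAL[b]}"
             for b in brands_in(host) if not is_official(host, b)]
    official = any(is_official(host, b) for b in OFFICIAL)
    hits = [k for k in KEYWORDS if k in host]
    if hits and not official:
        flags.append(f"{host} contains pandemic keyword(s): {', '.join(hits)}")
    return flags

if __name__ == "__main__":
    # Constructed samples using reserved example domains.
    print(check_sender('"CDC Health Alert" <alerts@cdc-gov.example>'))
    for url in ("https://www.cdc.gov/coronavirus/",
                "http://irs.gov.example.com/stimulus-check",
                "http://covid19-relief-masks.example/order"):
        print(url, check_link(url))
```

Only the hostname is inspected, so a genuine agency page with "coronavirus" in its path passes, while an official-looking name placed in front of an unrelated domain is flagged.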
Because no cybersecurity solution can guarantee a company’s systems or network will not be hacked, understanding what to look for to protect your networks from phishing attacks is the first step to increasing cyber defenses. Remember to stay alert during this time of uncertainty!