It is an unfortunate fact of life in the modern world that cybercriminals adopt social engineering schemes to exploit tragedies such as natural disasters or terror attacks. The understandable public concern over the health emergency created by COVID-19 presents the “perfect storm” for these fraudsters. Not surprisingly, as the COVID-19 crisis unfolded in the headlines, cybercriminals integrated COVID-19 themes into their tactics to exploit public fears connected to the burgeoning health crisis.
The problem has reached such proportions that the Federal Bureau of Investigation (“FBI”) has issued numerous warnings regarding these latest cyber threats. More and more people work from home, attend school online, and rely upon the internet for everything from news and emotional support to shopping. Therefore, prudence demands that businesses, governments, and individual users remain aware of the risks and undertake mitigation efforts.
The FBI warning to the public focuses on bogus emails claiming to come from the Centers for Disease Control and Prevention (“CDC”) or other organizations regarding updates on the current pandemic. Additionally, cybercrooks embed links in these emails that install malware or ransomware when recipients click on those links. Often, the malicious software masquerades as a website or app purporting to track COVID-19 cases but installs malware or ransomware instead, according to the FBI.
So-called phishing emails asking recipients to verify personal information to receive economic stimulus checks from the government have increased as well, according to the FBI. State or Federal agencies never send unsolicited emails. Even when making legitimate email contact with individual citizens, such agencies never request personal information as a condition of sending benefits checks. If an individual is eligible for benefits, the responsible State or Federal agency already possesses the identifying information for the recipient. They can get such information from either the recipient’s initial application or other means laid out in the statute. For example, the Treasury Department already possessed the necessary information to process the recent tax rebates authorized by the CARES Act from individual tax returns filed for 2018 or 2019, or from Social Security Records for the tax year 2019.
The FBI also warns of increased phishing emails related to charitable contribution scams, general financial relief scams, bogus airline ticket refunds, phony COVID-19 cures and vaccines, and fake COVID-19 testing kits. Users should delete any such emails, regardless of the purported source, unread. Official websites like coronavirus.gov or your state department of health website remain the best sources of legitimate information about benefits and other information related to the current public health emergency (PHE).
American and British authorities warn users to exercise extreme caution as criminals and hostile foreign state actors attempt to exploit the COVID-19 pandemic via social engineering attacks. These attacks, often posted on social media or disseminated via email, attempt to manipulate users into specific actions. Typically, the attack tempts the user to click on links to malware-infected websites, to download malware or ransomware apps, or to open email attachments containing malware or ransomware.
These social engineering attacks deceive users into believing that they come from trustworthy sources, such as the World Health Organization (“WHO”), the CDC, the IRS, or other official sources. Often these attacks contain links to fake login pages to steal user credentials. Another common tactic fraudsters employ is spoofing emails from the user’s human resources department. These emails ask users to open an infected attachment or direct them to a phony login page to steal their login credentials. Users can expect these types of social engineering schemes to increase in number and sophistication in the near term.
Typical indicia of fraud attacks include:
- Unsolicited emails with COVID-19 in the subject line;
- Unsolicited software (malware) with COVID-19 themes;
- Links directing users to non-government domain names containing COVID-19 keywords; and
- Attempts to compromise new and often rapidly deployed remote access infrastructure.
Emails with subject lines such as “2020 Coronavirus Updates” and “2019-nCov: New confirmed cases in your City” should raise user suspicion. Often such emails encourage the user to visit an infected website designed to steal user data, such as usernames, passwords, credit card credentials, and other personal information.
Criminals and hostile foreign state actors use many delivery methods for their phishing messages, not just email. “Vishing” (using voice communication) and “Smishing” (using text messaging) have risen in popularity among fraudsters during the current crisis. Users should expect such methods to increase in frequency going forward. These tactics exploit mistaken confidence in phone service security to socially engineer victims into calling a fraudster’s boiler-room (often off-shore) and divulging sensitive or confidential information.
So what can you do?
Make yourself aware of the risk.
Remain vigilant of the increased risk of cyber and phone scams associated with the current COVID-19 crisis. Best practices include:
- Do not open attachments from unrecognized senders (and even then, you should be cautious – confirm that your sender sent you an attachment before opening it).
- Do not ever give out financial or personal information in response to an email or robocall. Neither your bank, credit card issuer nor any government agency ever asks for such information – they already have it.
- Do not click on any links contained in emails or text messages; if an email purports to be from the CDC, then type cdc.gov in your browser rather than clicking on an email link.
- Check for misspellings of domain names within a link (e.g., URLs that should end in “.gov,” but end in “.com” instead).
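The indicia listed earlier and the link checks above can be automated as a first-pass mail triage. The following is an added example, not part of the original article: the keyword list, the function names and the sample hosts under example.com are assumptions, and the ".gov" test mirrors the article's U.S. government examples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
KEYWORDS = ("covid", "corona", "ncov")  # assumed keyword list, extend as needed

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare domain ('' if none), without 'www.'."""
    value = value.strip()
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    except ValueError:
        return ""
    return re.sub(r"^www\.", "", host.lower())

def triage(subject, html_body):
    """Return the indicators found in one message as a list of strings."""
    findings = []
    if any(k in subject.lower() for k in KEYWORDS):
        findings.append("subject: COVID-19 keyword")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = host_of(href)
        if not host.endswith(".gov") and any(k in host for k in KEYWORDS):
            findings.append(f"link: COVID-19 keyword in non-government host {host}")
        shown = host_of(text) if re.fullmatch(r"\S+\.\S+", text) else ""
        if host and shown and shown != host and not host.endswith("." + shown):
            findings.append(f"link: text shows {shown} but target is {host}")
    return findings

# Constructed sample message (not a real email); hosts are under example.com.
SAMPLE_SUBJECT = "2020 Coronavirus Updates"
SAMPLE_BODY = ('<a href="http://covid19-tracker.example.com/map">case map</a> '
               '<a href="http://cdc.gov.example.com/login">www.cdc.gov</a>')
```

A hit is a reason to quarantine or review a message, not proof of fraud; legitimate newsletters will also trip the subject-line check.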
Practice Good Password Protection
Change your passwords often. Make sure passwords are at least eight (8) characters long, contain upper- and lower-case letters, at least one (1) numeral, and at least one (1) special character. Additionally, enable multi-factor authentication. Doing so makes it more difficult to access your accounts even if a credential is compromised or stolen or if a device is lost or stolen.
Businesses Should Adopt User Access Restrictions and Controls
Businesses might consider adopting a policy of least privilege. This policy means employees have a minimum level of access necessary to carry out their job responsibilities. Doing so significantly limits the risk of a successful social engineering attack. It also limits the impact of any successful attack.
Review Your Business’ Incident Response
Although it’s a little late to prepare in advance for a crisis, businesses must anticipate that a certain percentage of social engineering attacks on their technical infrastructure will succeed. Every business should have a current and tested incident response and disaster recovery plan capable of immediate deployment in response to a successful social engineering attack.
Implement Business Continuity Plans
Everyone should understand that government resources at all levels remain stretched to the limit. Law enforcement and government regulatory agencies are operating with limited staff and resources and thus may be unable to provide the assistance they usually would.
Businesses should also have in place business continuity plans to weather situations such as the one in which we currently find ourselves. At the very least, business owners should review their disaster response plans with key personnel and ensure employees understand their roles and responsibilities.
Malicious actors work feverishly to exploit the public’s concern over the health crisis. These criminals seek to utilize social engineering methods to deliver malware and ransomware and to steal user credentials. We all must remain vigilant to minimize the risk of a catastrophic data security breach. Following best practices can limit the chances of becoming the victim of a major crime when law enforcement resources are as stretched as they currently are.