In our new normal, we need to be even more vigilant against Cyber Attacks. Especially as it relates to Social Engineering — which is defined as the psychological manipulation of people into performing actions or divulging confidential information. Due to COVID-19, reports indicate that Social Engineering–related cyber attacks have risen over 1000% in the last three weeks. Bad people are going to take advantage of this chaos to instill fear in people who are already panicking and who will want to do what they can to protect themselves and their families. In addition to e-mail scams we’ve seen before and need to be wary of, there are some new ones out there due to COVID-19:
1. Emails Masquerading as Government Announcements: Threat actors are sending phishing and BEC emails disguised as government announcements. Fraudulent emails have included logos and other imagery associated with the Centers for Disease Control (CDC) and the World Health Organization (WHO). Emails include links to items of interest, such as “updated cases of the coronavirus near you.” Landing pages for these false links may look legitimate, but the sites are often malicious and may be designed to steal email credentials.
2. Operational and Industry Disruption: The spread of COVID-19 is disrupting temporary supplies and revenue in some industries. Cyber criminals hope victims will mistake their malicious emails for legitimate ones. For example, emails with subject lines like “Coronavirus – Brief note for the shipping industry,” have been sent to employees of companies in industries being disrupted by the virus. Some campaigns have been disguised to look like invoices, shipping receipts and job applications. BEC campaigns are targeting manufacturing, finance, pharmaceuticals, healthcare and transportation companies. False emails typically include attachments that contain malware designed to harvest sensitive data, or harmful ransomware that could disrupt access to, or availability of, information systems.
3. HIdden Malware: There has been a rise in malicious emails directing recipients to educational and health-related websites riddled with malware. One email, masquerading as a notice from a virologist, read: “Go through the attached document on safety measures regarding the spreading of coronavirus. This little measure can save you.” Recently, coronavirus maps have enticed users to click on maps loaded from legitimate sources that run malware in the background.
4. False Advice and Cures: Emails purporting to hail from regional medical providers, sent to people in Japan in January and February, were among the first coronavirus-related phishing attacks. Some phishing emails invite recipients to download attachments containing “secret cures” for the virus. The attachments instead contain malware designed to steal the personal and financial information of the victim. Some emails include conspiratorial and false claims that COVID-19 was manufactured to reduce the world population.
5. False Charity: Another phishing campaign involves emails designed to mimic the CDC, soliciting donations to fight the spread of the virus. The emails appeal to recipients’ altruism, urging victims to donate into a Bitcoin wallet or to make other types of payments. The CDC, a federal agency under the Department of Health and Human Services, is taxpayer-funded and would not solicit donations. Other malicious actors may create fraudulent charities. Never donate to charities via links in emails. Instead, give at the charity’s website. Follow fundraising platforms’ guidance on how to recognize and report fraudulent charities. Never donate to charities via links included in and email. Instead, go directly to the charity website to donate.
In all cases, we advise employers to notify their employees of these potential attacks and confirm that they not click on suspicious emails or provide information to unknown organizations. This is especially true in our new “work from home” world.
It only takes one. One click, one failed alert, one unsuspecting employee and the cyber-criminal can proclaim victory over a network. As Threat-Aware Employees, we cannot let this happen! Be skeptical, be vigilant and most importantly – BE AWARE!