Fighting Coronavirus Phishing Scams

This post first appeared on Risk Management Magazine.

Around the
world, people are dealing with an endless volume of new information about the
coronavirus outbreak. They are distracted, stressed and concerned about the
well-being of family and friends, and many are making the disorienting shift to
working remotely, some increasing the use of personal devices to do so. This can
all leave employees more susceptible to online schemes, and there is no dearth
of attempts to take advantage. Indeed, as of April 1, email security firm
Proofpoint reported that 80% of the emails they were intercepting had something
to do with the coronavirus outbreak, a level the company’s researchers called
“unprecedented.”

Some of these phishing emails take advantage of employees
working from home to launch credential-stealing attacks. “We see that threat
actors are keeping up with the daily developments concerning the coronavirus,”
reported the threat intelligence team at email security firm Mimecast. “As the
pandemic continues to spread and more and more people are made to work from
home, we are seeing more phishing emails that are trying to trick users into
giving their credentials through a faked login page. Threat actors are actively
utilizing this pandemic to attempt to compromise individuals’ accounts and
organizations’ networks. The potential for human error will inevitably increase
in the coming weeks and we expect to see more of these phishing attempts.”

Other phishing scams purport to be news from government
authorities or public health organizations, directing recipients to click
malicious links for updates on the spread of the COVID-19 pandemic, new
containment measures or local advisories. In February, the World Health
Organization warned that some criminals were spoofing WHO officials to send
fraudulent emails, and Kaspersky Labs reportedly found emails spoofing the CDC
that asked for bitcoin donations to help fund a coronavirus vaccine. Other
email scams spread malicious attachments, claiming to offer coronavirus
protection tips or maps of the outbreak but actually containing malware.

At the end of March, Mimecast reported detecting three
million COVID-19 emails a day, the vast majority of which were believed to be
malicious. Among the phishing campaigns targeting consumers, the firm found new
approaches including many “taking advantage of their fears and curiosity as
they head to the web for quick answers about cures, quarantine practices,
economic changes and where toilet paper is still in-stock.” Indeed, with people
observing stay-at-home orders and panic-buying making some critical supplies
hard to find, cybercriminals have even created websites impersonating big-box
retailers like Costco and Walmart to target people searching online for
essentials.

“It is vital that individuals are aware of the widespread
attempts at fraud that are inevitably exploding at this time due to the fear
and uncertainty around the coronavirus,” said Carl Wearn, Mimecast’s head of
e-crime. “One key focus of this is the widespread spoofing, copying and setting
up of apparently legitimate websites that appear to offer a cure to the virus,
and a range of equipment such as masks and testing kits. Criminals are aware
that this unique situation is prompting people to search for these items and
that people will also likely pay a premium for them. This is ripe for criminals
to take advantage of, and they are. There are literally thousands of domains
active to take advantage of this right now.”

Wearn advised, “Please ensure you use only known, reputable
suppliers for any of these items, should you want them. It is almost certain
that any purchase from the array of criminal sites set up to take advantage of
this human suffering will merely lead to the significant loss of funds, and
even if equipment is provided, it is likely to be counterfeit and ineffective.”

In regular bulletins, the Federal Trade Commission has
reported massive surges in consumer complaints about scams related to COVID-19,
totaling more than 10,000 fraud cases by mid-April. Unfortunately, these scams
have proven successful: As of April 14, U.S. consumers had lost over $13.4 million
in reported incidents alone, with a median loss of $558 per incident. The top
categories of coronavirus-related complaints included “travel- and
vacation-related reports about cancellations and refunds, reports about
problems with online shopping, mobile texting scams, and government and
business imposter scams.”

Based on the tactics used thus far, the FTC advised
consumers to only click on links from sources they know, visit the CDC and WHO
websites directly for the most up-to-date information, and be alert for
fraudulent online offers for non-existent treatments and vaccinations, phony
charitable donation campaigns, or “investment opportunities” from companies
purporting to offer coronavirus products and services.

Other scammers are using coronavirus-related financial
relief measures as lures. With governments like the United States, Canada,
Australia and the United Kingdom exploring options like issuing direct stimulus
payments to residents or extending tax filing deadlines, criminals have a new set
of compelling pretenses for contacting victims to request sensitive data like
Social Security numbers, bank account information and credit card data.

Many financial institutions are also implementing measures
to help clients impacted by the coronavirus, leading some criminals to
impersonate banks and credit card companies. Cybersecurity analysts report
seeing such emails claiming to offer waived late fees and, in some cases, even
a cash credit for the account holder. The links in these messages direct recipients
to spoofed credit card login pages that attempt to steal information including
user ID, password, email and credit card number. Such scams are likely to
increase in the coming months as the U.S. government and others start
disbursing funds.

Anticipating a continued increase in coronavirus payment
fraud attempts, Proofpoint offered six tips to avoid becoming a victim:

1. Be aware that you are at risk. Knowing that
attackers are ready to trick you out of your money can help you take an
appropriately skeptical stance with regard to information you may see or hear.
You can also warn others of the potential danger.

2. Be wary of any communications you receive that promise stimulus payments.
To date, the U.S. government has never used email to collect information for
payment programs of this type. The U.S. Postal Service is used to both
distribute and collect information. This means that any email or other digital
communication you may receive that asks for stimulus information is almost
certainly a fraud.

3. Do not provide personal information in response to any online requests and
avoid clicking on email links. If you have any questions regarding payments, go
directly to authorized institutions.

4. Create unique usernames and passwords for each account. If your username
and/or password is stolen, you can reduce your risk of extensive compromise by
using different credentials across multiple accounts. These accounts can
include your email, financial/banking websites, work and streaming services.

5. Verify websites are legitimate. If you are
visiting a website, you can verify the site is safe by clicking the padlock
image on the left of the browser address. Be sure to check that the name of the
server matches your desired destination.

6. Avoid disinformation by using multiple sources.
Get information from reputable news sources and double-check any reports with
another reputable news source. In particular, be wary of information that
friends send you or post on social media. These messages could be spam that
they did not actually send or simply misinformation.

Employers should also remind employees of cybersecurity best
practices to protect themselves and the organization. For example, the fact
that employees are working from home should not change protocols for requests
via email, particularly any involving money transfers. It is more important
than ever for employees to slow down, review messages in detail, and pick up
the phone to verify authenticity (using a phone number that can also be
verified beyond the email in question). Enterprises should also consider
creating go-to destinations for employees to get the latest updates from their
employer; information on any company policy changes and closures; official
contact information for colleagues and supervisors; and links to reputable and
objective sources for public safety, quarantine and medical guidance, such as
the CDC, WHO, National Institutes of Health, and local government authorities.

During the pandemic and beyond, remind employees that they
should always be wary of a message if it: plays on fear or urgency; includes
spelling, grammar or formatting errors; asks for personal information, login
credentials or financial details; encourages clicking on a link or opening a
suspicious attachment; uses an unfamiliar, incorrect or vague greeting; or
originates from a suspicious or abnormal email address.
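The six warning signs listed above can be turned into a simple triage check that a security team might run over reported messages. The following is an added example, not code from the article or from any vendor quoted in it; the two sample emails, the trusted-domain list and the misspelling list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of the employer's own sending domains; anything else counts as "unfamiliar".
TRUSTED_DOMAINS = {"acme.example"}

# Constructed sample messages (not from the article): one stimulus-payment lure, one routine notice.
PHISH = """From: Benefits Desk <support@stimulus-payment-center.example>
Subject: URGENT: confirm your stimulus payment within 24 hours

Dear customer,
Your relief payment is on hold. Verify your Social Security number and
password at http://stimulus-payment-center.example/verify immediatly or
the funds will be cancelled.
"""
LEGIT = """From: HR <hr@acme.example>
Subject: Updated remote-work policy

Hi Dana,
The updated remote-work policy is posted on the intranet. Reply here or
call the HR line listed in the directory if you have questions.
"""

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|on hold|cancelled|suspended)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|login|social security|credit card|account number|verify your)\b", re.I)
GENERIC_GREETING = re.compile(r"^dear (customer|user|sir|madam|account holder)\b", re.I | re.M)
LINK = re.compile(r"https?://\S+", re.I)
MISSPELLINGS = {"immediatly", "recieve", "verfiy", "acount"}  # constructed stand-in for a spell checker

def red_flags(raw):
    """Return which of the article's six warning signs a raw (single-part) message trips."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part sample; multipart bodies would need msg.walk()
    text = msg.get("Subject", "") + "\n" + body
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if URGENCY.search(text):
        flags.append("fear_or_urgency")
    if MISSPELLINGS & set(re.findall(r"[a-z]+", text.lower())):
        flags.append("spelling_errors")
    if CREDENTIALS.search(text):
        flags.append("asks_for_credentials_or_financial_details")
    if LINK.search(text) or any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        flags.append("link_or_attachment")
    if GENERIC_GREETING.search(body):
        flags.append("generic_greeting")
    if not domain or domain not in TRUSTED_DOMAINS:
        flags.append("unfamiliar_sender")
    return flags

def is_suspicious(raw, threshold=2):
    """Treat a message as suspect once it trips at least `threshold` signs (threshold is assumed)."""
    return len(red_flags(raw)) >= threshold
```

The lure trips all six signs while the routine notice trips none; a real deployment would replace the word lists with a proper spell checker and the organisation's own sender allow-list.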
