As the threat from coronavirus increases, companies are sending employees to work from home and students are turning to online courses. But with social isolation comes a new threat – cyberattacks.
This graph shows the actual phishing emails and text messages that users have received in the past few weeks. Phishing is a technique used by hackers to obtain sensitive information by masquerading as a trustworthy entity. Attackers often use handcrafted emails or other types of messages in order to trick people into disclosing personal or confidential data such as passwords and bank account information. And these latest phishing campaigns are exploiting the uncertainty and fear that many of us are currently experiencing.
When it comes to COVID-19, hackers use a proven method to infect people's machines: manipulation and fear. In the past few days, researchers have discovered a malware campaign that exploited widespread panic and misinformation by sending emails that claimed to contain preventive measures. The email states that there have been reports of coronavirus patients in a specific region of Japan and asks the reader to consult the attached document. Once the user opens the attachment, the scammer can place malware on the recipient's device.
Here are some other examples of ongoing phishing attacks, some exploiting people's goodwill and others posing as the World Health Organization (WHO).
Recognize COVID-19 cyber scams:
According to the World Health Organization, there are certain things it will never do or ask for. If you receive something that contradicts its statement, you are dealing with a cyber attack. The WHO will:
- Never ask for your username or password to access security information
- Never send attachments that you did not request
- Never ask you to visit a link outside of www.who.int
- Never charge money to apply for a job, register for a conference or book a hotel
- Never organize lotteries or offer prizes, grants, certificates or funding by email.
Other organizations have also talked about these scams and how you can tell what is true from what is false. You can check for yourself:
World Health Organization: “Beware of criminals pretending to be WHO”
Federal Trade Organization: “Coronavirus: scammers make the headlines”
Attorney General Mark Herring: “Attorney General Herring Urges Virginians To Be Coronavirus Scams”
Attorney General Brian Frosh: “Attorney General Frosh Warns Marylanders About 2019 Coronavirus Scams”
David Emm: Senior Security Researcher at Kaspersky
Sherrod DeGrippo: Senior Director of Threat Research and Detection at Proofpoint
Matt Lourens: head of security engineering at Check Point
Protect yourself from COVID-19 scams:
So what can you do to protect yourself?
- Be skeptical if you are unsure of a text or email. An example of one of these texts shows how hackers play on your emotions: the message seems urgent, so you want to know more. It might claim to alert you to new cases of coronavirus in your neighborhood or city.
- Do not call any of the numbers or click on any links. Hackers also use tactics such as “combosquatting” and “typosquatting” to create fake URLs whose typo or extra word is easy to miss, for example by adding “-security” to a popular bank URL.
- Under no circumstances respond to these texts or e-mails. In many cases, these emails will ask you to confirm your email and password in a form.
- Report phishing messages to email@example.com and FTC.gov/complaint, and to the organization being impersonated so it can let people know what to watch for.
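The two link checks described above (the WHO's "no link outside of www.who.int" rule and the combosquatting/typosquatting lookalikes) can be automated before anyone clicks. The Python below is an added example, not code from the original article; `mybank.example`, the sample links and the `MIN_TYPO_LEN` threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Domains the reader actually trusts. who.int is named on the page;
# mybank.example is a constructed placeholder for "a popular bank".
TRUSTED = ("who.int", "mybank.example")
MIN_TYPO_LEN = 5  # assumption: very short names produce too many near-misses


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Label a link 'trusted', 'combosquat', 'typosquat' or 'unknown'."""
    if "://" not in url:
        url = "//" + url  # let urlsplit see a bare host as a host, not a path
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in TRUSTED:
        # Match the domain itself or a subdomain, on a label boundary only
        if host == domain or host.endswith("." + domain):
            return "trusted"
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    name = labels[-2]  # simplification: last two labels = registered domain
    for domain in TRUSTED:
        brand = domain.split(".")[0]
        if name != brand and brand in name.split("-"):
            return "combosquat"  # brand plus an extra hyphenated word
        if len(brand) >= MIN_TYPO_LEN and edit_distance(name, brand) == 1:
            return "typosquat"  # one character away from the brand
    return "unknown"


# Constructed sample links, not taken from any real campaign
SAMPLES = ["https://www.who.int/emergencies", "https://mybank-security.example/login",
           "http://mybamk.example/verify", "https://notwho.int/advice"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):11} {link}")
```

A "combosquat" or "typosquat" result is a reason to treat the message as suspect; "unknown" only means the link is not on the allowlist, not that it is safe.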
Businesses: Here's How To Secure Your Remote Workforce
Social engineering is another huge threat, especially in times of panic. Employees must be trained to recognize and avoid human error and deception. In social engineering attacks, the attacker takes advantage of the fact that the entire team is remote and communicates less. A call from another “employee” asking for help obtaining a customer's phone number may not come from a real employee. This scenario is unlikely to happen with a small business, but it is essential to have processes and procedures in place to verify who is on the phone.
Education will be the most important factor in ensuring the security of your remote team. Your team should understand the dangers of connecting to corporate systems when using public Wi-Fi. Their home Wi-Fi connection should also have a strong password.
Use a remotely accessible digital workspace, such as a VPN. A good corporate VPN will allow you to implement multi-factor authentication (MFA) to restrict unauthorized access to your network. Also be sure to offer support and training on using a VPN. Employees need to know how to use it when accessing emails, documents, and billing applications.
VPNOnlineFree Access Server provides an enterprise VPN solution for businesses of all sizes. Access Server enables organizations to protect data communications, implement access control and network segmentation, and provide encrypted remote access to enterprise resources. It is the perfect solution for businesses that have a new digital workspace accessible remotely.