The COVID-19 crisis has been an extremely challenging time for most businesses. Business owners have struggled to cope with the rapid transition to remote work, fluctuating stay-at-home orders and potential damage of a struggling economy. Employees are doing their best to work in the midst of uncertainty, stress and distractions at home.
Unfortunately, there will always be someone trying to profit off of a disaster, and that’s certainly true of threat actors behind cyber security attacks. Hackers are exploiting the public’s stress, fear and confusion in order to steal money, financial information and other data.
Most employees and managers are occupied with the challenges directly in front of them; they’re not thinking about being targeted for an attack. Meanwhile, many employees are working remotely, which means that they may not be covered by traditional security protections like firewalls.
Techniques that hackers are using include:
- Phishing and spear phishing emails designed to get a user to click on a malicious link or download an attachment.
- Social media deception, where threat actors use information posted to social channels to steal the poster’s identity or create targeted attacks posing as a trusted person or organization.
- Pretexting, or impersonating a coworker or other trusted individual, and requesting financial information, passwords or the transfer of funds.
- Smishing, a phishing attack perpetrated through text, chat, or SMS.
- Vishing, where a threat actor calls or leaves a voicemail claiming to be a representative of a legitimate organization, such as the IRS. Hackers may use ID spoofing to make numbers appear genuine in caller ID.
Below, you’ll find a few specific examples of how threat actors are using these tactics to take advantage of COVID-19.
Impersonating Health Professionals
One way that threat actors have attempted to catch targets off guard is by pretending to represent a legitimate health organization, such as the CDC or WHO. The perpetrators of these attacks typically use social engineering tactics and phishing — that is, manipulating targets so that they give up passwords, financial information or network access, or tricking them into downloading malware. These emails usually claim to contain news or updates about the virus, with external links or attachments with more information.
For instance, in one known attack, an email claiming to be from an individual at Johns Hopkins contained a false Excel spreadsheet with information about “deaths from Covid-19.” Once downloaded, malware was installed on the user’s computer, allowing hackers to take complete control of their machine.
Requests for Donations
This scam preys on people’s emotions. COVID-19 has hit many populations hard, and people understandably want to help wherever they can. Requests for false donations are usually distributed as phishing emails with a link to enter information. These attacks are often used to gain access to the victim’s banking information.
Employees should be wary of any emails they receive asking for donations and should research the organization before they give — and then, only do so from the organization’s official website, not a link in those emails.
False COVID-19 Relief Programs
This attack takes the opposite approach, targeting individuals and businesses looking for COVID-19 relief. The Department of Homeland Security describes an example where a targeted individual received a text message with a link to a supposed UK government relief program.
As this example illustrates, recipients should also be suspicious of links coming from other channels, such as text or messaging applications. Look for spelling errors and other indicators that it is not a real government website (notice how relief is spelled “relieve” in the instance linked above).
Promising Cures and Supplies
If you’ve been reading the news, you’re probably all too aware of the struggles healthcare providers have had securing personal protection equipment for workers. After this need was publicized in the media, malicious emails began circulating, claiming to have access to masks, respirators and other equipment.
Employees should be trained to watch out for these types of emails, texts and other communications and to report them to the appropriate team members right away.
Shipping Receipts and Invoices
Disruptions and delays in shipping and mail have created another opportunity for attacks. In this scam, employees may receive an email with attachments to supposed receipts, invoices, and other shipping documents. Of course, these are not receipts, but links to download malicious software.
Many of us have been closely tracking infection rates and other metrics as the pandemic progresses. Health authorities and media outlets, like Johns Hopkins and the New York Times, have created interactive maps to help users stay up to date.
Unfortunately, hackers have tapped into the need for information, using fake versions of these maps to try to deceive targets into downloading malware. This attack usually relies on phishing emails, which contain a link to a map. When the recipient clicks on the link, they’re prompted to open an applet that installs malware on their computer.
Kits containing tools to launch this attack have been sold on the dark web, meaning it could potentially become a very widespread technique. Employees should only use trusted websites for COVID-19 information and should be trained to never click on a link directly from an email.
Preventing Attacks During COVID-19 — and After
All of these attacks exploit human error, and your staff’s likelihood of making mistakes may be higher in the midst of a stressful event like the pandemic. Additionally, with teams working outside the office, your ability to prevent these kinds of errors using cyber security technology may be limited.
That’s why it’s more important than ever to train users to spot and report attempted attacks. The most effective way to do so is through thorough, ongoing cyber security awareness training and testing. CoreTech offers comprehensive cyber security training programs to help employees get up to speed and ensure that cyber security stays in the forefront of their minds. Our training is easy to implement with a remote workforce and is carefully managed by our IT security team. Contact us today to learn more.