Navigating the Latest COVID-19 Security Threats
As security technology improves year after year, many cybercriminals have switched to tactics that target fear and exploit human vulnerabilities. Fear doesn’t work on machines, so they depend on human error to gain access to finances, compromise corporate servers, email and even social media accounts.
When an opportunity arises for a scammer to take advantage of an existing fear, we see more phishing attacks, social media dangers, and other scams related to it. Right now, we see businesses and government organizations building authentic campaigns surrounding COVID-19, and we will most definitely see an increasing number of malicious campaigns coming out of the woodwork. The fear surrounding COVID-19 (or Coronavirus) is the perfect cocktail for the common cybercriminal.
How do they fool us?
People who fall for phishing scams are often intelligent people like you and me. So how do cybercriminals trick us into falling for their scams?
SentinelOne defines Business Email Compromise (BEC) as “convincing the recipient of an email that a sender is a person of authority and that a particular action (like transferring hundreds of thousands of dollars) should be done.”
These malicious campaigns are designed to allow primal fear to trump a person’s common sense. They aim to trigger an emotional response that will cause you to take fast action. We’ve seen it before a thousand times, “Urgent! You owe money, click this link to prevent us from taking over your assets,” or “Your Netflix account has been compromised, click this link to reset your password.” Even, “You’ve authorized a payment for $1500. If you did not authorize this payment click this link to cancel the order.”
Cybercriminals have become craftier as we continue to educate ourselves about their schemes.
What trends are security experts seeing right now?
Sophos has noticed 42,578 newly-registered domains as of midnight on March 24 that utilize the words COVID or Corona in some way. While many of these domain names are likely intended for humanitarian purposes (such as spreading helpful information and assisting people in various ways) Sophos has identified over 60 domains that are actively participating in malicious activities. They are using domains with words like COVID, corona, virus, health, and gov to create a false sense of authority for the individual who will be receiving the scam.
Whether we have fears of contracting the virus, dwindling levels of essential supplies or a desire to stay up-to-date on the latest news, they are using our feelings of unrest to trick us into opening their email.
COVID-19 security threats in emails, texts, and Facebook messages might appear as:
- “Official” updates that provoke you to download an information package or health advice.
- Informing you of financial benefits or relief from the government.
- Advertising face masks, hand sanitizer, and cleaning supplies for sale.
- Publicizing cures, vaccines, miracle drugs, at-home tests, etc. that don’t exist.
- Prompting you to click links or download apps to see updates on virus spread in your area.
- Asking you to contribute to a Coronavirus Response Fund.
- Information (usually misinformation) about the virus that encourages you to forward it to your friends and family to make sure they know.
One malicious application going around is actually a map that shows where the number of cases around the world from Johns Hopkins University. Cybercriminals have created their own version of this map with malicious malware embedded within the diagram itself.
All of these campaigns will lead to the cybercriminal getting something from you: whether it’s remote access to your computer, money/bitcoin, login credentials, access to accounts, contact lists, and more.
How do we adjust to these new COVID-19 Security Threats?
Some of the communication you receive might be from official sources, and others may not. So before you click, download or forward take a second to breathe.
- If it’s too good to be true, it probably is. If they appear to be “pushy” in their message, that is a red flag. Head over to our “Phishing Emails – Do you know the signs?” blog to brush up on how to detect fraudulent emails.
- Use tools like Snopes.com to fact check things you see in your email or on social media. BuzzFeed also created an article debunking The Latest Hoaxes Spreading About The Coronavirus
- When in doubt, bypass the message and go directly to your local government’s website; use online resources you know and trust.
- Make sure you are continuing to run updates on all company devices, even if those devices are now work-from-home devices.
- Get educated on the different types of malware out there and how to protect yourself from it.
- Send this article to your employees to help them stay up-to-date on phishing tactics and trends.
- Consult a managed services company to talk about a multi-tiered, proactive security plan for your business.
Preventing an attack is easier to deal with than recovering from one. There is already so much going on right now for you to worry about, you should not also have to deal with the burden of hackers getting access to your most important resources. We can help.