Bad Actors in Bad Times: A Primer on COVID-19 Phishing Scams
Though email phishing campaigns and malware through emails are nothing new, when you layer them with a global event like the current COVID-19 pandemic, the risk can be even higher—adding significant digital risk on top of the physical risk of infection.
It’s common for phishing email and malware creators to capitalize on a current issue. After all, their job is to pique the interest of an end-user enough to get them to open the email.
At that point, they might use a few different angles, depending on the campaign. During times like this, it’s critical you ensure your customers and their end-users are aware of the types of scams going on. Make sure you have a communication plan to supply valid information to prevent your users from seeking other sources.
For many years bad actors have employed spam, phishing, and spear-phishing techniques for several end goals:
- Trick a user into clicking on a malware-laden attachment to infect the system. This allows an attacker to gain a foothold in a network to perform more reconnaissance and follow-on actions (including data exfiltration and ransomware deployment) within the environment.
- Convince a user to go to a website that will execute scripts to install malware for the same reasons as above.
- Masquerade as a charity and convince the user to donate funds or give their credit card number.
- Impersonate the company the user works for and trick them into giving up their credentials (such as creating a look-alike Office 365 login page to give access to a document).
- Craft the email to look like an invoice from a vendor or a message from an internal higher-up, convincing someone in accounting to pay the fraudulent invoice.
Something as front and center as COVID-19 presents opportunities for widespread attacks anywhere in the world. As the actual virus spreads to more countries and cities, the population will be looking for up-to-date information, and a well-timed email or text message might be all it takes for someone to fall for a scam and put their information (or the business they work for) at risk.
According to an article by the Wall Street Journal, these scams started in January in heavily affected areas, and are likely to gain even more steam as the pandemic escalates.
Here are a few methods to look out for, as discussed in the article:
- Emails from state and local authorities with purported guidance on the situation in your region with attachments or links to other documents
- Communication from HR, internal officials, or even you (as the service provider to the company) that ask users to log in to view a document or has suspicious attachments
- Fake news notifications about someone infected in your area
- Emails regarding outstanding invoices from a vendor of medical supplies
Also, since the publishing of that article, and on the heels of more medical institutions shifting to e-Visits for non-urgent consultations, we are even seeing text messages that resemble legitimate communications from doctors, asking patients to confirm their appointments.
As companies begin to institute work-from-home policies, employees who are not used to being in a home environment might be more tempted to click on an email or text or engage in risky behavior, because they are in a different setting.
There are a few things you can do to help ensure your users practice safer email and online habits during these times:
Establish an official communication channel early and ensure that all users know the email address and format of the communications.
Early on, when an event or issue arises that affects the entire organization or one or more regions your users are in, send out an email stating you’re monitoring the situation and will send regular updates to the organization. State the timing of these notifications, and then ensure you follow that schedule so users aren’t tempted to seek information elsewhere.
Recommend a few “vetted” sites or resources that can supply them with legitimate information, and supply links to them in your communications as well. Most of these also offer guidance for staying safe in public as well as online. For coronavirus, a few of these are:
- The World Health Organization
- U.S. Centers for Disease Control and Prevention
- CNN, Fox News, MSNBC, and other major news outlets have a dedicated section on the coronavirus
- A local news website
Regardless of what you supply, make sure you give this advice to your users:
- Only visit recommended sites or view the official communication emails.
- Do not click on links in other emails or open attachments from emails that reference the coronavirus outbreak, unless you can verify the sender.
- Carefully inspect the “From,” “Reply To,” and signatures or text for misspellings and errors. Hint: if you click “Reply” to an email, you can see the actual “Reply To” email address at that point.
- Hover over links in emails to view the address the link will take you to. Shortened links and jumbled URLs are a risk as they can hide the actual website you’re taken to.
- Never supply credentials to a site you accessed from an email, unless you are 100 percent sure the site is legitimate.
- Supply IT with any emails you receive that may be suspicious.
Give your users a way to report suspicious emails, communications, and potential compromise
Supplying a mechanism to allow users to forward emails to you will help you train them on what is legitimate and what isn’t. It may add a little overhead to your time during events like this, but it will also help you spot trends in your customers’ environments. If you see the same email delivered to multiple users and they report it, you can then send out a screenshot with examples to tell other users to avoid that type of email, since it’s likely bad actors are targeting your domain. Additionally, if a user feels like they may have made a mistake, they can report this to you immediately so you can assess the risk based on their actions and give the proper advice—like changing supplied credentials or looking for suspicious behavior on their laptop or device.
Ensure that endpoint security, email protection, and security controls are up-to-date and functioning across the environment
If you’re considering allowing employees to work from home to prevent risk of additional spread of the infection, it’s doubly important that you secure the assets the users are taking home. This means ensuring your email security solution is configured with proper settings. You’ll want to prevent malicious emails from making it to inboxes and ensure all devices taken home have up-to-date endpoint security agents and definitions. It’s also important to ensure users can access the work environment safely with VPNs or other remote access tools that are protected with two-factor authentication (2FA).
Finally, make sure your technicians have the capability to remotely support these users securely, as they’ll likely need assistance getting set up in a home environment.
As the virus continues to spread, we can expect more opportunistic actors to engage in email campaigns and attempt to infiltrate or defraud users and the companies they work for.
Taking just a few minutes to keep your teams, customers, and end-users updated from a trusted advisor can make a big difference and demonstrate your value as a service provider.
If we at CTI can help to protect your distributed workforce from these types of scams, please complete the form below to contact us.