Keypoint: Individuals and businesses should take steps to avoid becoming victims of the rapid rise in Coronavirus-related hacking scams.
On March 20, 2020, the FBI issued an alert warning that cyber thieves are actively trying to exploit the Coronavirus pandemic to steal money, commit identity theft, and engage in other hacking-related activity. The Cybersecurity and Infrastructure Security Agency (CISA) issued a similar alert earlier this month.
According to the FBI and CISA, hackers are sending phishing emails purporting to come from the World Health Organization, the Centers for Disease Control and Prevention, and other organizations. Those emails claim to offer information on the virus and ask recipients to click on links or open attachments, which allow hackers to deploy malware. Hackers are also sending phishing emails purporting to come from charitable organizations or trying to entice recipients to click on links by claiming to offer airline refunds, testing kits, vaccines, and/or financial relief. The FBI also warns that hackers are using websites and apps that claim to track Coronavirus cases to deploy ransomware.
Verizon reports in its 2020 Mobile Security Index (MSI) that the number of businesses reporting a mobile-device related compromise rose 44% from its initial report in 2018. While the rise is not unexpected, the 2020 MSI also notes a reduction in the number of companies who acknowledged sacrificing some form of mobile security for the convenience of mobile devices, or due to a lack of financial or manpower resources.
Ultimately, while these malicious acts come in many different forms, their goal is the same – to trick the recipient into clicking on a link or taking some action such as entering a user name or password, emailing confidential information, or transferring funds. According to the U.S. Secret Service, the average financial loss from a business e-mail compromise is almost $130,000.00. Given that millions of Americans have transitioned to work from home, the risks associated with exploits have grown substantially. Phishing attacks on mobile devices are also launched through methods other than e-mail, such as gaming and social media sites that office IT systems have normally locked down.
In most cases, the companies that commit to allocating greater resources for data security are the companies that were victims of a data compromise incident. Verizon’s MSI indicates that companies who were prior victims of a self-described serious data compromise were three times more likely to increase their spending on mobile security compared to companies that had not (yet) been victimized.
What You Can Do
On an organizational level, if you have not done so already, you should alert your workforce that these malicious acts are occurring and that workers need to exercise vigilance in defending against them. The fact is that these exploits are deliberately designed to prey on people’s good nature. Sending an email to your workforce discussing these threats and reinforcing good cyber hygiene can go a long way to avoiding becoming a victim. (If you need a draft email to get you started, email us at email@example.com and firstname.lastname@example.org. We will be happy to send you a template.)
On an individual level, you should follow these tips taken from the FBI’s alert:
- Do not open attachments or click links within emails from senders you do not recognize.
- Do not provide your username, password, date of birth, social security number, financial data, or other personal information in response to an email or robocall.
- Always verify the web address of legitimate websites and manually type them into your browser.
- Check for misspellings or wrong domains within a link (for example, an address that should end in a “.gov” ends in “.com” instead).
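The domain check in the last tip can also be applied automatically on the organizational side, for example in a mail filter or a reporting tool. The following Python code is an added example, not part of the FBI alert or this article; the expected-domain table, the warning codes and the sample links are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the domain each named organization is expected to use.
EXPECTED = {"CDC": "cdc.gov", "WHO": "who.int"}

def check_link(claimed_org, url):
    """Return warning codes for a link in a message claiming to come from claimed_org."""
    expected = EXPECTED[claimed_org]
    # .hostname drops any "user@" prefix and port, so the real destination is compared.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # Require an exact match or a true subdomain ("notcdc.gov" must not pass).
    if host == expected or host.endswith("." + expected):
        return []
    warnings = ["not-expected-domain"]
    name, ending = expected.rsplit(".", 1)
    labels = host.split(".")
    if len(labels) >= 2 and labels[-2] == name and labels[-1] != ending:
        warnings.append("wrong-ending")  # e.g. ".com" where ".gov" is expected
    if expected in host:
        warnings.append("expected-name-embedded")  # real name appears, wrong site
    # Compare the last two labels with the expected domain to catch misspellings.
    if SequenceMatcher(None, ".".join(labels[-2:]), expected).ratio() >= 0.8:
        warnings.append("lookalike-spelling")
    return warnings

# Constructed sample links for illustration; not observed indicators.
SAMPLES = [
    ("CDC", "https://www.cdc.gov/coronavirus"),
    ("CDC", "http://cdc.com/update"),
    ("CDC", "https://cdcc.gov/"),
    ("WHO", "https://who.int.alerts.example/track"),
    ("CDC", "https://cdc.gov@tracker.example/"),
]

if __name__ == "__main__":
    for org, url in SAMPLES:
        print(org, url, check_link(org, url) or "ok")
```

The comparison uses only the last two host labels as the registered domain, which is a simplification; a production filter would use a public-suffix list.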
Additionally, working from home creates new challenges for the workforce when it comes to data sharing and file transfers. Continue to remind your employees to resist the temptation to use their personal cloud sharing apps for company data or to save confidential information on their personal devices.
In the end, exercising vigilance in response to these malicious actions can go a long way to avoiding potentially catastrophic cyber events that could further cripple businesses already dealing with Coronavirus-related business disruptions.