Ever since it first popped up in the Wuhan Province of China, COVID-19 (better known as the coronavirus) has created quite a stir—bordering on panic—around the world. Unfortunately, as has been the case many times before, cybercriminals have been using this near panic to support their attacks. Let’s review some of the ways they do so, and how you can protect yourself and your business from these efforts.
How are Cybercriminals Using Coronavirus?
“You can sit in a room and create anything you want on a laptop. That’s why the real con men are gone.” – Frank Abagnale
Reformed con man and FBI consultant Frank Abagnale is right, as the cybercrimes shaped around the coronavirus have proven. Due to the deep anxiety and trepidation that the media coverage of COVID-19 has encouraged, cybercriminals have been handed an opportunity to take advantage of the panicked populace through phishing attempts… an opportunity they have embraced since the end of January.
These themed attacks have been directed toward a variety of targets. For example:
- Healthcare providers have been targeted by phishing attacks that deliver keylogging malware, meant to look like emails from local hospitals or the World Health Organization.
- “Informational” emails referencing coronavirus have enabled hackers to introduce ransomware to the populace.
- Members of the supply chain have seen coronavirus emails that install information-extracting malware through malicious Microsoft Word documents.
Of course, this kind of activity has been going on for far longer than the Internet has been around… it’s just that the Internet makes these attacks much more efficient and effective.
How this Complicates Things
Unfortunately, the latest application of these attacks has proven effective. Much of this is likely due to the fact that they are leveraging a very visible and nerve-wracking event, which helps to boost the interest of a target. This same tactic is the reason that so many phishing attacks are launched right around tax time, and why fraudulent messages were shared via SMS claiming that the recipients needed to register for the draft… for a fee.
Whatever the approach, the tactics have remained the same: scare the recipient enough that they don’t consider that the message may be fraudulent, and give them a perceived “out” if they turn over their information.
Adding to the complexity, the situation with COVID-19 differs just enough from the other events that cybercriminals typically take advantage of to be uniquely dangerous. For instance, many of the other disasters that a cybercriminal will use to their advantage are over in a relatively short time frame. In comparison, COVID-19 has already spent weeks dominating the headlines, with no way to tell how many more weeks (or months) are yet to come.
In addition to this, coronavirus is largely unprecedented, unlike the events that many other phishing attacks are built on (such as major sporting events and the like). This means that there is no widely trusted resource for people to turn to. For weather events, the National Weather Service and FEMA fill that role… no such resource is as commonly trusted for coronavirus.
What Can Be Done
In most cases, resisting these efforts will require a combination of basic cybersecurity measures and, perhaps more critically, user awareness and education. While your protections will ideally block the majority of phishing attacks and malicious messages, you need to be sure that your employees are aware of how such attacks should be handled:
- Train effectively - Rather than taking up half of one day on a dull and repetitive training seminar, split your training efforts into shorter pieces, focusing on assorted aspects of the threat at hand. Give your team the knowledge they need to recognize phishing attacks and understand the importance of mitigating them.
- Emphasize that phishing goes beyond email - Remind your staff that phishing is far from an email-exclusive threat. While email-based attempts are common (and perhaps the most well-known means of phishing someone), phishing can happen through text messaging or even a voice call.
- Report any and all suspicious attempts - This includes those that your staff may have fallen for. Without this collected knowledge, how can you expect to protect your business by avoiding future attacks or responding quickly and decisively? Resist any temptation to retaliate against a staff member who was bamboozled, as this will only encourage them and others to hide their mistakes… something you definitely don’t
Whether a cybercriminal uses coronavirus or some other story to try to phish your employees, it is important that they know how to spot these attempts, and how to properly respond when they do. For more assistance in handling these threats, give Emerge a call at 859-746-1030.