As the novel coronavirus continues to spread, there has been an increase in the frequency of COVID-19 related scams. Please ensure you are taking proper measures to protect not only your corporate sensitive data, but also your personal devices and accounts. This is especially important for anyone who is using their own devices in the Bring Your Own Device (BYOD) model. Keep in mind that a compromise of your personal device could allow an attacker to access your corporate data. As such, it is important to secure ALL of your accounts/devices.
Below are some common attack methods and mitigations:
- Phishing Emails & Texts
  - Be wary of any emails or text messages claiming to be from the government, or any other authority, during this time. Avoid clicking on links, and especially avoid providing your personal information. Many of these scams will claim to provide access to your “stimulus check” or “vaccine” and ask for additional information. Do not reply; delete these messages, or reach out to your IT Helpdesk to help determine their legitimacy first.
  - There are quite a few “miracle cure” scams going on right now that try to capitalize on COVID-19 fears. Relying on the CDC for the most up-to-date and accurate information regarding COVID-19 prevention & treatment can help you avoid these false claims.
  - Organizations can conduct internal phishing campaigns to help keep employees vigilant and train them to identify malicious emails.
  - Remember that clicking on links/attachments or downloading software can compromise your workstations/devices. This risk is amplified when you are using your personal devices, as they may not have many of the safeguards your corporate devices have.
- Scam Calls
  - Another tactic attackers are using is to call users directly. They will instruct you either to give them access to your machine (via TeamViewer or similar software) OR to go to a malicious website. In either case, hang up and avoid following directions from an unsolicited source.
  - Unrelated to COVID-19, you should always be wary of anyone asking to connect to or make modifications to your computers, routers, etc.
  - Check the URLs you are being asked to visit, but be warned that there are ways to spoof URLs and make them seem legitimate. The best prevention is to avoid ANY unsolicited contact.
- Charity Scams
  - Many attackers are exploiting public goodwill to collect fraudulent charitable contributions. Ensure that you are donating to a legitimate charity, if you choose to do so. The FTC has guidelines on how to avoid charity scams (https://www.consumer.ftc.gov/articles/0074-giving-charity).
- It is more important than ever to ensure that your passwords are secure and unique. Do not re-use passwords anywhere, particularly ones used with corporate resources. If you re-use passwords, you make it easy for attackers to access your other accounts after a breach.
- You can check whether any of your accounts have been part of major breaches here (https://haveibeenpwned.com). Simply enter your email address(es) to see which breaches they may have been part of. This is not a list of every breach, only the ones that security researcher Troy Hunt has aggregated.
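The same service also lets you check a password itself against its breach corpus without ever sending the password out, and the way it does that is worth seeing. The script below is an added example (not code from this notice or from Have I Been Pwned) of the k-anonymity scheme used by the Pwned Passwords range API: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to https://api.pwnedpasswords.com/range/, the service answers with every hash suffix sharing that prefix, and the match is made locally. The range response embedded below is constructed so the example runs offline; the suffix for "password" is its real SHA-1 suffix, but the counts are made up.

```python
"""Added example: breach check for a password using the k-anonymity range
lookup of the Pwned Passwords API. Not part of the original notice.

Only a 5-character hash prefix leaves the machine; the full hash, and the
password, never do.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_text: str, suffix: str) -> int:
    """Parse a 'SUFFIX:COUNT' response body; return the count for our suffix, 0 if absent."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Fetch a real range from the service. Not called by the offline demo below."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_online) -> int:
    """Number of times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed stand-in for the response to GET /range/5BAA6 so the example runs
# offline. The middle suffix is the real one for "password"; counts are invented.
FAKE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "FB0F24C0D78B7B3DF9ACE1F4C8E1E8EBF96:12",
])


def offline_fetch(prefix: str) -> str:
    """Offline substitute for fetch_range_online, returning the constructed range."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: seen {n} time(s)" if n else f"{pw!r}: not in the (sample) corpus")
```

Swapping `offline_fetch` for `fetch_range_online` performs the real lookup. A non-zero count means the password has appeared in a public breach and should be treated as burned wherever it is used, which is exactly why the re-use warning above matters.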
- Media Advertisements
  - You may see malicious advertisements on popular websites which will initiate one of the scams referenced above. Remember that even large companies do not have the resources to fully validate every advertisement they host. It is best to avoid clicking on these advertisements altogether.
As remote workforces start to mobilize, it is imperative that organizations provide additional training to their employees to cover work-from-home security & best practices. Many of these resources are freely available. The cost of security training & prevention pales in comparison to the cost of a data breach (https://www.csoonline.com/article/3434601/what-is-the-cost-of-a-data-breach.html). ExponentHR has devoted resources to ensure its employees are adequately trained to identify phishing scams and protect corporate data.
Thank you and stay safe.