Hackers may use coronavirus against you. Hackers and fraudsters recognize that coronavirus is a potent tool for cyber attacks. Some attacks can be delivered with a twist when staff are working from home. Here are some of the ways we see bad guys using this situation to trick you and get access to sensitive data, systems, and networks:
- Stealing your username and password. Attackers send phishing emails to try to trick you into giving up your work credentials. A message may claim to link to an ‘important’ online document (in a sharing service like Box, Dropbox, ShareFile, or SharePoint), but you’ll end up at a fake site that prompts for your username and password. (You may be sent to a legitimate site first and then redirected to the bogus website.) You’ll probably see an error message at the end of the attack, but the attacker may use your just-stolen credentials to log you into your account.
- Using coronavirus news as bait. Attackers quickly adopt current events in their phishing. Fake coronavirus news with links to malicious websites appeared within days – almost as fast as real coverage – and the emails include copied logos and graphics to amp up the realism. Don’t use your work computer to read coronavirus news – use a personal device. When you do read the news, it’s safer to go directly to a trusted news source’s website than to click a link in your inbox.
- Using coronavirus resources as bait. Phishing emails pose as the CDC or WHO to trick you into clicking – bad guys have registered hundreds of coronavirus-themed domains to draw your clicks. Attackers have sent malicious files claiming to be maps of coronavirus spread – in fact, bad guys have added malware to legitimate coronavirus-related documents to trick victims. Don’t open unsolicited attachments or click on links that you didn’t request. If you need information, use your browser to go directly to trusted search engines and websites.
- Emailing as IT, HR, or management. Hackers know that organizations rely on email to share information, so they create phishing attacks that present as IT sharing updated VPN software, HR posting a new leave policy, or an executive discussing emergency plans. Look critically at ‘internal’ emails – check sender details, hover over links to make sure they lead to the right website, and look for clues in language and style that may tell you the message is a fake. If you aren’t sure, check another way – like your intranet, internal chat, or a phone call.
- Posing as vendors. Organizations are communicating with vendors regularly as they adapt to changes driven by media, government, customers, employees, and business partners. Watch for senders pretending to be trusted vendors requesting coronavirus-related changes – new processes, changed contact information, or payment updates could be a business email compromise (BEC) instead. Even harder to spot, attackers who take over a vendor’s email will send change requests directly from the victim’s account. Don’t break existing rules in a crisis – if you receive a change request by email, use another method (like a phone call) to confirm. (If you get a phone call from a vendor, confirm the caller’s identity – or call back to a number on file to make sure the caller is legitimate.)
- Posing as employees. Phishers target HR and IT by pretending to be employees – for example, requesting a password reset or asking for a direct deposit update from a ‘personal account’. Follow established processes and verify identities and requests – through a call-back or internal chat.
- Posing as IT. If you get a phone call from IT, confirm the caller’s identity – or call back on an official line to make sure the caller is for real. For example, hackers claiming to be from your IT department may ask you for remote access to your computer. Be suspicious of unexpected calls, and remember that your IT team should never ask for your password (don’t share it with anyone).
- Posing as Microsoft or Google. If you get a call, text, or email from Microsoft or Google, it’s probably not real – and coronavirus won’t change that. Automated account messages aside, Microsoft will not contact you because they’ve spotted a problem with your computer and want to help you fix it. Fraudsters will make that claim. If anyone calls you claiming to be from a technology vendor, or you see a message telling you to contact them directly, let your IT team or security officer know.
- Calling or texting. Phishing may be more common, but ‘social engineers’ also use phone calls (called ‘vishing’) and text messages (called ‘smishing’, after the SMS protocol) to try to trick you into giving up sensitive information and login credentials. Be suspicious of any unsolicited contact; coronavirus is just another topic they use to get you to share too much – practice social distancing from social engineers.
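The two manual checks above, hovering over a link to see where it really goes and distrusting document-sharing lures on lookalike domains, can be automated over an email's HTML body. This is an added example, not code from the original article; the trusted-domain allowlist, the sample message, and the use of example.com as the organization's own domain are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: real sharing services the organization uses plus its own domain
TRUSTED_DOMAINS = {"box.com", "dropbox.com", "sharefile.com", "sharepoint.com", "example.com"}
SHARE_BRANDS = ("box", "dropbox", "sharefile", "sharepoint")

def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(href, [reasons])] for links that fail the hover-over and lookalike checks."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registered_domain(host)
        reasons = []
        shown = re.search(r"https?://([\w.-]+)", text)  # a URL shown as the link text
        if shown and registered_domain(shown.group(1)) != dom:
            reasons.append("display/href mismatch")
        if dom not in TRUSTED_DOMAINS and any(b in host.lower() for b in SHARE_BRANDS):
            reasons.append("lookalike sharing-service domain")
        if dom not in TRUSTED_DOMAINS and re.search(r"corona|covid", host, re.I):
            reasons.append("coronavirus-themed domain")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message: two lures and one legitimate internal link
SAMPLE_EMAIL = """
<p>Please review the <a href="https://sharepoint-docs.example-login.net/open">important document</a>.</p>
<p>New VPN: <a href="http://corona-updates.example.org/vpn">https://intranet.example.com/vpn</a></p>
<p>Policy: <a href="https://company.sharepoint.com/sites/hr/leave">HR leave policy</a></p>
"""
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links and passes the genuine SharePoint subdomain, because the allowlist is matched on the registered domain rather than on the full hostname.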
Most coronavirus-related cyber threats are just variations on the way that bad guys target you every day – with phishing attacks, business email compromise, vishing, smishing, malware and ransomware, credential theft, and social engineering. (There’s even new ‘CoronaVirus’ ransomware, posing as legitimate WiseCleaner software, that installs a tool to steal your passwords before encrypting your files and demanding a small ransom.) Even if your work environment changes, stay alert to possible cyber attacks and let someone know if you spot something suspicious.