Advisory April 21, 2020
COVID-19 has forced many of us to rely heavily on online tools to collaborate with others while maintaining a physical distance. Cybercriminals have taken advantage of this surge in online activity, along with the fear that the pandemic presents, to propagate malicious content aimed at stealing confidential and financial information belonging to employees and employers alike, and at compromising devices and computer networks.
Some methods used by cybercriminals include:
1. Sending fraudulent and unsolicited emails that look so real that they trick some recipients into believing that the email originated from a legitimate source. Often a malicious attachment or link is included with the email which, when accessed, could result in device/network compromise or leaked confidential information.
2. Embedding links or tracking tools, or displaying pop-up windows, when visits are made to legitimate websites, which when accessed could result in device/network compromise or leaked confidential information.
3. Barging in on online meetings that cybercriminals were not invited to and soliciting sensitive information.
4. Creating fake websites that look like the real website to trick persons into using the fake website.
Other scams that cyber attackers may use to target unsuspecting employees during this time:
- Vishing: the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft.
- Spear Phishing: the act of targeting selected users through fake emails, appearing to be from a trusted sender, with the aim of gathering personal information from users by prompting them to click on links that redirect to fake websites.
- Online Shopping Account Spoofing: informing unsuspecting users that their online shopping accounts (eBay, Amazon etc.) are compromised and that they must click on a link to resolve the problem. The website that the link redirects to will then prompt users to enter their credentials, which will give attackers access to their accounts.
- Social Media Spoofing: Social media notifications or posts that you “must click to see”.
- Mobile App Malware: Attackers create fake mobile apps that pose as legitimate apps developed by reputable organizations, such as an app from the World Health Organization that will teach you how to cure the COVID-19 virus. However, the application may contain a Trojan that steals sensitive information.
Ways to Stay Vigilant
Be careful when opening emails
- Make sure the address and/or attachment(s) are relevant to the content of the email.
- Make sure you verify the sender of an email.
- Look for typographical errors.
- Be very cautious if you are asked for personal or financial information.
- Be very cautious if the tone of the email is urgent. It is better to verify with the sender using another contact method such as a phone number.
Only go to trusted websites
- Double-check that a website is legitimate and trustworthy.
- Make sure web addresses are spelled correctly.
- Malicious actors usually make a minuscule change to a web address so that it resembles an authentic website, e.g. Facebook.com (legit) vs. Faceb0ok.com (untrustworthy).
- Hover your mouse over a hyperlink so you can verify whether it will direct you to the correct website.
- Scan the website using the following web tool: https://www.urlvoid.com/
- Use pop-up blockers when accessing websites.
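The "minuscule change to a web address" check above can also be automated, for example in a mail or proxy filter. The following is an added example, not part of the original advisory; the trusted-domain list, the substitution table and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation maintains its own list of trusted domains.
TRUSTED = ("amazon.com", "ebay.com", "facebook.com", "who.int")

# Assumption: digit/symbol-for-letter swaps commonly seen in lookalike names.
SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def host_of(url):
    """Return the lowercase hostname of a URL or bare domain, without 'www.'."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    host = host_of(url)
    for t in TRUSTED:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    # Simplification: treat the last two labels as the registered domain
    # (a production check would consult the Public Suffix List).
    registered = ".".join(host.split(".")[-2:])
    skeleton = registered.translate(SUBS)
    for t in TRUSTED:
        if skeleton == t or edit_distance(registered, t) <= 1:
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("https://www.facebook.com/login", "http://Faceb0ok.com/",
                   "faceboook.com", "https://example.org"):
        print(sample, "->", classify(sample))
```

A "lookalike" verdict is a prompt for closer inspection, not proof of malice; short trusted names in particular can sit one character away from unrelated legitimate domains.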
A PDF version of this document can be downloaded by clicking the following link