Cyber-criminals are opportunists.They will latch on to any current event or news story to attempt to take advantage of humans. So, it is no surprise this year we are seeing an amazing uptick in social engineering scams related to the COVID19 pandemic.
Google is blocking hundreds of millions of COVID19-related spam emails from cyber-criminals per day. However, some spam emails are still making their way through, and people are falling victim to a variety of attacks, including ransomware, malware, and other scams. That’s just in the case of Google; there are countless other email providers who are also doing their best to protect their users against the onslaught of COVID19 scams. Aside from email, cyber-criminals also target users with social engineering scams via phone calls and text messaging.
Here is a breakdown of the types of social engineering scams to watch out for:
- Medical-related scams. Currently, there are a lot of fake charities, fake medical supplies and vaccines, and fake virus tracking apps. There are a number of scams that look like they come from the CDC or WHO and claim to offer information on the virus. However, they have links or attachments that result in malware infections. Some users have also received fake medical leave forms over email. The bait is to offer the ability to take leave under the Family and Medical Leave Act (FMLA). When users open the attached form, it downloads malware, usually banking spyware.
- Contact tracing scams. There are several fake contact tracing apps that users are downloading, thinking they are the real app. These apps look just like the official government apps; however, they install malware on the phone to steal banking and other personal information.
- Unemployment scams. There are a lot of unemployment scams right now using emails asking users to identify their personal information in order to receive an economic stimulus check. Once the attacker gets the victim’s personal information, they file for unemployment in the victim’s name but use their own bank information for the checks.
- Service scams. A popular scam right now is airline carrier refunds. Cybercriminals know that millions of people canceled flights, and they hope to bait someone who is waiting on a response about their refund. Additionally, with people staying home, there are many phishing attacks for fake streaming services for TV and movies.
- Recruiting scams. Another interesting scam right now targets HR and recruiters by sending resumes that install malware when downloaded. This malware typically steals banking credentials or other personal information. The proportion of resumes infected with malware doubled over the last couple of months.
- Remote working scams. When employees work from home and connect back to their organization’s network, they typically do so over a VPN, which encrypts the communication. There are a lot of phishing emails that exploit this concept. Some look like an email from IT support from the user’s employer. The email has a link for a new VPN configuration for home access. Users click the link, and it asks them to enter their username and password like always. However, the link is really directing them to a fake page that looks the same as the real one, and the attacker now has the user’s username and password to log into the real system. Another scam exploits voicemail to email services. Many organizations have the ability to transcribe voicemails to emails, and a lot of remote workers are using this service right now. Some phishing emails look like they are voicemails with attachments or a link to a fake login page so they can get their usernames and passwords.
To protect yourself from these and other scams, make sure to do the following:
1. Take a pause when you receive an email, phone call, or text. This will help to recognize social engineering attacks and see through some of the cleverness of the cyber attacker.
2. If you receive a phone call from someone you don’t know, take a pause and write down information about the caller without offering any of your own information and tell them you will call back later. Then take some time to check into the matter or call the organization directly.
3. Use a separate method to verify the email or phone call. If an email looks like it’s from your bank, go directly to your bank’s website or give them a call directly. If the person on the phone says they are from a specific organization, take their information and call the organization directly. Don’t call the number the caller gives you because that is just part of the scam. Also, don’t always trust caller ID because that is easy to fake.
4. Do not give out your usernames, passwords, date of birth, SSN, or financial data to anyone in response to an unsolicited email, call, or text.
5. Protect your identity by freezing your credit. When your credit has a freeze, no one can get credit in your name or open any accounts in your name. This is a free service, but you need to call each of the credit agencies to do it. You can also easily unfreeze your credit when you need to open a new account.
6. Backup your data. Backups are extremely important right now both on personal devices and at the organizational level with the increased threat of ransomware. You can purchase a physical external backup drive or use online services to backup your data.
There are also all the old standbys, such as:
- Looking at the real link in the email by hovering your mouse over it.
- Generic wording that doesn’t include your name or it has misspellings and grammatical errors, these are clues to an unsophisticated cyber-attacker.
- Emails that encourage you to open an attachment should be scrutinized.
- If they are asking you to pay with a gift card or wire transfer, it is a scam.
The bottom line, slow down, take a pause. Being vigilant and a little skeptical will go a long way to protect yourself from social engineering scams.
Cyber disruptions are increasing in such frequency and severity that it’s no longer a matter of “if” but instead a matter of “when.” Organizations need to prepare. Vulnerabilities lead to erosion of confidentiality, integrity, or availability that may stem from malicious attacks, accidents, or natural occurrences.
SHINE Systems helps customers establish cyber resilience, enabling them to operate in the face of these threats through proactive prevention and detection, streamlined response, and rapid recovery.
For more information on our Cybersecurity services, please call Dr. Angela Orebaugh at 434-322-3000 Ext. 102 or email cyber@SHINESystems.com.
About the Author
Angela Orebaugh, Ph.D. is a technologist, educator, researcher, and author with a broad spectrum of expertise in information technology and security. She synergizes her 20 years of hands-on strategic and technical experiences within industry, academia, and government to advise clients on information technology and security strategy, management, and technologies.