Avoid COVID-19 Themed Scams and Business Compromise Emails

As our nation, and the world, grapples with the COVID-19 pandemic, cyber criminals are seeking to take advantage of the situation to exploit businesses and individuals. This article provides some tips for working safely and securely as more people work remotely, and as cyber criminals deploy “COVID-19 related” scams/malware/business compromise emails. 

One of the methods that cyber criminals employ is social engineering to take advantage of situations such as the COVID-19 pandemic and our interest/fears associated with the issue.  Many incidents can be prevented by practicing safe and secure business habits. This section focuses on every-day activities you and your employees can do to help keep your business safe and secure. While criminals are becoming more sophisticated, most criminals still use well-known and easily avoidable methods. This section provides a list of recommended practices to help protect your business. Each employee should be trained to follow these basic practices.

Use a VPN. Virtual Private Networks protect your privacy and data as it flows through the internet. VPNs create a “data tunnel” through which your encrypted data can flow from your remote site to the data destination. Additionally, if your tunnel detects a penetration by a hacker, it will collapse and create a new secure tunnel.

Secure your home/business router. Change the WiFi router password from the original password that was set in the factory because the original passwords are easily available on the internet. Make sure that your router is secured with WPA2 encryption, and use a strong password for your home/work WiFi network.

Be careful of email attachments and web links. One of the more common means of distributing malware is via email attachments or links embedded in email. Usually the malware is attached to emails that pretend to be legitimate or from someone you know (“phishing” or “spear phishing” attacks). Links and attachments can be disguised to appear legitimate, but in reality they download malware onto your computer.

Do not click on a link or open an attachment that you were not expecting. If it appears important, call the sender to verify they sent the email and ask them to describe what the attachment or link is.

Before you click a link (in an email or on social media, instant messages, other web pages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognize or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video, or web page without directly clicking on the suspicious link. Train employees to recognize phishing attempts and who to notify when one occurs.

Use separate personal and business computers, mobile devices, and accounts. As much as possible, have separate devices and email accounts for personal and business use. This is especially important if other people such as children use your personal devices. Do not conduct business or any sensitive activities (e.g. online business banking) on a personal computer or device and do not engage in activities such as web surfing, gaming, downloading videos, etc., on business computers or devices. Do not send sensitive business information to your personal email address.

Personal or home computers and electronics may be less secure than business systems. Personal devices may be used for web surfing to untrustworthy sites and have untrustworthy applications installed such as games which are not required for work and which add vulnerabilities that a hacker could exploit.

Some businesses may want to consider using a separate computer that is not connected to any network for certain business functions or for extremely sensitive information. Because most cyber-attacks require network connectivity, disconnecting extremely sensitive information from the network prevents these kinds of attacks.

Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network. Do not share USB drives or external hard drives between personal and business computers or devices. Do not connect any unknown / untrusted hardware into your system or network and do not insert any unknown CD, DVD, or USB drive. These devices may have malware on them. Criminals are known to place USB drives in public places where their target business’s employees gather, knowing that curious individuals will pick them up and plug them in. What is on them is generally malware which will spy on or take control of the computer.

Disable the AutoRun feature for the USB ports and optical drives like CD and DVD drives on your business computers to help prevent such malicious programs from installing on your systems.

Do not give out personal or business information. Social engineering is an attempt to obtain physical or electronic access to your business information by manipulating people. A very common type of attack involves a person, website, or email that pretends to be something it’s not. A social engineer will research your business to learn names, titles, responsibilities, and any personal information they can find. Afterwards, the social engineer usually calls or sends an email with a believable, but made-up, story designed to convince the person to give them certain information.

If you receive an unsolicited phone call asking for personal information from a company you recognize (such as from your bank or doctor’s office), ask for identifying information that only a person associated with the organization would know. If this is not possible, ask the person for their name and office or division and tell them you will call them right back. Call the company using the information from their website or on your contract or bill – do not use any phone number provided by the person who called you. Then ask for the representative who called you.

Never respond to an unsolicited phone call from a company you do not recognize that asks for sensitive personal or business information. Employees should notify their management whenever there is an attempt or request for sensitive business information.

Never give out your username or password. No company should ask you for this information for any reason.  Note:  This caution seems very obvious, but people are tricked into providing their username and password routinely.  Possible scenario: You receive a communication like this: “Someone with whom you have recently come into contact has tested positive for COVID-19.  Our company has been asked to map the distribution of people who could be infected and provide access to testing. Please enter your XXX username and password to access your free test kit.”

Also, beware of people asking what kind of operating system you use, what brand firewalls you have, what internet browser you use, or what applications you have installed. This is all information that can make it easier for a hacker to break in to your system.

Watch for harmful pop-ups. When connected to and using the Internet, do not respond to popup windows requesting that you click “OK” for anything.  For example, “click here to show the COVID-19 testing site nearest you” or “click here to be sent your free COVID-19 test kit.”

If a window pops up on your screen unexpectedly, DO NOT close the popup window, either by clicking “okay” or by selecting the X in the upper right corner of the popup window, especially if the pop up is informing you that your system has a virus and suggesting you download a program to fix it. Do not respond to popup windows informing you that you have to download a new codec, driver, or special program for the web page you are visiting. Some of these popup windows are actually trying to trick you into clicking on “OK” which will allow it to download and install spyware or other malware onto your computer. Be aware that some of these popup windows are programmed to interpret any mouse click anywhere on the window as an “OK” and act accordingly.

If you encounter this kind of pop-up window, disconnect from the network and force the browser to close (in Windows, hit “ctrl + alt + del” and delete the browser from running tasks. In OSX, right-click the application in the bar and select “force close”). You should save any files you have open and reboot the computer, then run your anti-virus software.

While there is no magic formula to prevent a person/employee from falling victim to a malicious email/pop-up/etc., training your employees on the above topics can reduce the likelihood of the introduction of malware to your network.

The source of this article is SMALL BUSINESS INFORMATION SECURITY: THE FUNDAMENTALS (NISTIR 7621, Chapter 4, pages 28-32) which is available free of charge from: https://doi.org/10.6028/NIST.IR.7621r1.