The novel coronavirus isn’t the only plague affecting businesses. Cyberattacks are spreading, too, as malicious actors take advantage of interest in COVID-19 news and coronavirus fears to trick people into clicking on phony links and attachments in social engineering and phishing scams.
The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) warned of a surge in cybercrime attempts in an April 8 joint statement.
According to the agencies, these hackers’ phishing emails and social media posts purport to offer information about the virus—but the links and attachments they contain, when opened, install malware or ransomware. Malicious actors aim to gain access to systems and information or even to hold them hostage until a ransom is paid.
And Microsoft, too, warned that hackers were taking advantage of vulnerabilities in its Windows 10 operating system to gain access to devices and systems.
This kind of crisis-related cyberattack isn’t unique to the coronavirus pandemic. Threat actors often design phishing and social engineering campaigns around news events. Apparently, the tactic works.
To counteract these attempts to infiltrate organizational systems and sensitive data, best practices suggest increased security-awareness training for employees. Training, when coupled with reinforcements such as phishing simulations, can be effective. And yet, humans continue to be the weak link, clicking away and opening the door to intruders.
Constantly switching tactics
To cast the widest net possible, cyber thieves are using an ever-shifting array of tactics to intrude, disrupt, and defraud their victims. As of April 15, 18,235 Americans had reported losing a total of $13.4 million to COVID-19 scammers, according to the Federal Trade Commission. The fraudsters’ methods involved travel and vacations, online shopping, fake text messages, and imposter scams.
The Internal Revenue Service also warned about scammers sending text, email, and phone messages that purport to come from a U.S. government agency and offer to help recipients obtain the stimulus checks intended to provide relief during the coronavirus outbreak.
The Federal Communications Commission warned against giving out any personal information to callers offering coronavirus test kits and soliciting personal health information, or claiming to be from the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC) and asking for donations.
The Better Business Bureau warned about phony text messages from senders claiming to be the U.S. Department of Health and Human Services and demanding that recipients sign up for a “mandatory COVID-19 test” by clicking on a malicious link.
Student loan callback scams; phony links to websites for masks; fake COVID-19 cures; the list goes on and on.
What cybercriminals want:
- Personal information that they can sell on the black market
- Bank account and credit card information that they can use to steal their victims’ money
- Access to enterprise computer systems, gained by tricking workers into clicking on malicious links and attachments in phishing messages received on their organization-issued laptops or mobile phones
- Ransom payments to release data and systems held hostage in ransomware attacks
The best defense is a strong offense
To counter these scams and targeted cyberattacks, cybersecurity awareness is a good start. But numerous studies have demonstrated that workers will take security risks for the sake of convenience and productivity, for example by installing unauthorized applications (so-called “shadow IT”) on their work devices.
The best way to prevent these kinds of security workarounds and lapses is to hard-wire security into your systems, networks, and devices.
Identity authentication, access management, URL and attachment scanners, shadow IT blocking, and other strong security features can help with your cybersecurity risk management.
And to help you always know when risks arise and what to do about them, your best bet is to use an automated risk management and compliance solution.
ZenGRC provides visibility throughout your systems and those of your third-party vendors, alerts you in real time when vulnerabilities emerge, tells you how to correct problems, and tracks workflows so you always know, at a glance, where things stand and who’s responsible every step of the way.
And at audit time, our “Single Source of Truth” repository has the documents you need to show compliance with a long list of regulatory and industry frameworks.
You’ve got enough to think about during COVID-19 and beyond. Why worry about security when you don’t have to? Worry-free risk management and compliance is the Zen way. Contact us today for your free consultation.