One cannot go anywhere currently without Covid-19 being a part of the conversation. From retailers, restaurants, offices and places of worship, everyone has been affected. And, not surprisingly, the unscrupulous (hackers, phishing scams, and malware) on the Web have also found a way to take advantage of Covid-19.

Hackers, scammers, and others have become so prevalent that Cloudflare (based out of the UK) recently reported that that online security threats have increased by 37% in just four weeks. In fact, Cloudflare reported that on some days it was blocking between four and six times the number of attacks normally seen! It was also noted by Google that in mid-April that every day there were over 18 million malware and phishing emails related to the pandemic. In addition, the organization behind Trickbot sent out hundreds of emails claiming to be from volunteer and humanitarian groups who offered testing and to have information regarding testing and medical advice. The Trickbot emails contained an assortment of attachments all designed to install malware onto the computer of anyone who opened it.

Going beyond the damage these nefarious attacks have done to companies and individuals’ computers is the financial strain. The US Federal Trade Commission stated recently that Americans have lost more than $12 million Covid-19 related scams since January. Consumers have reported nearly 16,800 incidents of fraud.

The uptick in phishing and hacking is believed to be the result of cybercriminals having significantly more time on their hands for exploiting others. And while many hackers have targeted those entities within the medical profession, people and businesses of every type have been affected – especially with so many people working from home. These cybercriminals along with members of advanced persistent threat (APT) groups are using a wide range of ransomware and malware on their targets. 

Worldwide virus-related hacking issues include:

  • In Hong Kong, it is suspected that state-sponsored attackers used the virus to lure users into clicking on news links that were coded with booby-trapped IOS spyware.
  • Chinese firm QiAnXin identified Russian hackers who sent phishing emails coded with harmful document attachments from Ukraine’s Center for Public Health that, when combined with other disinformation, resulted in rioting.
  • VinCSS of Vietnam found a high percentage of dangerous emails claiming to be information from their prime minister about Covid-19.
  • A South Korean food company was targeted by hackers claiming to be CDC Health Info by way of a US diplomat with an assortment of phishing attacks.

But not all hacking and phishing expeditions have been done overseas. Americans have dealt with problems, too. One computer forensics expert, Gary Warner of the University of Alabama, stated that he had seen an increase of scams in his email inbox, with numerous “Coronavirus/Covid-19 fraud and spam messages. They ranged malware touted as product catalogs, fraudulent requests for Bitcoin donations from the WHO, and affiliate marketing scams selling immunity oil.

Like others who understand how malware, phishing, and hacking work, Warner strongly recommends being proactive in your cyber safety measures so you can minimize your risks of being a victim of a cybercrime.

How to Protect Yourself Against Hackers

Never think that you or your company is too unimportant to be attractive to a hacker. The simple truth is that hackers enjoy the process and the thrill of the hunt. Sure, larger companies and the wealthy are prime targets, but anyone is fair game to a hacker. As a result, it is vital that you do your part to minimize the risks. These actions should be taken for all your devices (phone, desktop, tablets) as applicable.

  • Install security updates for your operating system and programs. An out of date system is an easier target for hackers.
  • Use reputable browsers such as Chrome or Firefox as these entities do frequent updates.
  • Be suspicious of any official-looking email that asks for personal or financial information.
  • It is important to use unique passwords and be sure to change them often. If you are concerned about remembering your various passwords, consider using a password management program such as LastPass, Keeper,  or Logme.
  • Think before you click. If you are unfamiliar with a particular piece of software, don’t recognize the attachment as something you were expecting,  or if a website looks sketchy or outdated, then don’t click the link!
  • Install browser add-on features such as Click-to Play or NoScript that prevent the automatic download of plug-in content and scripts that can contain harmful coding.
  • Never leave your personal devices – phones, laptops, tablet, etc.- unattended. If you use an external hard drive or flash drive then be sure they are encrypted and locked up. If you are a desktop user then be sure to shut it down when you are not using it.
  • Do frequent backups of your data.
  • Install antivirus/anti-malware programs to your devices.
  • For mobile devices – Always lock them with a PIN or password, and never leave it unprotected in public. In addition, never download apps from untrustworthy sources. 

Especially for business owners:

  • Prioritize network or data center patches, or work with a managed services provider to see that this is done.
  • Require all employees to have the latest operating system patches for all devices used for company work.
  • Opt for managed network solutions and data centers which include cyber security protection, as well as services such as remote monitoring, AI, and tools that eliminate threats before they reach your inbox.
  • Require that your employees’ home networks are password protected.
  • Require that employee passwords are changed often – ideally every 90 days.
  • Enable two-factor authentication to key applications and for employee devices used for company work.
  • Be certain that employees all use anti-virus software on all their computer devices. 
  • Consider a managed security solution from a company or partner you trust to have your back.
  • Invest in secure software and collaboration tools.
  • Ask employees to use a secure file-sharing program to use when sending data.
  • Opt for a VPN (virtual private network) so that you and your employees can securely access your network from any device.
  • Invest in cybersecurity training. As the expression goes, a strong offense is the best defense.  In light of the current pandemic, this training is crucial. A report from Security Magazine found that only 22% of companies provide their employees with cybersecurity training.
  • Wipe devices of data before discarding or returning on a lease agreement. Many mobile devices have an option for secure resets.

Signs of a Phishing Expedition

When it comes to phishing scams, you can always expect them to follow the headlines. Whether it is a tsunami, a tornado, or in our current experience, Covid-19, email scams will be prevalent. With the Corona Virus, popular approaches by phishing entities include selling counterfeit versions of medical supplies, tricking people into purchasing fake cures and offering bogus investment opportunities in companies that supposedly have a cure for the virus.

As you work to stay alert phishing scams, there are several indicators to watch for.

  • Focusing on current events. Phishing expeditions often take current news stories and big events to make their scam appear more believable.
  • Increasing FOMO (fear of missing out) by making what they have a scarce commodity – toilet paper or sanitizer, anyone? An effective phishing approach will offer something that is in short supply and make you think that you cannot afford to miss out on their offer.
  • Positioning themselves as an authority on the topic. Often the author of a phishing scam will claim to be someone official – a bank manager, a lawyer, a government official, a doctor, etc. – so as to make their email seem safe and official.
  • Many phishing scams play on one’s emotions. The message is designed to make its recipient panic, fearful, hopeful, or curious. After all, if one’s emotions are at play it makes them more likely to open up their wallets or share vital information.
  • Asking for vital information such as banking account info, or personal information as a part of your response.
  • They have a short time-frame for accepting or being involved in the offer. For instance, a 24-hour window or even an immediate response being needed. Taking it a step further, many times scammers will go so far as to threaten you with fines or other negative repercussions if you fail to respond.

Types of Phishing Scams

There are many types of phishing scams out there, and not all of them are ones that will be seen in your inbox. Some of these include:

  • Domain Spoofing – This type of scam uses a real company’s domain and modifies it slightly. The lesson, pay attention to the actual sender of any missives that you don’t recognize!
  • Voice Phishing – When a scammer calls you and pretends to be someone else. Quite often they will redirect you from an automated message and mask their phone number.
  • Social Media Phishing – Posts or direct messages to entice you to purchase their product/services, sending you fake friend requests, or even giveaways that are designed to garner your information.
  • Clone Phishing – This phishing approach duplicates a real message with links or attachments that were sent to you, then replaces those links/attachments with malicious ones.
  • Watering Hole Phishing – When a popular website is targeted by a phishing scam that results in the website being exploited for any weakness.
  • Clickjacking – This is when a website’s vulnerabilities are exploited and hidden capture boxes are inserted. These boxes are then used to grab user login credentials and any other information you might enter.
  • HTTPS Phishing – This is an especially malicious phishing approach as it gives the illusion that a site is safe by having the padlock icon in the URL bar. This sign used to be only attainable if your site was verified as safe, but now anyone can get the symbol as a part of their URL.

What to Do if You Have Accidentally Opened a Fraudulent Link:

So, you have clicked a link and realized immediately it was a mistake. Don’t panic. There are actions you can take to minimize loss/damage.

  • If you are using a laptop or phone that contains work content and documents, immediately contact your company’s IT department and let them know.
  • If it was a link or document that involved questions regarding your banking accounts, contact your financial institution. It is likely that your cards and possibly your account will need to be replaced or numbers changed.
  • If you think you have lost money as a result of a hack, be sure to let your bank know immediately, so they can begin the process of recovering it- if it is doable. This also helps them take steps to keep it from happening again, to you or anyone else.
  • Open your antivirus (AV) software and run a full scan, allowing the program to clean up any problems it finds.
  • If you provided your password, change it- as well as any other accounts that would be accessible using that particular password. (Yes, one should use a different password for every account set up. But, we all know that most of us do not follow that ‘rule’ and have a handful of passwords that we use interchangeably!)

As long as there is an opportunity for the criminal element to prosper, it will be necessary to be proactive in protecting yourself. However, in knowing what to watch for, what to do if, and how to protect yourself you can sleep easier at night.

Don’t be a victim to Covid-19 related (or any other types of) phishing and hacking. Take proactive measures to protect yourself. If you are unsure as to what you need to do to your website or personal devices now would be a good time to talk to the pros at Page Progressive. We can answer your questions and help you decide what you want to do to keep yourself or your business from being a victim. Contact us with any questions!