Around the world, people are dealing with an endless volume of new information about the coronavirus outbreak. They are distracted, stressed and concerned about the wellbeing of family and friends. This can leave employees more susceptible to online schemes and to the “bad actors” attempting to take advantage of the situation. The email security firm Proofpoint reported in April 2020 that 80% of the emails it was intercepting had something to do with the coronavirus outbreak, a level the company called “unprecedented.”
Employers should remind employees of cybersecurity best practices to protect themselves and the organization. For example, the fact that employees are working from home should not change protocols for requests via email, particularly any involving money transfers. It is more important than ever for employees to slow down, review messages in detail, and pick up the phone to verify authenticity (using a phone number that can be verified through a source other than the email in question).
During the pandemic and beyond, remind employees that they should always be wary of a message if it:
- plays on fear or urgency;
- includes spelling, grammar or formatting errors;
- asks for personal information, login credentials or financial details;
- encourages clicking on a link or opening a suspicious attachment;
- uses an unfamiliar, incorrect or vague greeting; or
- originates from a suspicious or abnormal email address.
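For security teams that want to automate a first pass over reported messages, the sketch below turns most of the checklist above into header and body checks. It is an added example, not code from Sequoia or Proofpoint; the trusted-domain list, the keyword patterns and the sample message are constructed assumptions, and the spelling and grammar item is left to human review.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this organization really sends mail from.
TRUSTED_DOMAINS = {"example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
SENSITIVE = re.compile(r"\b(password|login|social security|bank account|credit card)\b", re.I)
VAGUE_GREETING = re.compile(r"^\s*dear (customer|user|employee|sir|madam)\b", re.I | re.M)
LINK = re.compile(r'<a\s[^>]*href="https?://([^/"]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

# Constructed sample message using reserved example/test domains.
PHISH = """\
From: "IT Support" <helpdesk@examp1e-support.test>
Reply-To: collector@mailbox.test
Subject: URGENT: verify your account

Dear user, your account will be suspended within 24 hours. Confirm your password at
<a href="http://login.examp1e-support.test/verify">portal.example.com</a>
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if there is none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def red_flags(raw):
    """Return the checklist items a single-part message trips, in checklist order."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    sender = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    # A link is suspect when the hostname shown to the reader differs from the real target.
    bad_link = any(
        (shown := HOSTNAME.search(label)) and shown.group(0).lower() != host.lower()
        for host, label in LINK.findall(body)
    )
    checks = [
        ("urgency", bool(URGENCY.search(text))),
        ("asks-for-sensitive-data", bool(SENSITIVE.search(text))),
        ("link-text-mismatch", bad_link),
        ("vague-greeting", bool(VAGUE_GREETING.search(body))),
        ("untrusted-sender-domain", sender not in TRUSTED_DOMAINS),
        ("reply-to-mismatch", bool(reply_to) and domain_of(reply_to) != sender),
    ]
    return [name for name, hit in checks if hit]
```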
Enterprises should also consider creating go-to destinations for employees to get the latest updates from their employer; information on any company policy changes and closures; official contact information for colleagues and supervisors; and links to reputable and objective sources for public safety, quarantine and medical guidance, such as the CDC, WHO, National Institutes of Health, and local government authorities.
Here are some common phishing scams to watch for and avoid.
- Credential Stealing: Threat actors are actively utilizing this pandemic to attempt to compromise individuals’ accounts and organizations’ networks.
- Government Authority Scams: Phishing scams can purport to be news from government authorities or public health organizations, directing recipients to click malicious links for updates on the spread of the COVID-19 pandemic, new containment measures or local advisories.
- Malicious Attachments: Other email scams spread malicious attachments, claiming to offer coronavirus protection tips or maps of the outbreak, but they actually contain malware.
- Financial Relief: Some scammers are using coronavirus-related financial relief measures as lures, which give criminals a new set of compelling pretenses for contacting victims to request sensitive data like Social Security numbers, bank account information and credit card data.
- Fraudulent Payment Scams: The Federal Trade Commission has reported massive surges in consumer complaints about scams related to COVID-19, totaling more than 10,000 fraud cases by mid-April 2020. The top categories of coronavirus-related complaints included travel and vacation related reports about cancellations and refunds, reports about problems with online shopping, mobile texting scams, and government and business imposter scams.
Based on the tactics used thus far, the FTC advises consumers to only click on links from sources they know, visit the CDC and WHO websites directly for the most up-to-date information, and be alert for fraudulent online offers for non-existent treatments and vaccinations, phony charitable donation campaigns, or “investment opportunities” from companies purporting to offer coronavirus products and services.
Proofpoint – Six Tips to Avoid Becoming a Victim of Phishing Scams
- Be aware that you are at risk. Knowing that attackers are ready to trick you out of your money can help you take an appropriately skeptical stance about information you may see or hear.
- Be wary of any communications you receive that promise stimulus payments. To date, the U.S. government has never used email to collect information for payment programs of this type. The U.S. Postal Service is used to both distribute and collect information. This means that any email or other digital communication you may receive that asks for stimulus information is almost certainly a fraud.
- Do not provide personal information in response to any online requests and avoid clicking on email links. If you have any questions regarding payments, go directly to authorized institutions.
- Create unique usernames and passwords for each account. You can reduce your risk of extensive compromise by using different credentials across multiple accounts. These accounts can include your email, financial/banking websites, work and streaming services.
- Verify websites are legitimate. If you are visiting a website, you can verify the site is safe by clicking the padlock image on the left of the browser address bar. Be sure to check that the name of the server matches your desired destination.
- Avoid disinformation by using multiple sources. Get information from reputable news sources and double-check any reports with another reputable news source. Be wary of information that friends send you or post on social media. These messages could be spam that they did not actually send or simply misinformation.
For more information on how to protect against phishing scams, please contact your Sequoia Risk Advisor and/or visit the Proofpoint website.
Disclaimer: This content is intended for informational purposes only and should not be construed as legal, medical or tax advice. It provides general information and is not intended to encompass all compliance and legal obligations that may be applicable. This information and any questions as to your specific circumstances should be reviewed with your respective legal counsel and/or tax advisor as we do not provide legal or tax advice. Please note that this information may be subject to change based on legislative changes. © 2020 Sequoia Benefits & Insurance Services, LLC. All Rights Reserved