Fighting the wave of coronavirus phishing scams

Mar 17, 2020

Cyber criminals are trying to play on coronavirus fears by sending out fake emails to trick people into downloading malicious software.

The phishing scams impersonate the World Health Organization, the Centers for Disease Control and Prevention, the Red Cross or government health agencies.

Cybercriminals "recognize that when there is a crisis, people are hungry for information — they are looking for whatever is new," Shawn Henry, who once headed the FBI's cyber division, told NBC News.

Since the beginning of this year, more than 4,000 websites have been created with words like corona and covid.

Hackers aren't just trying to trick individuals; they are also launching a new level of attack at companies.

Phishing emails are often designed to look like COVID-19 alerts from C-suite individuals. With an increasing number of organizations asking employees to work from home, the risk is even higher as cybercriminals look for gaps in your cybersecurity.

Here are three steps you can take to try to minimize the risks.

1. Communicate the risk

Be proactive and tell your teams how you will distribute critical alerts and information, what information you will not request in emails and emphasize the importance of using approved company equipment and safety measures.

2. Communicate your security policies

Make sure your staff knows what security protocols you have in place and what rules you expect them to follow when working remotely. Explain how they can check that they are connected to your VPN and that your endpoint security software (e.g. antimalware, Windows Firewall, etc.) is running. Ensure they understand the risks of using public Wi-Fi networks. Set expectations about using personal equipment.

3. Conduct phishing training

Train your employees on how to spot well-crafted spear-phishing attempts and how to verify all requests for sensitive information using an out-of-band verification method. Configure your systems to automatically identify external emails to help combat executive-impersonating emails. One effective tactic is to configure your email system to automatically flag external emails with a large, conspicuous banner at the top that labels the email as coming from an external sender.
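The external-sender banner described in step 3 is usually configured in the mail platform itself, but the logic is simple enough to show end to end. The following is an added example written for this article, not code from Wipfli or from any mail product: a small Python filter that treats any message whose From: domain is not one of the organisation's own as external, stamps it with an `X-External-Sender` header, prefixes the subject, and prepends a conspicuous banner to the text body. It also raises an `X-Executive-Impersonation` flag when an external sender uses the display name of a known executive, which is the pattern behind the C-suite "COVID-19 alert" lures mentioned above. The domain `example.com`, the executive name and the two sample messages are all constructed for the example.

```python
"""Tag inbound mail from outside the organisation with a conspicuous banner.

Added example (not part of the original article). Assumptions, all
constructed: the organisation owns example.com, 'Jane Doe' is an executive
whose name is worth watching for, and the two sample messages below.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own sending domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}

# Assumption: display names of executives that phishers tend to imitate.
EXECUTIVE_NAMES = {"jane doe"}

BANNER = (
    "*** EXTERNAL SENDER *** This message came from outside the organisation. "
    "Verify any request for credentials, payments or data through a known "
    "phone number or in person before acting on it.\n\n"
)

# Constructed sample: a lure using a COVID-themed domain and an executive's name.
SAMPLE_EXTERNAL = b"""From: Jane Doe <jane.doe@covid19-alerts.test>
To: staff@example.com
Subject: Urgent COVID-19 update
Content-Type: text/plain; charset="utf-8"

Please open the attached guidance and confirm your login details.
"""

# Constructed sample: a genuine internal notice that must pass through untouched.
SAMPLE_INTERNAL = b"""From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: VPN maintenance window
Content-Type: text/plain; charset="utf-8"

The VPN gateway will be patched tonight at 22:00.
"""


def sender_domain(msg: EmailMessage) -> str:
    """Return the lower-cased domain of the From: address, or '' if malformed."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_external(msg: EmailMessage, internal_domains=INTERNAL_DOMAINS) -> bool:
    """A missing or unparseable From: is treated as external (fail closed)."""
    return sender_domain(msg) not in internal_domains


def impersonates_executive(msg: EmailMessage, names=EXECUTIVE_NAMES) -> bool:
    """True when the display name matches a watched executive name."""
    display, _ = parseaddr(str(msg.get("From", "")))
    return display.strip().lower() in names


def tag_external(raw: bytes) -> EmailMessage:
    """Parse a raw message and, if it is external, add header, subject and body marks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return msg

    msg["X-External-Sender"] = "yes"
    if impersonates_executive(msg):
        msg["X-Executive-Impersonation"] = "yes"

    # Prefix the subject so the flag survives in list views that hide headers.
    subject = str(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = "[EXTERNAL] " + subject

    # Prepend the banner to the plain-text body when one exists.
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        body_part.set_content(BANNER + body_part.get_content())
    return msg


def body_text(msg: EmailMessage) -> str:
    """Helper for inspection: the plain-text body, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


if __name__ == "__main__":
    tagged = tag_external(SAMPLE_EXTERNAL)
    print(tagged["Subject"])
    print(tagged["X-External-Sender"], tagged["X-Executive-Impersonation"])
    print(body_text(tagged))
```

Deciding "external" purely from the From: domain is deliberate for a banner: the point is to warn the reader, not to authenticate the sender, so authentication results (SPF/DKIM/DMARC) belong in a separate policy layer. A real deployment would run this at the mail gateway and keep the internal-domain list in configuration rather than in code.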

Author: Tom Wojcinski, CISA, CRISC, Director

COVID-19 resource center | Wipfli