Criminals seldom pass up a good opportunity to further their criminal enterprises. We are beginning to hear from a variety of our customers that the COVID-19 scams have begun. Please educate your staff that these scams are coming in and that they will cause you problems. Feel free to share this email. It is critical that while we are preoccupied with COVID-19, we do not allow criminals to profit from others’ tragedies!
Here are a couple of examples:
- I received a call from the IRS and FBI (same call, one person) telling me that the US government cares about the success of my business; they wanted to give me money to help keep my business running. They needed my ACH information to send the money. Because it is such an emergency, they don’t even need an application.
- I received a call from a customer last night stating that “A very legit-sounding lady” is calling their staff, saying: “Hello, this is Nurse Jen calling to follow up on your tests from yesterday. Unfortunately, you DID test positive for coronavirus. No need to panic but call us back with your credit card handy so we can overnight you your antibiotics. It’s important that you and any family or roommates STAY HOME. Call us so we can get you your meds and give you further quarantine instructions.”
- There are also a ton of calls regarding the sale of test kits and other items that relate to this virus.
These scams are arriving via email, text messages, websites, and telephone calls. Please take the following precautions:
- Teach employees to avoid clicking links or attachments in email; they can use www.VirusTotal.com to test links and attachments.
- Calls, text messages, and emails that sound too good to be true usually are.
- The government is not going to call you and ask you to provide account information so they can send money to you!
- You likely do not have relatives in countries you cannot pronounce. If you have a relative who is traveling, contact him, her, or them directly through a number you KNOW to be accurate.
- The government is not giving out free iPhones to help in communications.
- If you are ill and you went to the hospital for a test, please check with the hospital directly. If they call you, make an appointment to go in.
- Hospitals and real pharmacies are the only trustworthy source of anything medical.
- Be wary of any link that purports to tell you anything about the COVID-19 virus. Please visit proper news sites: CNN.com, foxnews.com, msn.com, etc.
- The Federal Trade Commission (FTC) says:
- “Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying they have information about the virus. For the most up-to-date information about the Coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
- Ignore online offers for vaccinations. There currently are no vaccines, pills, potions, lotions, lozenges or other prescription or over-the-counter products available to treat or cure the Novel Coronavirus disease 2019 (COVID-19) — online or in stores.
- Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.”
- Employees should validate any emails they were not expecting by calling the person.
- Many of these emails have good indicators such as misspelled words, capital letters in places we do not usually place them, conflicting attachments (e.g. attachments that include an invoice and a contract. Shouldn’t the contract be in place prior to an invoice?), orders to immediately send money to someone who is higher up in the company than you, language problems (misuse of the English language), etc.
- Any email that directs a person to make a payment should be validated by calling the person (at a phone number you know, not the one in the email) and validating their request. We recommend a company policy against the use of email for ANY transactional events; the email could be easily spoofed.
- When in doubt, users should have a known number to call for reporting the event; we recommend rewarding such reports. A simple $1 certificate and a quarterly “Phish finder” award provide positive reinforcement of good behavior.
- We also recommend that users be trained that anytime an email, an embedded web link, or any other part of an email requests a password, they immediately report it and do not provide their username and password.
- Incident response is CRITICAL; if you receive a report of a phishing attempt or another security issue, you must respond quickly.
- While providing a complete Incident Response playbook is out of scope for this alert, when dealing with these types of attacks, you should profile the attack and block anything that can be blocked. For example, you could block the domain the email came from, the website it leads to, the IP address range of the attacker(s), etc.
- The information gathered should be used to alert the rest of your company and to search for users who fell for the scam. For example, if there is an embedded link in the email, you can search your web proxy and/or firewalls to see who went to the site. You can search email proxies to see who sent email to the person.
- Any passwords that were shared with the criminals should be changed; many times, end users fail to tell us that they sent their password(s). You should ask them and ensure they know that they will not be in trouble if they tell you.
- Have solid, tested backups of everything that is important to you. Please ensure that these backups are kept isolated from production systems and that they use different credentials.
- Use web and email proxies to limit exposure to such attacks.
- Keep systems patched.
- Block VBA/Macro Code, preferably at the network level.
- Ensure you have antivirus software installed on all systems, including all servers. Ensure that the definitions are current.
- Do not have open shares set up. There should be no shared drives that allow “everyone” access. You should ensure that every folder grants access only to the people who need it.
- Ensure that system admins log in as their normal (non-administrative) user and elevate privileges as necessary. Admins should limit logging in with their administrative accounts to only those situations that REQUIRE this type of access.
- Limit or block access to social media sites like Facebook; these sites are breeding grounds for such attacks.
- Enable the system firewall to properly protect the system.
- Use application whitelisting; this approach permits only approved applications to run, which ensures that users cannot run inappropriate programs.
- Remove local administrative rights from end users.
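The incident response items above (profile the attack, then search the web proxy for users who visited the site) can be scripted. The following is an added example, not part of the original alert; the email, the log lines, the log format, and all names and domains in it are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample report; every name and domain here is made up.
REPORTED_EMAIL = """\
From: "Nurse Jen" <results@cdc-covid-relief.example>
To: pat@corp.example
Subject: URGENT: your test results

View your results at http://portal.covid-results.example/login today.
"""
# Constructed proxy log; assumed format: timestamp user method url status
PROXY_LOG = """\
2020-03-20T09:14:02 pat GET http://portal.covid-results.example/login 200
2020-03-20T09:15:40 sam GET https://www.cdc.gov/ 200
2020-03-20T09:17:11 lee GET http://PORTAL.covid-results.example/login?id=7 200
2020-03-20T09:18:30 lee POST http://portal.covid-results.example/submit 302
2020-03-20T09:20:05 kim GET https://www.virustotal.com/gui/domain/portal.covid-results.example 200
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def extract_indicators(raw_email):
    """Profile the report: sender domain plus every host linked in the body."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1]
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(msg.get_payload())}
    return {"sender_domain": sender.rpartition("@")[2].lower(),
            "link_hosts": sorted(h for h in hosts if h)}

def host_matches(host, indicator):
    # Compare parsed hostnames, not raw log text: a substring search would
    # also flag kim, who only looked the host up on VirusTotal.
    return host == indicator or host.endswith("." + indicator)

def find_exposed_users(proxy_log, indicators):
    """Map each user to the (timestamp, method, url) requests that hit a flagged host."""
    flagged = {i for i in [indicators["sender_domain"], *indicators["link_hosts"]] if i}
    hits = {}
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing mid-search
        ts, user, method, url, _status = parts
        host = urlsplit(url).hostname or ""
        if any(host_matches(host, i) for i in flagged):
            hits.setdefault(user, []).append((ts, method, url))
    return hits

def likely_submitted_data(hits):
    """Users who POSTed to a flagged host: ask them first about shared passwords."""
    return sorted(u for u, reqs in hits.items() if any(m == "POST" for _, m, _ in reqs))
```

A POST to a flagged host is a hint that data was submitted, not proof, so it sets the order in which to contact users rather than replacing the conversation with them.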
If you need assistance, please let us know; we have decades of experience in these situations and have a fully established incident response team with the tools to assist. We also know how to limit the effectiveness of such attacks. We are here to help you!