The news about the coronavirus pandemic gets a little more frightening with each passing day. The death toll in China has risen to the thousands and a growing number of countries are closing their borders to travelers from at-risk areas. There’s suddenly a global shortage of surgical masks. And as with almost every worldwide news event these days – whether it’s as trivial as the finale of a popular TV show or as dire as a steadily spreading, potentially lethal pathogen – the scammers have come out to take advantage of the situation and your fear.
In the case of the coronavirus, we’re already seeing phishing emails that claim to have information on how to protect yourself from the disease, but in fact contain malware-bearing web links or attachments.
Furthermore, researchers discovered a series of phishing attempts aimed at businesses in sectors that are particularly vulnerable to a disruption in trade because of the coronavirus, such as manufacturing, transportation and finance.
The messages feature subject lines like “Coronavirus – Brief note for the shipping industry,” then direct recipients to download a Microsoft Word document promising more information. That Word file activates a strain of malicious software, AZORult, which allows attackers to make off with sensitive data.
When an email or text message hits your mobile phone or laptop with promises of information, video clips, or photos about such a significant, attention-grabbing topic, you may relax your usual wariness long enough to click. The next thing you know, a ransomware infection has encrypted all your data, applications, and systems and is spreading throughout your company.
This cynical exploitation of a global health emergency provides a useful reminder that there are vultures everywhere, and they’re always scanning the horizon for the guileless to feast on.
Here are a few best practices to help avoid becoming a victim yourself.
How to avoid phishing scams in three steps
Be wary of communications from people you don’t trust
That’s increasingly challenging these days. Many of us have to process thousands of messages daily in the course of our jobs, and both time pressures and fatigue can lower our guard. What’s worse, phishing scammers are getting better at crafting trustworthy-looking emails, increasingly with the help of artificial intelligence, often targeting specific individuals with details gleaned from social media and other online sources. As a general rule, if an email’s subject line touches on an issue that excites or troubles you, beware. Cybercriminals know that pushing your emotional buttons increases their chances of a successful phishing expedition.
Implement a cybersecurity awareness-training program
If you have a risk management role in your organization, whether in legal, IT, security, or compliance, consider implementing a cybersecurity awareness-training program. A typical component of this is the regular distribution of harmless phishing emails to employees. Anyone who falls for them gets follow-up emails showing the phishing telltales they missed and reminding them to be more vigilant. Other planks in such a program include refreshers on company IT security and compliance policies, tips on safer online browsing behaviors, and so on. These can be valuable for everyone, as almost everyone needs an occasional reminder of basic security do’s and don’ts.