In addition to generating an unprecedented public health crisis, the novel coronavirus (“COVID-19”) has also created a range of noteworthy cyber risks that pose significant security threats to the networks, systems, and data of businesses across all sectors. Notably, in recent weeks a sharp rise has occurred in social engineering cyber scams targeting employees with malicious content tied to COVID-19. The ongoing uptick in social engineering attacks has been so drastic that it recently prompted both the Federal Bureau of Investigation (“FBI”) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) to issue alerts warning businesses of this markedly increased cyber threat. Accordingly, businesses must be aware of this burgeoning security threat and take proactive steps to mitigate risk, which will only increase as the COVID-19 crisis deepens further.
COVID-19: The Perfect Ingredient for Social Engineering Schemes
Cyber criminals are notorious for quickly adapting their social engineering schemes to take advantage of major events and flashpoints, such as natural disasters and terror attacks. The current public health emergency created by COVID-19—and the resulting fear, anxiety, and uncertainty that continues to grip the public, as well as our desire for information on the pandemic—presents the ideal opportunity for exploitation by fraudsters. As the COVID-19 crisis began to make headlines in January of this year, cyber criminals adapted their attacks to integrate more themes playing on the burgeoning health crisis.
FBI Alert Warns Against the Rise in COVID-19 Social Engineering Schemes
In recent weeks, there has been a sharp increase in the frequency of social engineering attacks seeking to exploit the growing health emergency. The spike has been so drastic that the FBI issued an alert cautioning against the heightened risk of social engineering schemes being carried out under the guise of the pandemic.
In particular, the FBI warns of e-mails claiming to be from the Centers for Disease Control and Prevention (“CDC”) or other organizations purportedly offering information on the virus, as fraudsters are using the links in these e-mails to deliver malware or conduct ransomware attacks. The FBI also advises of the risk posed by websites and apps claiming to track COVID-19 cases, as criminals are likewise using malicious websites to carry out ransomware attacks.
The FBI also highlights the specific threat of phishing e-mails asking recipients to verify personal information in order to receive an economic stimulus check from the government, and notes that government agencies will never send unsolicited e-mails seeking private information in order to send money. The FBI further reports an influx of phishing e-mails claiming to relate to charitable contributions, general financial relief, airline ticket refunds, fake cures and vaccines, and fake testing kits.
CISA Joint Alert with UK Further Warns Against the Elevated Social Engineering Risk
The recent surge of cyber attacks tied to COVID-19 also prompted CISA to issue a joint alert with the United Kingdom’s National Cyber Security Centre (“NCSC”) warning against the continued exploitation of the COVID-19 pandemic by cyber criminals and nation-state hackers. These actors use social engineering to entice users to carry out specific desired actions, such as clicking on links, downloading apps, or opening files (including e-mail attachments), that lead to phishing websites or allow malware and ransomware to be deployed.
To create the impression of authenticity, cyber criminals are spoofing sender information in malicious e-mails to make it appear that these messages are originating from trustworthy sources, such as the World Health Organization (“WHO”) or an individual with “Dr.” in their title. Another common technique is for malicious actors to send phishing e-mails that contain links to fake e-mail login pages. Similarly, other e-mails will purport to be from an organization’s human resources department, advising an employee to open an attachment.
Importantly, CISA notes that both cyber criminals and nation-state actors are likely to continue using social engineering schemes to exploit the pandemic in the coming weeks and months through the use of a range of different types of cyber attacks, such as:
CISA notes that it has observed a large volume of phishing campaigns using the social engineering techniques described above, and which include e-mail subject lines such as “2020 Coronavirus Updates” and “2019-nCov: New confirmed cases in your City.” In most instances, these e-mails also contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.
At the same time, social engineering-related phishing attempts are also being carried out by other means, such as “smishing”—social engineering through text messages (“SMS”). Similarly, “vishing”—social engineering that leverages voice communication—is also being deployed in current COVID-19 scams. This technique, which takes advantage of the public’s misplaced trust in the security of phone services, is often combined with other forms of social engineering that entice a victim to call a certain number and divulge information.
To mitigate the elevated risk of social engineering scams tied to COVID-19, businesses should consider the following best practices:
Cyber criminals are continually adjusting their tactics to take advantage of new situations, and the current COVID-19 public health crisis is no exception. Malicious actors are working feverishly to take advantage of the public’s concern over the health crisis and its high appetite for COVID-19-related information, which presents a prime opportunity to utilize social engineering methods to deliver malware and ransomware, and to steal user credentials.
As such, both businesses and their workers must remain vigilant. In particular, it is critical that companies keep their workforces fully informed of all evolving cyber threats in order to minimize the risk of experiencing a potentially catastrophic security or data compromise event.
As part of its COVID-19 Task Force, Blank Rome’s Cybersecurity & Data Privacy team can assist with providing key counseling and guidance with respect to any issues or concerns relating to the increased threat of COVID-19 social engineering schemes, as well as other policies, procedures, and protocols that your organization should have in place to minimize the risk of social engineering scams to the greatest extent possible. And if your organization suffers a successful social engineering attack or other type of security incident during the ongoing public health crisis, Blank Rome’s data breach incident response team is available 24/7 and can provide immediate assistance with rapid response and crisis management following any type of breach or security event.