Cybersecurity in the Era of COVID-19

Cybercriminals are constantly changing their attack strategies to take advantage of new situations, and the COVID-19 pandemic is no exception.

They capitalize on our fears and concerns relating to the pandemic to carry out cyberattacks. And, as a result of more people working remotely, more communication and information sharing is happening electronically, which gives cybercriminals more opportunities to attack.

Recent reports by the cybersecurity company Proofpoint describe how cybercriminals are taking advantage of coronavirus fears and using online scams to steal personal and financial information.

Cybercriminals may try to play on your emotions — such as curiosity, fear, worry, and compassion for others — to trick you into clicking on a link, downloading an app, or opening an email attachment. Before you know it, you’ve visited a phishing website or downloaded malware onto your phone or computer.

Scam messages appealing to your emotions can be sent through email, texts, or social media and they can be hard to detect because cybercriminals are doing all that they can to deceive you.

They may be promoting COVID-19 awareness and prevention tips, trying to sell virus-prevention products, asking for donations to a charity, scheduling the “delivery of a package”, or offering advice on unproven treatments.

To add insult to injury, these messages often appear to come from a legitimate business, government organization, online retailer, or even a business partner or friend — making them all the more difficult for you to spot.

Recent COVID-19-related phishing email subject lines that you should be on the lookout for include:

  • 2020 Coronavirus Updates
  • 2019-nCov: New confirmed cases in your City (Emergency)
  • Tax Relief Fund
  • Global Covid-19 Update
  • Important Guidance for organizations and workers to plan and respond to the COVID-19 outbreak
  • Work Remotely Enrollment (Action Required)
  • URGENT COVID-19 Vaccine
  • Early reimbursement due to COVID-19

Stealing Credentials

Some cybercriminals have used COVID-19-related phishing emails to steal user credentials. These emails tend to use urgent language that takes advantage of the tendency that many of us have to “click first, and ask questions later.”

In cyberattacks like these, when you click on a hyperlink in an email, a spoofed login webpage appears that includes a form for you to enter your password. The fake login page may look like it comes from your email provider, bank, or a government agency.

To try and trick you, web addresses will often contain COVID-19-related wording within the URL, such as, “corona-virus-business-update,” “covid19-advisory,” or “cov19esupport.” These pages are designed to look legitimate or impersonate well-known websites. But they are not the real thing.

If you enter your password on the spoofed page, criminals can access your online accounts and steal your personal information. This can then be used to send out more phishing emails using your list of email contacts.
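
The web-address wording described in this section can be turned into a simple link-triage check for a mail filter or help desk. This is an added example, not part of the original article; the trusted-domain list and the sample links are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Lure wording built from the URL fragments quoted in the article
# ("corona-virus-...", "covid19-...", "cov19...") plus "nCov" from a subject line.
LURE = re.compile(r"corona[\W_]*virus|covid[\W_]*19|cov[\W_]*19|ncov", re.I)

# Assumption: a short allowlist of domains the organization really relies on.
TRUSTED_DOMAINS = ("who.int", "cdc.gov")


def is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_url(url):
    """Return reasons a link deserves a second look.

    An empty list means this heuristic found nothing, not that the link is safe.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the host
    if is_trusted(host):
        return []
    reasons = []
    if LURE.search(host):
        reasons.append("pandemic wording in hostname")
    if LURE.search(parts.path + "?" + parts.query):
        reasons.append("pandemic wording in path or query")
    for d in TRUSTED_DOMAINS:
        # Trusted name used as labels of a different domain,
        # e.g. who.int.something.example
        if host.startswith(d + ".") or "." + d + "." in host:
            reasons.append(f"trusted name {d} embedded in untrusted host")
    return reasons


# Constructed sample links (reserved .example names, not real sites).
SAMPLES = [
    "http://covid19-advisory.example/login",
    "https://mail.example/corona-virus-business-update/signin.php",
    "https://who.int.account-verify.example/covid19",
    "https://www.who.int/emergencies/diseases/novel-coronavirus-2019",
    "https://intranet.example/timesheets",
]

if __name__ == "__main__":
    for link in SAMPLES:
        hits = triage_url(link)
        print("FLAG" if hits else "ok  ", link, hits)
```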

Malware

Another type of attack uses COVID-19-related messages to install malware on your computer. Cybercriminals send emails persuading you to open an attachment or download a malicious file from a linked website. When you open the attachment, the malware is installed on your device.

For example, security agencies have seen email messages that install keystroke logging malware onto people’s devices. One email appears to be from the Director General of the World Health Organization; another offers recipients thermometers and face masks to help fight the coronavirus epidemic. The email claims to include images of these medical products, but instead the attachment contains malware.

SMS Phishing

Most phishing attempts come by email, but they can also come through text messages (SMS).

SMS phishing attempts are designed to get you to click on malicious links by using financial incentives such as government payments and rebates. A text message may encourage you to click on a link to apply for financial relief or to see if you qualify for relief. Others state that someone you know has tested positive for COVID-19 and recommend you get tested. The message will ask you to click a link for more information, but instead of information, the link leads to malware that can infect your device and steal your personal information.

Working from Home

The 2020 coronavirus pandemic and subsequent distancing protocols have led to more people working remotely than ever before. If you are working from home, you must be extra vigilant about implementing good cybersecurity hygiene practices. Some things you can do to protect yourself while working from home:

1. Update all of your software, including your operating system and applications. If you haven’t already done so, turn on “auto-update” on all your devices. Updates are important because they often include critical fixes to gaps found in software security. If you rely on remembering to update systems yourself, you put yourself at risk of forgetting.

2. Many wireless routers and devices found in homes, such as remote security cameras and smart speakers, have easy-to-guess default passwords. Take this opportunity to change these to stronger passwords or passphrases.

3. While you’re thinking about passwords, this is a good time to make sure you have updated your account passwords to a passphrase of at least 10 characters and given each account a unique passphrase that you can remember. If remembering long passphrases makes you anxious, try a password manager. These simple programs store your passwords for you, and then you only need to remember one username and password.

4. Whenever possible, enable multi-factor authentication (a password plus one other requirement, such as a text message). This provides a way of double-checking that you are who you say you are when accessing online services and accounts. Do this on all accounts including cloud storage accounts used for data and document sharing.

5. Use company-approved devices and applications to collaborate with coworkers and complete your work tasks. Don’t substitute your preferred, personal-use tools for ones that have been approved by your company.

6. Devices used for working outside an office environment are more vulnerable to theft and damage, so be sure to turn on the screen-lock feature if a device is left unattended. Keep your portable devices with you or in a secure location when you’re not using them. Set devices to log out of your accounts automatically in case you walk away from your computer and forget to log out.

7. Use virtual private networks (VPNs) to access work-related accounts such as email and file services. VPNs create an encrypted network connection that authenticates you and your device, and encrypts data as it moves between the user and work accounts. All VPNs should be updated with the latest software patches and security configurations.

8. Limit access to the device you use for work. Don’t let your family and friends use your work computer or phone.

Online Meetings

As more and more people turn to video-conferencing platforms to stay connected, there have been reports of hijacking (also called “Zoom-bombing”). And in March 2020, the FBI announced they had been receiving reports of online meetings being interrupted by pornographic images and abusive, threatening language. So what can you do to help prevent online meeting hijacking by bad actors?

  • Do not make your meetings public. Make sure you require a meeting password or use the waiting room feature to control who can get into your meeting.
  • Do not share a link to a meeting via a publicly available social media post. Provide the link directly to the people meant to be attending the meeting.
  • Change your screen-sharing options to “Host Only.” If, during the meeting, you need to pass control to someone else, you can do so.
  • Make sure you are using the most up-to-date version of remote access/meeting applications.

The FBI has also warned of an increase in cybercriminals sending emails that appear to be meeting invites from providers like Zoom or Microsoft Teams.

Be extra careful and don’t click on links in emails or text messages unless you are sure the sender and the invitation are legitimate. If you aren’t sure, you can contact the sender asking them if they sent you an invite.

Julia Phelan Ph.D is a learning engineer and co-founder of To Eleven. The name was inspired by This is Spinal Tap (“Why don’t you just make ten louder and make ten be the top number and make that a little louder? Nigel Tufnel : [pause] These go to eleven”). The name embodies the fact that To Eleven goes above and beyond in all they do. To Eleven focuses on the design and implementation of learning experiences for myriad learners and contexts along with consulting and advising services. Julia created a cybersecurity course series for the property management industry focusing on the ‘human element’ of keeping data and devices secure. www.to11solutions.com