Millions of people across North America have changed their daily work routines over the last few weeks. More emails and video conference calls. Less travel and trips to the office. Revised tax filing deadlines. Small business loan applications. Constant updates to news sites and CDC recommendations. And all the anxiety that comes along with such changes.
Unsurprisingly, hackers and cybercriminals are taking advantage of all the confusion surrounding the COVID-19 pandemic. Phishing emails, phone calls purporting to be from the IRS, and fake web links are proliferating. The targets are diverse: frazzled employees receive fake text message requests from someone impersonating their boss. Hackers try to hijack video meetings. And phony emails try to spoof bank alerts, health agency communications, and even the ever-popular donation drives that strive to support health care workers.
The end goal of all of these efforts is data compromise, identity theft, and other forms of illicit online activity. So how can you keep yourself, your business, and your data safe during these trying times?
1. Use caution with any request for verification of personal and/or banking information.
This is the most common form of phishing: impersonating someone via email, text, or phone to try to convince the recipient to share sensitive information. Be wary of these requests, particularly if they seem out of the ordinary or arrive via channels you’re not used to. If anyone is asking for your username, your password, your date of birth, your Social Security number, or your bank account information, take a second to consider the source and the setting before you respond.
2. Keep video meeting links private.
The practice of hijacking or gate-crashing video calls has exploded over the last few weeks. Some bad actors try to shock participants with disturbing content, while others lurk to try to steal sensitive information. Security experts urge users to keep meeting links and logins unique and private to avoid unwanted participants. Consider adding waiting rooms that allow meeting hosts to vet participants before they join, and change settings so that only the host can approve a screen share. Need HIPAA- or GDPR-compliant video conferencing tools? A trusted IT provider like CMIT Solutions can help you deploy easy-to-use solutions.
3. Examine sender details, domain names, and recipient lists for clues.
A user’s display name (First Last) should match their sending address (firstname.lastname@example.org) — if it doesn’t, that’s a quick clue that an email could be suspicious. Also look for hard-to-catch misspellings in the domain name (example.com vs. exannple.com) and recipient lists that don’t show anything in the To: field (or display a long list of unrecognizable emails). Often these can tell you whether an email is real or not before you even read the body copy.
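The three header clues from tip 3, automated as an added example (not part of the original article). The allowlist `KNOWN_DOMAINS`, the 0.8 similarity cutoff, and `MAX_RECIPIENTS` are assumptions chosen for illustration, and both sample messages are constructed.

```python
import difflib
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: domains the recipient really corresponds with (hypothetical allowlist).
KNOWN_DOMAINS = {"example.com", "example.org"}
MAX_RECIPIENTS = 10  # assumption: what counts as a "long list" of recipients

def lookalike_of(domain):
    """Return the known domain this one imitates, or None if exact or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        if difflib.SequenceMatcher(None, domain, known).ratio() >= 0.8:
            return known
    return None

def check_headers(raw):
    """Return a list of warnings for the header clues described in tip 3."""
    msg = message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    # Clue 1: the display name (First Last) should appear in the sending address.
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 1]
    if tokens and not any(t in local for t in tokens):
        warnings.append(f"display name {name!r} does not match {addr}")
    # Clue 2: a near-miss spelling of a domain you know.
    imitated = lookalike_of(domain)
    if imitated:
        warnings.append(f"domain {domain} resembles {imitated}")
    # Clue 3: nothing in the To: field, or a long recipient list.
    recipients = [a for _, a in getaddresses(msg.get_all("To", [])) if a]
    if not recipients:
        warnings.append("To: field is empty")
    elif len(recipients) > MAX_RECIPIENTS:
        warnings.append(f"{len(recipients)} recipients in To:")
    return warnings

# Constructed sample messages (not real mail).
SUSPICIOUS = ("From: Jane Doe <billing-alerts@exannple.com>\n"
              "To: undisclosed-recipients:;\n\nbody\n")
LEGITIMATE = ("From: Jane Doe <jane.doe@example.com>\n"
              "To: sam@example.org\n\nbody\n")

if __name__ == "__main__":
    for warning in check_headers(SUSPICIOUS):
        print("WARNING:", warning)
```

A clean result only means these three clues are absent; it does not prove the message is genuine.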
4. Avoid clicking every link in an email or opening attachments.
Even if a message purports to be from the U.S. Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO), don’t just blindly click all the links included in it. Instead, hover over the URLs with your mouse to ensure the display link matches what’s written in the email. If you see long strings of unfamiliar characters, don’t click them; manually type out the website you want to visit as an alternative to ensure accuracy. The same goes for email attachments. Whether they’re PDFs, JPEGs, MP4s, or other file types, if you’re not expecting that specific file from a sender, don’t click on it.
5. Look for certain grammatical mistakes or clunky phrases that indicate a phishing or spamming attempt.
Notice a misspelling, a lowercased word in a company name, or another awkward sentence in an email? It could be junk. In supposed IRS communications related to the recent law that sends most Americans a $1,200 check, scammers will try to employ phrases like “stimulus check” or “stimulus payment,” where the official term for the payment is “economic impact payment.” With those payments scheduled to start deploying to taxpayers’ bank accounts this week, expect an uptick in scams surrounding them.
6. Be wary of account status notifications.
Many emails will claim to be from Amazon, Facebook, or other popular platforms and try to inform a user that his or her account has expired or that credit card information has to be updated. To fend off this kind of attack, don’t click suspicious links in an email; instead, navigate to the home page of the website in question, log in safely and securely (hopefully using multi-factor authentication), and then verify your account’s status that way.
7. Don’t engage with potential scammers on the phone or via email.
Many of us may be tempted to try and stand up against a phishing attempt or scam attack. But engaging with illicit callers or responding to suspicious emails may only lead to further targeting from cybercriminals. If you think you’ve received a disingenuous email, flag it as junk or spam so your email filters and IT support team can identify future attacks. And if you get a spam phone call, simply hang up, then block the number from contacting you again.
8. Help vulnerable people know what to look for.
Scammers understand that their easiest targets might be those who have the lowest level of technological literacy. That’s why phone scams often target senior citizens, text message schemes often go after teenagers or college students, and email-based social engineering attempts often try to discern certain employees who send, receive, and reply to more messages than anyone else. When it comes to the IRS, the government agency never calls—instead, they send letters. If you get a text message that looks fishy asking you to verify information, resist the urge to reply right away. And keep your eyes peeled for emails using the steps outlined above.
Hackers count on unsuspecting users clicking on illicit links, downloading malware-loaded attachments, and sharing personal information. If we all practiced better IT hygiene, many of the tools in their arsenal would be rendered useless.
At CMIT Solutions, we protect businesses and employees from evolving cybersecurity threats, deploying the right tools to train your employees to serve as the first line of defense in weeding out bad actors. Contact CMIT Solutions today to protect your data, your people, and your business.