It was inevitable cyber criminals would jump on the opportunity to use the COVID-19 pandemic as a pretext to target the public – and so they have. Cyber criminals are filling the information void and tricking users by capitalizing on the crisis using email, SMS and voice phishing scams [see COVID-19 Phishing Examples and Guidance (Updated)]. With the shift to work from home, employers should be increasingly concerned about their employees’ overall cyber hygiene, and should morph their awareness communication from a purely corporate standpoint to a mix of corporate and personal awareness education. They should also be sure to communicate issues around highly publicized programs like the U.S. government’s taxpayer stimulus and Payroll Protection Act.
The security team for a financial services company is seeing an increase in phishing and impersonation emails since the COVID-19 pandemic began. Specifically, the team asks:
- With all the disruptions and distractions, how can we keep employees focused with security in mind?
- Can IANS provide some awareness messaging to help employees in this time?
Educate Users on Both Personal and Corporate Threats
Traditional security awareness programs focus primarily on protecting the enterprise from threats, with users’ personal online safety only a secondary consideration at most. During this time of increased work from home, however, the threat model has changed. Employers should consider how they will educate work-from-home employees on both personal and enterprise threats.
It’s no secret the mass migration to work from home has lowered many employees’ productivity. This is to be expected as employees adapt to new workflows. However, it has been compounded by the background stress of a pandemic, economic uncertainty and social isolation. Employees who fall victim to online scams lose further productivity, further hurting enterprise operations. For this reason alone, employers should shift their awareness messaging and education to focus on personal security issues in addition to corporate threats – at least until the pandemic situation stabilizes.
Crafting Effective Security Awareness Campaigns
When crafting security awareness campaigns, it is important to understand why people are tricked by scams in the first place. The two primary reasons users fall for phishing pretexts of any variety are because they:
- Are called to action.
- Desire to exit a state of confusion (filling an information void).
COVID-19 offers opportunities for attackers on both counts. People are desperate for information, and they are being given constantly updated guidance on how to adapt to remote work, stop the spread of the disease and other “helpful tips” for dealing with COVID-19.
The calls to action seen in most phishing emails relating to COVID-19 involve one of three actions:
- Click here for more information.
- Log in for more information.
- Open this spreadsheet for information.
A comprehensive security awareness and education program should cover all three.
We have seen relatively little business-to-business-focused phishing related to COVID-19. However, business-to-consumer phishing is substantial. Practically every business with an email list has used the COVID-19 opportunity to send a “what we’re doing for COVID-19” email, creating a ridiculous amount of cover noise for attackers in the process. This has set the stage for users to expect these emails and will likely lead to a higher percentage of users treating them as legitimate. Any education program must teach users how to differentiate the malicious messages from the benign.
The following are examples of personal security-focused messaging organizations should consider sending around two areas critical to employees trying to work through the pandemic: stimulus payments and payroll protection.
To the workforce:
As you have probably heard, the federal government approved a stimulus package that will give many Americans money in the form of tax credits (some are referring to these as “stimulus checks”). There is no clear guidance yet on precisely when these will be delivered, but you should receive the stimulus payment through the same direct deposit used for your 2018 or 2019 taxes (whichever was filed most recently). If you received a paper refund check (or did not receive any refund), you should expect a paper check. The amount of your personal/family stimulus depends on your adjusted gross income (AGI) for the last year you filed taxes (2018 or 2019).
Unfortunately, scammers have already seized the opportunity to fill the information void around stimulus payments and have begun distributing phishing emails asking people to update their direct deposit information to receive their stimulus. Do not click any link in an email discussing the stimulus, even if it appears to come from your bank or the IRS.
If you believe action is needed, type the domain of the organization into your browser manually and go there instead. If the email is legitimate, there will certainly be a link on the website taking you to the appropriate page on the website. Alternatively, you can call the organization for more information. However, be sure not to use phone numbers provided in the suspect email.
Attackers also have constructed scams offering to help people get additional stimulus money under pretexts like “maximize your stimulus check.” Be immediately suspicious of any such offer and report it to corporate security immediately.
Under no circumstances should you open any attachment claiming to have information about the stimulus unless it is communicated through our normal corporate communications channels. You should expect to see additional information from corporate communications about the stimulus by <insert date>.
As always, if you have questions about a specific email or phone call, feel free to contact corporate security at <insert email/phone> and we’ll be happy to help.
To the workforce:
As you may have heard, Congress passed what is being referred to as the “Payroll Protection Act,” which offers loans to certain small businesses to help them weather the economic downturn resulting from COVID-19. As you are probably aware, many of our suppliers and clients are small businesses that would benefit from the loans guaranteed by the Payroll Protection Act.
Our organization [is/is not] considered a small business under the act, but in any case, we will not contact you by email asking for specific information related to this stimulus, because our human resources (HR) department already has all the information it needs.
Unfortunately, many attackers are using news around the Payroll Protection Act as a pretext for getting suppliers to fill out information in Excel workbooks. These spreadsheets carry macros that supposedly must be enabled to see the content, but the same macros also deliver malicious content along with the worksheet.
If you receive any request for information relating to the Payroll Protection Act or Small Business Administration loans, please forward the email to the information security department for action. The phishing documents observed so far have demanded immediate action from the recipient, but this demand should not cloud your judgment on proper security practices. The information security department will determine whether the request is legitimate and contact the appropriate department for action (and will inform you of the status).
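A triage helper for the security department the messages above ask employees to forward to. It is an added example, not part of the IANS report, and pairs the pretext language described here (stimulus, Payroll Protection Act, SBA loans, urgency) with the three calls to action the report lists: a link to click, a login lure, or a workbook to open. The macro check inspects the OOXML container for xl/vbaProject.bin, where Excel stores VBA code; the term lists and the sample workbook are constructed for illustration.

```python
import io
import re
import zipfile

# Illustrative term lists built from the pretexts this report describes
# (stimulus payments, Payroll Protection Act, SBA loans) and the urgency
# language seen in the phishing documents. Constructed for this example,
# not a production signature set.
PRETEXT_TERMS = ("stimulus", "payroll protection", "sba loan", "direct deposit")
URGENCY_TERMS = ("immediately", "urgent", "action required", "within 24 hours")


def workbook_has_macros(data: bytes) -> bool:
    """True if an OOXML workbook (.xlsx/.xlsm) contains a VBA project.

    Excel keeps macro code in xl/vbaProject.bin inside the zip container,
    so the check does not depend on the file extension the sender chose.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(subject: str, body: str, attachments: dict) -> dict:
    """Score one message against the calls to action described in the report."""
    text = f"{subject}\n{body}".lower()
    pretext = [t for t in PRETEXT_TERMS if t in text]
    urgency = [t for t in URGENCY_TERMS if t in text]
    macro_files = [n for n, d in attachments.items() if workbook_has_macros(d)]
    has_link = re.search(r"https?://\S+", text) is not None
    # Escalate when a stimulus/PPP pretext is paired with a call to action
    # (a link to click or a macro workbook to open) or with pressure to act fast.
    escalate = bool(pretext) and bool(macro_files or has_link or urgency)
    return {"pretext": pretext, "urgency": urgency, "macro_attachments": macro_files,
            "has_link": has_link, "escalate": escalate}


def build_workbook(with_macros: bool) -> bytes:
    """Constructed stand-in for an attachment: a minimal OOXML zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample modeled on the Payroll Protection Act pretext above.
    print(triage("Payroll Protection Act supplier form - action required",
                 "Enable content in the attached workbook and return it immediately.",
                 {"ppp_form.xlsm": build_workbook(True)}))
```

Anything the helper escalates still goes to a human analyst; it only orders the forwarded queue so the messages matching the report's pretexts are looked at first.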
In the weeks ahead, we should continue to expect more COVID-19-related emails. As situations on the ground change (including changes to shelter-in-place orders), phishing pretexts will certainly evolve. Organizations should promptly warn their workforce about the phishing pretexts likely to target them, to keep employees engaged on both the personal and enterprise security issues surrounding COVID-19.
COVID-19 and InfoSec: What You Need to Know, April 6, 2020
COVID-19 Phishing Examples and Guidance (Updated), March 31, 2020
Indicators of Compromise: Identify the Latest COVID-19 Attacks, March 20, 2020
Poll: Likely COVID-19-Themed Attack Vectors, March 17, 2020
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.