Watch Out for Scams and Phishing Campaigns

Cybercriminals are actively targeting remote workers right now because of the COVID-19 pandemic and are using coronavirus-oriented scams to do it. Reports indicate many remote workers let down their guard because they are at home and are busier and more anxious than usual. Recent scams have duped the unprepared by using messages with false claims of positive COVID-19 test results, claims that emergency work protocols were being implementing by the user’s employer or the government and coronavirus-oriented websites and heat maps laced with malware. While the packaging of these scams may be new, the trick is the same one we are all used to. The bad guys want us to believe that we need to click on or open an attachment or link that downloads malware or allows them to steal our credentials. There are too many examples of this to list but below are a couple of recent alerts from federal agencies with useful information about specific scams and how to avoid them.

• There was a recent joint alert from the U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), titled “COVID-19 Exploited by Malicious Cyber Actors. See https://www.us-cert.gov/ncas/alerts/aa20-099a.
• The Social Security Administration (SSA) has also issued a “Coronavirus-Related Medicare Scam Alert to warn Medicare beneficiaries of scammers who are using the pandemic to try to steal their Medicare number, banking information and other personal data. See https://blog.ssa.gov/coronavirus-related-medicare-scam-alert/#more-4730.

These scams and phishing campaigns can typically be avoided if you understand certain characteristics of the scams and scammers. Understanding these concepts below should allow you to safely navigate your incoming emails:

• Be Cautious About Opening Attachments or Clicking on Links – No one should open any documents or links in any email or text that comes from an unidentified or suspicious source. Files and links can contain malware that can weaken your computer’s security or compromise an entire system. Even unexpected messages or emails from friends or family members’ accounts should be scrutinized because they can be hacked or compromised.
• Focus on the Email Address – Phishing usually involves obviously untrustworthy email addresses. You can check an email address by right-clicking on it or by drafting a reply email (without sending it).
• Scams Are Urgent – Most scams and attacks attempt to induce panic and cause the recipient to act before thinking or investigating the authenticity of the request. They do this by falsely claiming urgency or sending the request at odd hours or just before or after the weekend.
• Bad Spelling, Grammar or Formatting – Phishing messages are notorious for containing misspelled words, poor grammar and inappropriate indentations, returns and spaces.
• “Click Here Messages – A hallmark of scam emails is virtually no message at all. Many scam emails contain just a link with a sentence fragment. Think twice when you receive such a message!
• Financial, Wire or ACH Information is a Red Flag – Most credible businesses would not email you about ACH, wire transfers or other payment information, nor would they solicit sensitive personal information or payment information through unencrypted channels like email or text messages.
• Mismatched Email Address Information – Make sure the name of the sender matches with the email address displayed in the “From: field. If there is no match, it is untrustworthy.
• Generic Signature Line – Messages from a business or professional should contain a familiar signature block, disclaimer, and have credible contact information.
• Unexpected Requests for Information – Be extremely wary of following links or answering questions from contacts you did not initiate or that seek personal information.
• When in Doubt, Don’t Click! – Whenever you are unsure of the legitimacy of an email, text or communication, pick up the phone and call the person/company that supposedly sent you the message or go to your account or the website on your own. There is no need to rely on a link to a website or your account in an email when you can navigate there on your own. Doing so removes the risk and allows independent verification.
• Protect Your Credentials – Cybercriminals are often attempting to steal user’s credentials so they can get into your system and spread malware. If you are ever prompted to enter your credentials outside of your work network or in a manner that is unusual, don’t do it. Contact your IT resource with questions and validate the process first.
• Do Not Feel Compelled to Open/Click – Always remember, your job description does not include “open every single email message sent to you. When in doubt, do not open the attachment or click through to the link you have been sent. If you do not recognize the sender and are not expecting the message, then it is probably not important so don’t feel compelled to figure it out. Put it aside and review it again later or wait to see if the sender follows up.

If you have any questions or would like to schedule a consultation about data security practices please contact Kurt E. Bratten, Shareholder, at (518) 694-5678 or via e-mail at kbratten@oalaw.com.