Savvy cybercriminals understand how headlines can be used to exploit vulnerable users through digital messaging, like email. These bad actors follow ongoing news, often taking advantage of major world events, such as natural disasters, to capitalize on the fear, anxiety, and uncertainty that could cause recipients to pay less attention to the legitimacy of an email. To think of it another way: the bait on the hook may change from grasshoppers to worms, but it’s still a hook.
The latest hook? The pandemic. Since nearly every individual and organization is impacted by COVID-19, everyone is a potential target for these cyberattacks, especially those without cybersecurity experience, namely small businesses. Attackers have used lures such as vaccinations, stimulus checks, and small business loans to entice unsuspecting victims looking to protect themselves from the impact of the pandemic.
In the wake of COVID-19, cyberattacks have surged. A recent report by Google’s Threat Analysis Group showed that over 18 million COVID-related malware and phishing attacks are attempted daily through their systems––and that’s just through Gmail. To add to the staggering amount of attacks targeting inboxes, an additional 240 million COVID-related spam messages are sent daily. Another study, conducted by IBM X-Force, suggests that small businesses are the primary target of these attacks––nearly 40% of small business owners surveyed indicated they’ve received COVID-related scam emails. One of the most popular scams being utilized by cybercriminals includes posing as a Small Business Administration (SBA) official offering COVID-19 relief funding as part of the SBA’s relief program. It’s important for small business owners to understand what these attacks look like in order to protect themselves, and their businesses, from financial loss.
The first step is identifying attacks and understanding what they might look like to the victim. The primary types include phishing and malware. Phishing attacks are aimed at gathering sensitive information or finances from recipients. Cybercriminals make phishing attacks difficult to discern from legitimate emails to trick recipients, often posing as legitimate senders, like banks or coworkers, by using similar email addresses to collect personal information or induce financial payment.
Cybercriminals use malware to target both individuals and businesses with malicious software designed to corrupt data or gain access to networks. The goal of malware-laden messages is to get end-users to unknowingly download malicious software through an unsuspecting file or hyperlink. Cybercriminals use malware to monitor activity, gather sensitive data, or corrupt files to hold for ransom.
The most basic advice is: if it seems too good to be true, it is. Some additional precautions to protect you and your business from falling victim to a COVID-19 digital attack include:
- If you don’t know the sender, don’t open the email and don’t click any links.
- Legitimate organizations will never request you to confirm sensitive information, like passwords or financial information via email.
- Legitimate organizations will most likely address you by your name. “Dear sir” or “dear customer” are indicators that the sender doesn’t know you and is likely posing.
- Be on the lookout for spelling and grammatical errors. Legitimate organizations often are meticulous in their communications; cybercriminals are not.
- Stay up to speed. If the content of a message contradicts what you’re hearing in the news, assume the intent of the email is nefarious.
- Pay attention to warnings within your email client—if your mailbox provider is doubting the authenticity of the message you should too.
- Make sure your software is up to date. This includes spam filtering, antivirus software and your operating system. Make sure updates and backups are up-to-date.
- If you’re looking for information about the virus then go to the sources such as the CDC, WHO, FEMA, your local state and county government, or https://www.coronavirus.gov/ these are legitimate sources of information. You should be concerned if the information reaches you out of the blue and unsolicited.
Small business owners should be focused on the safety of themselves and their families, not the risk of being one click away from financial disaster. Undoubtedly, this pandemic will lead to the development of stronger threat indicators, industry cooperation, and robust processes to better protect businesses, both large and small, and private citizens from cyberattacks. In the meantime, everyone must educate themselves and remain alert to the threat of email phishing to better protect themselves and their businesses from exploitation.
Len Shneyder is Co-Chair of the Communication Committee at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) a nonprofit where industry comes together to work against botnets, malware, spam, viruses, DoS attacks and other online exploitation to fight online abuse, and VP of Industry Relation at Twilio.