Like a lot of you, I’m pretty glued to the news these days, trying to balance unease with calm realism. In trying times like these, we look for resources for critical information and ways to help people less fortunate than us. That’s the good news; the better angels of our nature see difficult situations—fires in Australia, global pandemic, or violent weather—and think: what can I do to help? Most people have big hearts.
The bad news is that there are folks who see these kind acts and seek to profit off our good natures. They’ll try to take advantage of you in this sensitive time. Like we need another thing to worry about.
For example, I’ve been keeping an eye on the Johns Hopkins Coronavirus Resource Center. It has a great interface and real time data. Some cybercriminals agreed, so they started selling a ready-made kit that uses the map to spread malware. This version loads up malicious .jar files—Java files—that can be run directly in a browser. There’s a warning, but if you allow it, you could be installing password stealing software on your computer.
I’m sure you’ve been getting a lot of emails lately about the coronavirus and how you can shift your behaviors now that it has affected our reality. Since we’re opening a lot of these emails looking for information, malicious hackers have found themselves a new phishing strategy. Since January of this year, over 4,000 coronavirus-related domains have been registered. Emails coming from these domains are 50% more likely to be malicious when compared with other domains registered during this period.
To help defend yourself against these scams, we asked our director of information security, Lynn Ballard, about how to guard ourselves against scams. Here’s what she had to say:
“As a security professional, these attacks are frustrating but there are things we can do to help protect ourselves:
- Your company can sandbox inbound email. This technique allows you to inspect the email attachment before it reaches your employees’ inbox. Also, incentivizing employees’ good email hygiene behavior (not clicking on unknown attachments or URL links and reporting suspicious emails) helps reinforce overall security awareness.
- As individuals at work, school, or home, you can do your part by considering what links in emails you click on. It’s ok to be skeptical of emails! For example, if you get an email from your bank with a link to their website, go to the browser and log in to your account directly rather than clicking on the email link. Also, be cautious of attachments in emails; malware can be embedded in Docx, PDF, and MP4s.”
If you get an email from a trusted agency, like the World Health Organization or the CDC, be extra suspicious. The WHO says that there have been a lot of phishing emails appearing to come from their offices. While email addresses can be spoofed—malicious mailers can make an email appear to be from anyone—view all link URLs before going to those websites.
Phishing scams often prey on your sense of urgency to get you to act without thinking. This is when you need to take a moment and consider whether this is a genuine email in need of your attention or something you should trash. Very few emails are as urgent as they claim; the situation may require fast action, but it’s still important to stay calm and take proper precautions to avoid attacks from cybercriminals. Slow down and proceed calmly.
In fact, that’s good advice for us all right now. Slow down. We’re hurrying through our inboxes to tie up loose ends before our next meeting, so we run on our finely tuned instincts. But in times of stress, we need to pay extra attention and proceed with caution. Malicious actors prey on stress, but preparing and examining emails before you act can prevent the worst of their actions.