The phrase “shooting fish in a barrel” means something is extremely easy. If that’s the case, then we might want to consider changing it to “shooting phish in a barrel” during COVID-19; it’s phishing season, and it’s getting easier and easier to get a big catch.
Scammers are thinking of a lot of different things when they come up with a scam, but at its core, scamming is a business – there’s a cost-benefit analysis to be done, and if the benefits outweigh the risks, the scammers are going to go forward with their plan.
COVID-19 has tipped the scales in favor of the scammers in two ways. The first is that the cost of phishing is lower – a lot of people are going to take the bait. The second is that the potential rewards are much higher – network security isn’t at its best right now. We’re going to address both sides of this equation; at the end of each, we’ll give you tips to keep your business protected from phishing scams and malware.
The Carrot and the Stick
Computer security is notoriously hard to crack – it’s an arms race weighted in favor of the person playing defense. Humans, on the other hand, can’t be programmed for security in the same way computers can – they make mistakes.
Hackers know this, and they prey on human emotion in order to gain access to networks – that’s what phishing is all about. During the pandemic (and generally), there have been two pretty effective ways for getting people to do what you want – the carrot and the stick.
The “carrot” is anything that incentivizes a behavior by offering a reward. In the case of COVID-19, this reward can often come as a promise of money from the government. Scammers will make an official-looking email, then tell the person they’re phishing to click a link to sign in to PayPal (or some other such site), and capture their login information when they do.
Scammers might also prey on a target’s desire to help others: they might, for example, tell them to download a piece of malware, claiming that it’s software to help the government track COVID-19 cases.
The “stick”, of course, is when someone does something because they’re worried about the consequences if they don’t do that thing. In other words, scammers prey on fear. They may send emails containing links like “video conference regarding staff terminations” – click on that and you’ll be sent to a “Zoom login screen” that’s actually a phishing attack.
Scammers may also pretend to be public health officials, notifying their targets that they “may have been infected with the coronavirus”. A similar tactic takes place – they’ll encourage their target to either download malware or give away their login credentials.
You’re not a Horse
Fortunately, the carrot and the stick tactic is best used on non-human animals. Humans have the capacity for reason – the ability to sense that something is off, or to learn certain signs of danger.
Education is your best protection against COVID-related phishing attacks. Teach your team the basics of avoiding phishing attacks, such as:
- Always verifying the sender of any emails.
- Never downloading suspicious attachments.
- Always checking the URL of websites before logging in.
- Looking for HTTPS.
- Always asking a co-worker if they’re not sure whether or not a message is safe.
- Trusting their gut if something looks suspicious.
You should also emphasize that all COVID-related messages should undergo the utmost scrutiny.
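The URL check from the list above can also be automated for links in inbound mail. This is an added example, not part of the original article; the allowlist, the function name `check_login_url` and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the domains your staff really sign in on; maintain your own list.
TRUSTED_LOGIN_DOMAINS = {"paypal.com", "zoom.us"}

def check_login_url(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return (ok, reason) for a link that claims to lead to a login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if not host:
        return False, "no hostname in URL"
    if parts.username is not None:
        # In https://zoom.us@other.example/ the part before '@' is userinfo.
        return False, f"userinfo before '@'; real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label; may render as lookalike characters"
    if not any(host == d or host.endswith("." + d) for d in trusted):
        return False, f"{host} is not a trusted login domain"
    if parts.scheme != "https":
        return False, "trusted domain but not HTTPS"
    return True, "trusted domain over HTTPS"

# Constructed sample links (not taken from real campaigns).
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.com.account-verify.example/signin",  # HTTPS, wrong site
    "https://zoom.us@meeting-login.example/j/123",
    "http://zoom.us/signin",
    "https://xn--pypal-4ve.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_login_url(link)
        print("OK   " if ok else "BLOCK", link, "->", reason)
```

The second sample is served over HTTPS and still fails, which is why the HTTPS check only counts after the domain itself has been verified.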
At this point, we’ve established that COVID has made life easy for scammers – they prey on emotional responses, and we’re pretty much universally in a place of heightened emotions right now.
That’s bad enough, but things get even worse – there are a ton of people working from home. The consequence of this is that network security has taken a massive hit. Anything from VPNs without the right settings to improperly secured routers can create holes that hackers can use to access your data.
There’s only so much you can do on the employee side to remedy this – not everyone is tech-savvy, so you’ll need experienced IT folks to help ensure everything is secured. Even then, people make mistakes – fortunately, there are a few things you can do to prevent data breaches:
Keeping Things Secure
First, consider using multi-factor authentication for just about everything – use a couple of fairly independent factors, too, like a password and a code texted to the employee’s cell phone number. Multi-factor authentication may slow productivity very slightly, but it makes your security exponentially more difficult to crack.
Second, encourage employees to back up their data on an external drive. This can be particularly useful in reducing the damage from ransomware attacks – if all of their data is backed up, they can simply get new hardware and restore the data.
This is All-Seasons Good Advice
Talking to your employees about phishing scams, encouraging regular data backups, using multi-factor authentication – while COVID-19 may be spurring you to take these actions, this is advice you should really be applying at all times. Scammers take advantage of bad situations in the hopes that people will make bad decisions, but people make bad decisions all the time – rain or shine. Keep these protocols in place in a post-COVID world, as well.