An unfortunate by-product of the current COVID-19 pandemic is the growing trend of phishing attempts using public concern over this crisis to trick people into clicking on malicious links posing as resource information. Phishing scams are hardly new threats but the coronavirus outbreak creates a uniquely strong environment for these scams to be effective. People are anxious for constantly updated and valid information regarding the pandemic. This crisis is particularly ripe for security incidents because COVID-19 has the potential for disruption to both personal activities and businesses. Many company representatives who might otherwise be immune to emails targeting health information are seeking content relevant to supply chain disruption events. This means that in addition to phishing emails from sites posing as government agencies and health organizations, we can expect to see phishing emails from sites purporting to be delivery companies and/or companies providing information on market conditions.

Phishing is a dangerous form of hacking because it provides an entry point for many types of cyber incidents, including identity theft and delivery of malware onto a victim's computer. This can lead to infiltration of the entire user network associated with the ground zero individual. In turn, this can result in global theft of company data (whether it relates to individual employees and customers or other sensitive corporate information). This can also be the entry point for ransomware attacks.

In fact, Check Point Software Technologies, a leading provider of IT security products and services, reported last week that, since January 2020, there appear to have been more than 4,000 coronavirus-related domains registered globally. Check Point’s researchers believe that approximately three percent of the domains registered are malicious, and an additional five percent appeared suspicious.

The result is an environment in which people are more likely to click on links, even from unknown senders, without first confirming the validity of the sender and the link. In addition, in the 24-hour news cycle environment, it is easier for phishing emails to blend in with the high volume of email traffic, which can also lead to reduced diligence. Researchers are discovering new campaigns daily, one egregious example being a campaign in the form of a phishing email with a PDF offering coronavirus safety measures. When opened, malware is loaded onto the user’s computer.

Many of these hacks are particularly effective at avoiding traditional firewall protections. Anxious to stay on top of this information, people often forget to confirm URL validity before accessing sites or opening attachments. Knowing this, many fraudsters use links to fake maps which appear to track the progress of the pandemic, and to information purporting to come from legitimate and respected health resources. These fake sites contain malware that steals usernames, passwords, credit card information and other data stored in browsers. In some cases, users are eventually sent to the legitimate site (after providing passwords and other information to the hacker).

Pitfalls to avoid include the following:

• Use common sense – does the sender appear to be a legitimate source of information? Do not click on everything that shows up in your inbox.
• If an email asks you to click on a link or open an attachment, continue to validate first. To do this:
• Scroll over the link to see if the full address is consistent with the sender identifier;
• Check closely for misspellings in the sender name (close to a legitimate name but not quite right);
• Check for odd content in the email (for example, the salutation identifies you as “Dear Ms. L. Smith” instead of “Dear Ms. Smith” or “Dear Lisa”); and
• Do not be embarrassed to call the sender to verify the email came from that person (do not reply to the email).
• Watch out for links to non-profits asking you to donate in relief. If you want to make a donation, go straight to the non-profit’s website.
• Never click on a link asking you to reset your password. If in doubt, go straight to the website, log in, and use the formal password reset procedure. Similarly, do not provide personal information, including financial information via an email link.
• Implement and use dual authentication protocols. Keep computer systems up to date, including all security protections.
• When in doubt, do not click. It is better in this environment to be overly suspicious.
• Businesses should already be routinely testing their environments and providing security education and training for personnel. This is the time to remind everyone of these protocols.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

[View source.]