Cybersecurity and Fraud Protection
Spotting and Preventing COVID-19 Social Engineering Attacks
Cybercriminals capitalize on instability, which is one reason why COVID-19 social engineering attacks are on the rise. Learn how to identify the warning signs and help keep yourself and your company safe.
During times of widespread fear and uncertainty—like the COVID-19 pandemic—cybercriminals use social engineering to trick people into taking part in their own fraud. By posing as a legitimate business, nonprofit, government or other trustworthy source, fraudsters can manipulate victims into installing malware on personal and business devices or divulging sensitive data such as usernames and passwords, personally identifying information (PII) and financial account information.
Social engineering attacks can arrive through practically any means of communication, but most are conducted via email, social media, phone calls and text messages. Cybercriminals often cast a wide net, targeting both individuals and businesses.
Learn ways to identify and avoid COVID-19 social engineering attacks.
What an Attack Can Look Like
During the COVID-19 pandemic, cybercriminals have employed social engineering attacks such as the following:
- Impersonating global health organizations in emails that contain malicious links or attachments or ask for fraudulent donations to combat COVID-19.
- Creating websites themed around the novel coronavirus that distribute malware, and pandemic-tracking apps that contain ransomware or spyware.
- Sending emails with malicious links or attachments that offer products that are in short supply, such as face masks and other personal protective equipment.
- Posing as a health insurance company that offers COVID-19 insurance plans and sending a malicious link that claims to provide access to an account invoice.
- Conducting smishing (SMS phishing) attacks, in which cybercriminals use text messages to target victims. Some COVID-19 smishing attacks include malicious links that claim to provide information about the virus, free masks or stimulus payments.
How to Avoid Falling Victim
- Be extra vigilant about payment controls and wary of emails that contain an attachment or link. When in doubt, contact your information security or information technology department about a dubious message.
- Reconcile your accounts frequently and confirm that business partners have received payments by calling a verified number. Be cautious with payment and account change requests and pay close attention to whom you are paying.
- With many employees now working from home, keep contact information up to date so your bank can contact you quickly if it detects a suspicious payment.
- Don’t trust any requests for payments or account changes that come in through email alone. Always perform callbacks to the person making the request using a known phone number from a system of record.
- Always perform callbacks when changing the contact information for business partners as well. Don’t simply trust an email asking to change a trusted callback number.
Finally, if you do become a victim of a social engineering attack, immediately notify your bank, file a report with IC3.gov and contact your local FBI field office to notify them of the fraud. Performing these three steps as quickly as possible may increase your chances of recovering funds.