Now more than ever it’s important to heighten awareness of email security. The lines between home and work have become blurred during the COVID-19 pandemic, and it makes the need for vigilant email security practices necessary. Phishing schemes alleging to have information about the COVID-19 pandemic are also increasing in frequency, which makes for a particularly high risk situation.
Organizations of all types and sizes can become victims of cybercrime activity, hacking, and other unwanted network intrusions, which can lead to significant financial disruption and potentially even financial statement audit risks. Management teams and financial leaders can help protect their organization from the costs associated with data loss by supporting enterprise-wide cybersecurity awareness.
In the first of our “phishing during COVID-19” articles, we will take a look at the various types of phishing threats that are out there and how your organization may be able to protect itself from falling victim to these scams.
Implement Your Best Defense
Highlighting the critical thinking and review of emails is a tried and true method for preventing risk associated with phishing. All employees need to be particularly mindful of the requests, links, and content in external, or otherwise, out-of-network emails.
It’s easier to lose focus and forget to review emails critically when working from home, or because everyone is receiving an increase in emails from a wide array of organizations surrounding the COVID-19 pandemic. Vendors of all types may be reaching out about changes in customary business practices, and email fatigue can chip away at the level of awareness. Keep in mind that some recent phishing schemes carry a COVID-19-themed message, so an email that appears to be coming from a trusted vendor may not be as innocuous as it seems.
Educate on What Types of COVID-19 Scams Are Out There
One of the ways leadership teams can help prevent data loss risks involves educating the enterprise about some of the known phishing schemes so everyone knows what types of emails to be aware of, regardless of whether it’s coming to personal or work email addresses.
Emails from “Reputable” Sources
Some of the COVID-19 scams we have seen claim to be coming from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), or other public health offices. In some cases, the sender information is “spoofed” which makes it appear to come from a trustworthy source (such as WH0; but the ‘O’ is actually a zero “0,” thus spoofed). The email or text message may contain a link to a “fake” email login page or fake WHO login page and instructions to enter your user credentials, password or company or personal information.
Right now, cyber actors are preying on the human traits of fear, concern, and curiosity surrounding the coronavirus. These messages may include inaccurate and alarming health information as a distraction or bait for the recipient to open the email, click on the links inside, or provide personal information. Inaccurate healthcare advice is also spreading quickly with false advertisements for coronavirus “cures” or supplements to prevent contracting the virus.
Another example relates to the Small Business Administration’s (SBA) Paycheck Protection Program loans and Economic Injury Disaster Loans. Scammers have created fake email correspondence asking for organizations’ personally identifiable information. Be cognizant that an email with the SBA logo may not be coming from the SBA. A telltale sign of a potentially legitimate email will be the domain name, which should be sba.gov. Legitimate SBA emails should contain a reference to the SBA application number.
Tax season is often accompanied by phishing scams as cyber actors try to access tax returns. Scammers may use the crisis as an opportunity to entice taxpayers into “verifying” their filing information in order to receive their stimulus payments, which are tied to 2018 tax return information, and then use the personal information to file false claims for the stimulus money. Remember that the IRS will not randomly call you, and you should never provide your direct deposit or other banking information for others to input on your behalf into the secure portal, whether that’s through email or over the phone.
Spoofing and Requests Appearing to Come from ‘Internal’ Senders
Another common scam takes the form of “spoofing” emails so that they appear to come from someone within your company. These scam emails may encourage you to click on a link to receive information on company policy or information from your company insurance provider. When emails come from someone familiar, you are far more likely to disregard red flags and download documents, or share personal information. It doesn’t help that most employees are now working remotely, and therefore may be less likely to call or walk down the hall to verify that the person whose email has been spoofed is actually the one making the request.
Cyber actors have specifically targeted the finance department function in their scams. One example that we are seeing more and more of during this remote work environment are emails sent to the controller from the “alleged” CFO (really just a bad actor posing as the CFO). The bad actor tells the controller in the email to “approve and send the $40,000 wire to the vendor as I am on vacation and can’t be reached.” The controller sends the wire based on the “alleged written approval,” and the wire is sent.
Fake Vendor Emails
Hackers are also imitating services that you would expect to hear from, such as your bank or credit card company, Amazon and UPS deliveries, utility companies, and even online retailers, who you may have made purchases from in the past. As a reminder, bank account numbers and credit card information are never communicated via email so everyone should be wary of any email that asks for financial information.
One of the most convincing yet callous scams comes in the form of requesting donations. Charities, churches, food banks, the Red Cross and many more are all reaching out to solicit support. Continue to use good judgment and properly vet any electronic requests for donations. Reputable providers often have “checkout” systems with visible security in place for donations made online.
Text Message Risks
Not all phishing comes through emails. Cyber criminals are turning to text messaging to install malware and steal information, too. If you receive a text from a number you don’t know that includes a short message and a link, never click on it. Following that link can allow hackers to install malware on a phone or steal other information from applications and emails.
Make Information Actionable
One way organizations can help educate employees on safe practices and ensure the message sticks is by distributing an email phishing checklist to help them spot scams and phishing emails. We suggest including the following information as it can be applied at work and at home:
- Remind them that hackers pay attention to what is normal and try to mimic it as best they can to trick readers.
- Review all web addresses and hyperlinks before clicking on them to ensure the actual web address matches and appears to be legitimate.
- Check for accurate logos, spelling, contact information, grammar, etc. as these are telltale signs of a scam.
- Do not use account numbers emailed to you or share account numbers via email; COVID-19 response or not, this is not a good business practice.
- Watch out for pushy language – urgent messaging or immediate action requests are also signs of a scam.
Report Issues, Seek Help
Lastly, organizations should emphasize to their staff, that if a message seems suspicious or out of place, to trust their instincts. If you suspect that you or someone you know has fallen prey to a scam, consider reporting it to the FTC, your cybersecurity provider, or contact our national cybersecurity practice leader at Tiffany.Garcia@cbiz.com.
For more information on the evolving changes we are seeing to business operations in the COVID-19 environment, please see our COVID-19 Resource Center.
Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).