Cybercriminals Working Harder During Coronavirus

6/26/2020

By Charlie Kerwin

SVP, Information Security


How do you tell “fake” from “real”? When it comes to your digital life, there are ways to take charge. The first step is to be aware of potential cybercrimes; step two is to know how to react when you spot one.

Fake Contact Tracing Text Messages

Scammers are using COVID contact tracing as a cover for gathering your personal data.

According to the Federal Trade Commission (FTC), here’s how it’s supposed to work:

“People who had contact with someone infected with COVID-19 may first get a text message from the health department, telling them they’ll get a call from a specific number. The tracer who calls will not ask for personal information, like a Social Security number. At the end of the call, some states ask if the contact would like to enroll in a text message program, which sends daily health and safety reminders until the 14-day quarantine ends. But tracers won’t ask you for money or information like your Social Security, bank account, or credit card number. Anyone who does is a scammer.”

Fake Stimulus Emails

The FTC also reports that scammers are using stimulus payments as a way to get between you and your money and/or your identity. The FTC says you should never respond to an email that claims to come from the Internal Revenue Service, the organization issuing the payments. Submit all information to the IRS at irs.gov/coronavirus. According to the IRS, “The IRS won’t contact you by phone, email, text message, or social media with information about your stimulus payment, or to ask you for your Social Security number, bank account, or government benefits debit card account number. Anyone who does is a scammer phishing for your information.”

Fake Package Delayed/Delivery Emails

The FTC reports that a phony “delivery failure notification” email is making the rounds. You’ll get an email that looks like it’s from the postal service and says you missed a delivery. The email tells you that, to get the delivery, you should print the attached form and take it to your local post office.

In fact, the email is bogus; there is no package. If you download the attachment or click on a link, you’re likely to end up with a virus or malware on your device.

Fake Voicemail Notifications

Attackers are using fake voicemail messages to gain access to business correspondence and other confidential commercial data.  How? By sending you an email noting you have a new voicemail message.  The body of the message gives you the time and length of the message and an intriguing preview of the message. For example: “Just checking in…” “Here’s a reminder…”

To hear the full message, you need to click the link and land on a web page where you’re presented with a Microsoft Outlook login screen . . . only it’s not. If you “sign in,” the criminals will likely have the user name and password you use to log on to a company device.

Fake Termination Phishing

Cybercriminals are combining the fear of being laid off with online meeting invitations to steal passwords. The meeting invites are heavy on scare tactics, using words like “termination” and “critical” to alarm readers.

But go back and reread that invitation before you accept it. Look for awkward wording. You might see a misspelled word or two and run across some awkward sentences. Examples include: “You need be in this critical meeting,” or “You are equally expected and required.”

Next, look at the meeting link. You might be taken to a website that looks a lot like Zoom or GoToMeeting. But are you on “Zoom.us” or “gotomeeting.com”? To make sure you’re on the real site, click the padlock icon next to the site’s address to view information about its SSL certificate, which confirms the owner of the website. Next, take a close look at the login screen. Are you asked for more than your username and passcode? If so, it’s likely someone is phishing for data.

Fake Meeting Invites

Just like Fake Termination Phishing, Fake Meeting Invites encourage you to input data that criminals can use for other purposes. So check the meeting details before accepting the invitation. Were you expecting the meeting? Was the meeting generated by your company’s online meeting provider? (Check the URL!) Are you being asked to provide more than your user name and password?

If ever in doubt, check with the meeting organizer before you accept the meeting.
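The "check the URL" advice in the two sections above can be automated, for example in a mail filter or help-desk tool. The following is an added example, not part of the original article: the function name, the trusted-domain set and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the meeting providers your organisation really uses. The article
# names zoom.us and gotomeeting.com; adjust the set for your environment.
TRUSTED_DOMAINS = {"zoom.us", "gotomeeting.com"}


def classify_meeting_link(url):
    """Return (verdict, reason) for a link copied out of a meeting invite."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "suspicious", "link cannot be parsed"
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return "suspicious", "not an https link"
    if not host:
        return "suspicious", "no host name in link"
    if parts.username is not None:
        # In https://zoom.us@other.example/ the browser goes to other.example.
        return "suspicious", "text before '@' is not the site; real host is " + host
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "internationalised host name may hide lookalike letters"
    for domain in sorted(TRUSTED_DOMAINS):
        # Accept the domain itself or a true subdomain ("." boundary required).
        if host == domain or host.endswith("." + domain):
            return "trusted", host + " belongs to " + domain
    return "suspicious", host + " is not a known meeting provider"


# Constructed sample links (not taken from real invites).
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/5551234567",
    "https://zoom.us.meeting-login.example/j/5551234567",
    "https://zoom.us@meeting-login.example/j/5551234567",
    "https://gotomeeeting.com/join/5551234567",
    "http://zoom.us/j/5551234567",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_meeting_link(link)
        print(f"{verdict:10} {link}\n           {reason}")
```

Only the first sample is reported as trusted. Lookalike sites can obtain certificates and show a padlock too, so the host name comparison is the check that matters.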

A Final Note

Keep in mind INB will never ask for your banking passwords.  If you receive an email or message asking for this information, please contact us immediately by calling 1-877-771-2316.
