5 minute read 3 Apr 2020

How to guard against phishing scams amid the COVID-19 pandemic

By Todd Marlin

EY Global Forensic & Integrity Services Technology & Innovation Leader

Global leader in technology & Innovation, with significant experience serving the financial services industry.


Phishing scams have long been among the most popular cyberattack methods. The coronavirus (COVID-19) pandemic opens up more opportunities for cybercriminals.

COVID-19 has upended work and home life for most of us. The shift to remote working and fears about the virus have led to a surge in phishing attempts, with cybercriminals moving quickly to take advantage of the new world reality.

Phishing and email scams have long been among the most popular and effective methods used by cybercriminals. They can be used to distribute misinformation, to obtain illicit financial gain, and to seek personal and sensitive information from a victim. Employees victimized by attacks can expose critical company data located not just on their own computer, but throughout an entire network.

Now, COVID-19 is giving cybercriminals a new way to dupe anyone anxious about the pandemic, as “That email may be infected too” (pdf) explains. Scammers are sending emails that appear to come from legitimate organizations such as the World Health Organization, the US Centers for Disease Control and Prevention, and other government authorities.

Almost all the fraudulent emails come down to asking the recipient either to click on a link or to open an attachment. Either action could result in activating malware or redirecting the user to a page that asks them to enter confidential data.

Common forms of phishing attacks

As with most phishing attacks, the criminals often use legitimate content sourced from reputable organizations to entice the reader to click on a link. The URL appears to belong to a legitimate website, but clicking it sends the victim to a malicious site that infects their computer and extracts their data.

Phishing attacks also prey on the hunger for information in times of crisis by sending recipients attachments that claim to contain important health information. When the victim opens the document, hidden code embedded in it could unknowingly hand control of their computer to a remote attacker.

There are several avenues attackers have been exploiting to conduct phishing attacks. Some of the most common ones are:

  • Spear-phishing: Fake emails that appear to come from a trusted sender, prompting victims to reveal confidential information or to follow links to credential-harvesting websites or malware
  • Spoofing: Using names that resemble those of authoritative personnel, adding or switching domains so that links point to malicious sites, or imitating familiar email or website layouts
  • Social engineering: Leveraging LinkedIn and other publicly available information to map out corporate hierarchies and using that knowledge to execute well-informed spoofing attacks
  • Spam filter bypassing: Tactics such as zero-point (invisible) font text used to slip past any spam filters that might be in place; often categorized as a more advanced form of spoofing

Besides COVID-19 scams, other common scams are:

  • Accounting fraud: A request from an accounting or a finance department or leader to approve an invoice payment, a journal entry, or other financial transaction
  • Social media spoofing: A social media notification, such as a friend request or a post you should “click to see”
  • Package delivery notification: A package that requires the recipient to click on a link to confirm delivery or to check tracking status
  • Online shopping account spoofing: Your online shopping account experienced suspicious access activity that requires you to click on a link to review or confirm
  • Password resets: Your online account has been compromised; please click on a link to regain access to your account

Risks increase amid remote working

Phishing is certainly not new, but security experts report attacks are increasing due to the COVID-19 pandemic. As we exercise social distancing and spend more time working remotely, the risk of falling into phishing traps increases.

Many face-to-face interactions have moved online, and remote employees may be more inclined to use corporate laptops for non-business work. Employees using personal email accounts from corporate laptops can land on infected sites that steal sensitive company information.

Organizations have long been under the threat of phishing emails that impersonate a co-worker or a manager. You might get an email that appears to be sent by a colleague asking you to follow instructions to “transfer money,” “send financial data” or “allow access to confidential product information.”

In the past, you might have called out to someone in the next cubicle to ask for verification, but if that’s not an option, you may automatically click on the link. As employees lose face-to-face contact, the risk of being victimized increases exponentially.


Staying vigilant can prevent successful phishing attacks

Here are some key steps to protect yourself and your company:

  • Utilize your company’s security measures for suspicious emails sent to your corporate address. For example, many businesses have tools in place that allow you to immediately flag any email you cannot readily verify.
  • Review your company’s cybersecurity guidelines and take training if needed.
  • Use secure in-house corporate tools such as instant messaging and collaboration sites instead of email when possible. If you aren’t comfortable with these tools, now is the time to adopt them.
  • Check the email address of the sender to make sure the domain name is accurate. For example, real.employee@acme.com is not realemployee@acmee.com.
  • Be cautious of generic emails that do not specifically address you.
  • Question the authenticity if the email is full of grammar and spelling mistakes.
  • Most email software will warn you about suspicious emails. Don’t ignore those warnings.
  • Use instant messaging or a phone call to contact a colleague who appears to be the sender of a suspicious email.
  • Be cautious of instructions that ask you to download a file, such as an invoice or a bank statement.
  • When directed to a URL, check the address to determine if it’s for a familiar website. Don’t click on any link unless you can verify it.
  • Don’t perform any actions that are outside standard workflows (e.g., transferring money to process payments) without verification.
  • Don’t reply to emails that ask for personal information. Legitimate organizations asking for sensitive information will send you a secure link that encrypts data.
  • Don’t open attachments without verifying them. Contact the sender via phone or use a secure in-house communication tool to first confirm the authenticity of the documents.
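The sender-domain check above (acme.com versus acmee.com), the display-name and embedded-domain spoofing described under “Spoofing”, and the zero-point-font trick under “Spam filter bypassing” can all be screened automatically. The following triage script is an added example, not part of the EY article; it assumes a constructed allowlist containing only acme.com and uses a simple edit-distance heuristic, so it flags candidates for review rather than delivering verdicts.

```python
import re

# Constructed allowlist for this example: the organization's own mail domain(s).
TRUSTED_DOMAINS = {"acme.com"}

# "Display Name <addr>" or '"Display Name" <addr>'; a bare address does not match and is used as-is.
ADDR_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<>]*?)"?\s*)?<(?P<addr>[^<>]+)>\s*$')

# font-size:0 text that the reader never sees but a content filter still scores.
ZERO_FONT_RE = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|[\"'])", re.I)


def split_header(value: str):
    """Return (display_name, address) from a From: header value, address lower-cased."""
    m = ADDR_RE.match(value)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip().lower()
    return "", value.strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character look-alikes such as acmee.com for acme.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return trusted, lookalike, display_name_spoof, external or invalid for a From: header."""
    name, addr = split_header(header_value)
    if "@" not in addr:
        return "invalid"
    domain = addr.rpartition("@")[2]
    # Display name written as a trusted-domain address while the real address is somewhere else.
    name_domain = name.lower().rpartition("@")[2] if "@" in name else ""
    if name_domain in trusted and name_domain != domain:
        return "display_name_spoof"
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    # Trusted name embedded in an unrelated domain (acme.com.portal.example) or a near miss.
    if any(t in domain or edit_distance(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "external"


def has_zero_font_text(html: str) -> bool:
    """True when the HTML body styles any text at font-size 0 (hidden filter-bypass text)."""
    return ZERO_FONT_RE.search(html) is not None
```

A flagged result is a prompt to verify the sender out of band, as the list above recommends, not proof of fraud; legitimate third parties will land in the “external” bucket.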

Summary

Amid the coronavirus (COVID-19) pandemic, employees who are working from home and using personal email accounts from corporate laptops can land on infected sites that steal sensitive company information. Vigilance and caution are warranted even in the best of times; be wary of clicking links and downloading files from unknown sources, and find time to refresh your knowledge of company cybersecurity policies and resources.

