Coronavirus & Cybersecurity: Are You At Risk?
I wish I could say I have no anxiety over the Coronavirus (COVID-19), but I would be lying to you. We are all sort of a little stressed out in a way, no matter whether you believe it’s a global medical pandemic or media hysteria.
The reason why I may have a little more angst than most is because my work entails that I travel around the country. Being less than a foot away from Susan-with-the-cough puts a little worry in my subconscious mind.
So here I am, sitting at the Nashville airport waiting for my flight, as I have two conferences over the next two days.
Some friends have said to me, “You’re nuts!” for braving every terminal, airplane, and new city I step foot in.
So again, as I sit here I start to wonder. I mean, the economic impact is getting worse with the stock market. The media coverage on this issue is depressing. Local cases are popping up in our communities, so school closings and cancellation of major conferences and sporting events plague us all around the world. While this is all daunting (and true), we have to really look at a different issue, past these current ones.
This is the perfect opportunity for cybercriminals to strike.
We all know these evildoers are using COVID-19 to hit us when we are at our most vulnerable. Whether it’s local or national news, or a mere Google search, you will see tons of articles about targeted spear phishing emails distributing malware. The malware is being used to steal usernames and passwords, as well as to spread ransomware.
The advice is always the same: Don’t trust emails from individuals or companies you don’t know or recognize.
This works well when you get an easily identifiable piece of spam email, one that looks like an ad for diet pills or Viagra. As I always say during my talks, you are not going to get an email from a cybercriminal directly, with misspellings and broken English (although they do exist).
Instead, it’s going to come from someone you know and trust.
Here are two examples that should make sense:
- Numerous HR departments are sending out legitimate Coronavirus updates for their employees. However, cybercriminals are using this in their favor. These emails are directing employees to stay home if they are sick, or providing updates on the work from home program. When I make this point, many companies tell me they have excellent endpoint products that will pick up these types of phishing emails. This goes back to the question I always ask during my presentations: how many organizations are using two-factor authentication on their email? On my best day, only 25% of the attendees raise their hand; that is, those who are actively using 2FA.
- According to Microsoft, only 11% of enterprises use 2FA. Here’s how it works: a cybercriminal gets the password of the HR administrator of said company on the dark web and takes control of the account. He uses it to send out a spear-phishing internal email to all employees, and it’s mixed in with legitimate emails. The employee doesn’t know the difference, and will click on any link in the email, as there is a level of trust. At that point, it’s game over.
Many of us get our news from social media in our personal circles: Facebook, LinkedIn, Instagram or Twitter. Think about your own life and social circles. From my (pretty vast) experience with this, I can legitimize the following statement:
Very few users are utilizing 2FA on their social media accounts. And email is worse.
How do I know this? Because once again, I always ask this question during my talks. Aside from hearing crickets, very few hands go up. Social media is bad, but this is (not surprisingly) exacerbated when asking about email. So if this is the case, the cybercriminal/con man/hacker (whatever jargon you may use) gains access to the social media account and sends out a targeted message with some fake news stating, “There is a confirmed case in your neighborhood,” or “Schools closed in Your County,” or even worse, that there is a death. Think about how much negative energy is fueling this disease.
I hate to say it, but if a trusted friend or family member emailed me about this epidemic, it would be hard for me not to click on the message.
So let’s remember a few important things to mitigate any further stress:
- Cybercriminals are going to use the Coronavirus to get us to click on links or open attachments.
- Email and social media are the attack vectors.
- The messages will appear to be very real and will come from individuals and organizations you know and trust.
- Think before you click and act. Become a human firewall.
- Remember that most people you know and trust are not using 2FA. Don’t be one of them. Please make sure you are utilizing it on your remote accounts, including email and social media.
You don’t have to be a victim, whether of a global disease or of a cybercrime. Be a human firewall, and don’t forget to wash your hands!