This article was written by Shawn Henry, the President and CSO of CrowdStrike Services. Prior to joining CrowdStrike, Henry worked with the FBI, where he was credited with boosting the bureau’s computer crime and cybersecurity investigative capabilities. This excerpt is from a longer article that was originally published on the CrowdStrike blog.
Recently, there has been a rise in fraud schemes related to the COVID-19 pandemic. This should come as no surprise. Our adversaries seek to exploit one of our basic human conditions – fear. Right now, we are vulnerable — and our adversaries know it.
In a crisis, people tend to lose sight of their better judgment. Meanwhile, criminal hackers and scammers are eager to take advantage of us. As a result, social engineering has become one of the most common techniques deployed by adversaries. It continues to be the most successful method used to breach organizations and steal personal information and company-owned intellectual property.
Cybercriminals are using malicious websites and apps that appear to share the latest COVID-19 information, only to deliver malware to your device to steal information or lock devices and demand payment. Our desire for the latest news makes us more susceptible to these tactics. But we must not let fear cloud our judgment. The adversary wins if we let our guard down and fall victim to these scams.
Social engineering attacks have also sought to take advantage of the recent rise in remote employees. The risk of social engineering increases when more employees work from home. It’s easier to fool unsuspecting employees who now have limited face-to-face interaction with their coworkers. That call from “IT” might not be who you think it is. And that email from “Apple” may not come from where you’d expect. Stop and think — ask yourself — is the person on the other end of the phone or computer really who they say they are?
To help keep us all safe, we suggest reminding all users of the following practices. They’ve likely heard these before, but now may be a good time to jog everyone’s memory:
- DON’T CLICK ON LINKS SENT BY PEOPLE YOU DON’T KNOW. Hover over them first; trust but verify!
- Avoid opening attachments within emails from senders you do not recognize.
- Be wary of emails or phone calls requesting account information or requesting that you verify your account.
- Do not provide your username, password, date of birth, social security number, financial data or other personal information in response to an email or robocall.
- Always independently verify any request for information that appears to come from a legitimate source.
- Always verify the web address of legitimate websites and manually type them into your browser.
- Check for misspellings or improper domains within a link (for example, an address that should end in a .gov ends in .com instead).
- Before transferring money or information, verify by voice or video call.
- Be alert to counterfeit items, such as sanitizing products and personal protective equipment, or people selling products that claim to prevent, treat, diagnose or cure COVID-19.
Security awareness is the best way to prevent being victimized. It’s important to be cognizant of common social engineering tactics in order to spot the signs of targeting. Make sure your company has a process in place to allow employees to engage IT security personnel if they have any reason to believe they might be the victims of a social engineering attack.
Together we’ll all get through this, and by using good technology, policies, and processes, our networks and data will be safer and more secure.