Tips to Protect Your Business from Phishing Scams Amid COVID-19
During the coronavirus crisis, businesses need to safeguard their employees and workplaces from fraudulent email schemes attempting to obtain confidential information. Recently, Microsoft issued a warning about new phishing scams that try to lure victims with fake COVID-19 emails that seem to be sent from the Centers for Disease Control (CDC). Phishing is a widely used scam tactic that disguises emails to appear as if they come from a legitimate source to trick recipients into sharing sensitive information, such as login credentials, credit card or bank account information, or Social Security numbers. Phishing is so successful that it is responsible for billions of dollars of business and consumer losses each year.
How Phishing Attacks Work
There's a good chance you or a member of your organization has been the target of a phishing attack. Phishing emails arrive in your inbox looking as if they were sent from a reputable source, such as a service company, a government agency or maybe even someone within your organization. In the email, your name may be included in the salutation and you might find an alert about an account that needs updating or a recent order you placed. The message is designed to get you to click on a link embedded in the email.
If you click on the link, you will be directed to a website that looks legitimate and will ask you to enter your login credentials. If you do, the phisher has everything needed to impersonate you. With some phishing emails, clicking on the link unleashes a virus or malware that can steal your data or encrypt it to hold it for ransom. Even worse, the malware also uploads a keylogger component, which can record computer users' keystrokes as they enter passwords and other confidential information.
Increase in COVID-19 Scams
The phishing campaign identified by Microsoft delivers a widely used malware called Lokibot which, in this case, uses COVID-19 as the lure to get you to click on a link. The email pretends to be from the CDC, with subject lines such as “Business Continuity Plan Announcement for May 2020.” When Lokibot is unleashed, it steals login credentials. Additionally, it uploads a keylogger component that records your keystrokes as you enter passwords and other confidential information. It's estimated that thousands of different malware attacks disguised as important COVID-19 information are launched each day.
How to Defend Against Phishing Attacks
You and your employees are your first and last line of defense against phishing attacks. To fortify your defenses, everyone in your organization needs to be educated on what a phishing attack looks like and how to combat it. Here are six red flags to look for in suspicious emails:
- Fake sender address: An email may look legitimate, but by scrutinizing the sender's address, you can see if there are any misspellings or an extra dash in the address. Sometimes the lowercase letter "L" is replaced with the number "1."
- Generic or "phishy" salutation: If the salutation does not contain your name, consider it spam and delete it. Some emails might include an odd form of your name in the salutation, such as your email moniker (e.g., frsmith). If the email doesn't get your name right, delete it.
- Urgent call-to-action: Any email that contains urgent calls to action, such as "your account will be closed" or "action required," should be considered suspect. Look for other red flags and have your supervisor review it.
- Request for sensitive information: A legitimate business or government agency will never request confidential information. Delete any email that does.
- Phony links: Most phishing scams are all about the links. Never click on a link unless you are 100% certain of the source. Avoid links that don't start with "https" in the URL. If there is no "s", it's probably fake.
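The red flags listed above can also be checked automatically. The following is an added example, not part of the original article: a small Python checker run over two constructed messages. The trusted domain `billing.example`, the phrase lists, the recipient name and the function names are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the trusted domain (reserved .example TLD),
# the phrase lists and both sample messages are assumptions, not from the article.
TRUSTED_DOMAINS = ("billing.example",)
URGENT = ("action required", "your account will be closed")
SENSITIVE = ("password", "social security", "credit card", "bank account")

def skeleton(domain):
    """Undo the two sender tricks named in the list: '1' for 'l' and extra dashes."""
    return domain.lower().replace("1", "l").replace("-", "")

def red_flags(raw, recipient_name):
    """Return the red flags found in a plain-text (non-multipart) message."""
    msg = message_from_string(raw)
    body = msg.get_payload().lower()
    text = msg.get("Subject", "").lower() + "\n" + body
    flags = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        # Same skeleton but a different string means a lookalike domain.
        if domain != trusted and skeleton(domain) == skeleton(trusted):
            flags.append("lookalike-sender:" + trusted)
    lines = body.strip().splitlines()
    if recipient_name.lower() not in (lines[0] if lines else ""):
        flags.append("salutation-without-name")
    if any(phrase in text for phrase in URGENT):
        flags.append("urgent-call-to-action")
    if any(phrase in text for phrase in SENSITIVE):
        flags.append("sensitive-information-request")
    if re.search(r"\bhttp://", text):
        flags.append("non-https-link")
    return flags

SUSPICIOUS = ("From: Billing <alerts@bi11ing.example>\nSubject: Action required\n\n"
              "Dear customer,\nYour account will be closed. "
              "Confirm your password at http://bi11ing.example/login\n")
LEGITIMATE = ("From: Billing <alerts@billing.example>\nSubject: May statement\n\n"
              "Dear Fran Smith,\nYour May statement is ready at "
              "https://billing.example/statements\n")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, red_flags(raw, "Fran Smith"))
```

An empty result is not proof of legitimacy: phishing sites can also be served over https, so a link's destination still needs to be verified.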
There is no better defense against security attacks than becoming thoroughly educated about the risk and arming yourself, your family, and your employees with the knowledge to prevent them. It is also essential to boost your cybersecurity defenses by upgrading your firewall regularly.
The opinions voiced in this material are for general information only and are not intended to provide specific advice or recommendations for any individual. Ameris Bank is not affiliated with nor endorses any of the companies featured in this article.