Alert: COVID scams and cyber attacks

Be safe…and smart

There continues to be growing exploitation by cybercriminals of the current Coronavirus (COVID-19) global pandemic. There are a large number of online scams, phishing messages, and other attacks taking advantage of the current situation. These are likely to continue and increase over the coming weeks.

Although the Smithsonian has security measures in place to protect against such threats, it is not possible to block all of them through automated tools. Additionally, your home computers and devices are not likely to have the same level of protection as we have at the office. It is therefore important that you increase your awareness and vigilance against these attacks. Just like the steps to protect yourself from the virus, there are precautions you need to take to protect yourself from related scams.

Criminals often rely on social engineering methods to entice a user to carry out a specific action. They may make the message appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with “Dr.” in their title. Other emails pretend to be from an HR department or a school and advise the recipient to open the attachment. These criminals are taking advantage of human traits such as curiosity and concern around the Coronavirus pandemic in order to persuade potential victims to:

  • Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware. For example, a malicious app claims to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install ransomware on their device.
  • Open a file (such as an email attachment) that contains malware. For example, email subject lines contain COVID-19-related phrases such as “Coronavirus Update” or “2019-nCov: Coronavirus outbreak in your city (Emergency)”.
  • Visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information. If the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed login pages may relate to a wide array of online services including—but not limited to—email services provided by Google or Microsoft, or services accessed via government websites. If the victim enters their password on the spoofed page, the attackers will be able to access the victim’s online accounts, such as their email inbox. This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim’s address book.
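The two tell-tale signs described above (a COVID-themed lure in the subject and a link whose visible text names one site while the underlying address goes somewhere else) can be checked mechanically before anyone clicks. The following is an added example, not code from the Smithsonian alert or from OCIO: it parses a constructed sample message with Python's standard library, flags lure phrases taken from the alert's own examples, and reports links whose displayed domain does not match the domain in the href. The sample email, its domains and the lure list are all assumptions made for the demonstration.

```python
# Added example (not part of the original alert): a small mail checker that
# applies the "think before you click" advice programmatically.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure phrases taken from the alert's examples. Assumption: a real filter would
# use a maintained, regularly updated list.
LURE_PHRASES = ("coronavirus update", "coronavirus outbreak", "2019-ncov", "covid-19")

# Constructed sample message for the demo; not a real captured email.
# The visible link text claims to be mail.example.org, but the href points at
# login-verify.example.net, which is the spoofed-login-page pattern.
SAMPLE_EMAIL = """\
From: "Dr. A. Example" <alerts@who-updates.example>
To: staff@example.org
Subject: Coronavirus Update - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the latest guidance and sign in to confirm receipt:</p>
<a href="http://login-verify.example.net/owa">https://mail.example.org</a>
<p>Internal guidance: <a href="https://intranet.example.org/guidance">Intranet guidance</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registered_domain(url):
    """Return the last two DNS labels of the URL's host (e.g. 'example.org').
    Assumption: this simplification ignores multi-label public suffixes such
    as co.uk; a production filter would use a public-suffix list."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def mismatched_links(html):
    """Links whose visible text is itself a URL on a different domain than the href."""
    findings = []
    for href, text in extract_links(html):
        if looks_like_url(text) and registered_domain(text) != registered_domain(href):
            findings.append({"shown": text, "href": href})
    return findings


def lure_phrases(subject):
    subject = subject.lower()
    return [p for p in LURE_PHRASES if p in subject]


def analyze(raw_message):
    """Parse an RFC 822 message and report the two warning signs from the alert."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "lures": lure_phrases(str(msg["subject"] or "")),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("Lure phrases in subject:", report["lures"])
    for finding in report["mismatched_links"]:
        print(f"Link shows {finding['shown']} but goes to {finding['href']}")
```

Neither check proves a message is malicious on its own; a lure phrase can appear in a genuine HR notice, and a legitimate newsletter may route links through a tracking domain. The value is that both signals are cheap to compute and give a reader a concrete reason to pause, hover over the link, and confirm the destination before entering a password.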

Criminals are also taking advantage of the new networks and communications platforms that organizations have rapidly deployed to enable widespread telework and distance learning. Because of the urgent circumstances, these may contain vulnerabilities or may not be secured as stringently as they normally would be. This has led to increased attacks that target those weaknesses, as well as weaknesses on the personal devices that people are using to connect.

Some important things you can do to protect yourself are:

  • Think before you click on anything. Be skeptical. Don’t let emotion cloud your judgement.
  • Do not give out any personal, financial, or other sensitive information unless you are absolutely sure the request is legitimate. Never give anyone any of your passwords under any circumstances.
  • Make sure your computers and devices are kept updated. Do not use old operating systems, web browsers, and other unsupported software. Set everything to automatically update.
  • Install antivirus software on all your computers, and make sure it is kept updated. SI provides free Cylance antivirus for home use if you need it.
  • Secure your home WiFi. Change default settings and passwords.
  • Practice good password hygiene. Set strong passwords. Do not reuse them in different places. Use multifactor authentication when it is available (such as on banking sites). Use a secure password manager if you have too many to remember.
  • When hosting online meetings, use your conferencing tool’s security features (such as setting a password/PIN for the meeting).
  • Hang up on robocalls and do not respond to suspicious phone messages.
  • Report any suspicious activity to the OCIO Help Desk (if related to SI work or systems) or the FBI Internet Crime Complaint Center (for non-SI-related situations).

For further tips and information, see:


Posted: 9 April 2020
About the Author:

The Torch relies on contributions from the entire Smithsonian community.