Misfortune of any kind is a breeding ground for enterprising cyber-criminals’ schemes, as opportunities abound for attackers to take advantage of confusion and chaos for their own financial gain. As the Payroll Protection Program (PPP) relief fund continues to provide hundreds of billions of dollars in much-needed loans to small businesses hit by the devastating impact of COVID-19, cyber-criminals have become more active than ever, using the program as bait for their latest spear phishing campaigns. Spear phishing activity is up over 600% since the beginning of the year, meaning that the next email purporting to provide PPP guidance during the COVID-19 pandemic may be concealing a virus of a different kind. Whether it involves socially engineering recipients into visiting fraudulent PPP websites or opening malware-infected attachments, criminals are accelerating their spear phishing attacks to steal as much information and money as they possibly can.
To help avoid becoming the next victim of a spear phishing attack, here are some best practices that organizations should consider:
Attackers have reached a point where the spear phishing emails they send are almost indistinguishable from legitimate ones, complete with logos, falsified sender addresses, and specific details gleaned from online sources such as LinkedIn. When an email arrives asking users to open an attachment, click on a link, or respond with any sensitive information, they should refrain from taking immediate action. Instead, users should pause and ask themselves: “Was I expecting this request, from this person, at this time?”
The rapid rollout of the PPP program has left many unanswered questions, including where business owners should go for help. Business owners may be uncertain whether a PPP website is legitimate. Compounding this confusion are reports of significant numbers of questionable PPP website domains being created that appear authentic. Before entering sensitive information into a website, contact the organization behind it by phone to verify that the site is legitimate.
Use a different password for each website. Then, if credentials are stolen because they were entered into a site that turned out to be a well-designed trap set by criminals, they cannot be reused to access other accounts. Legitimate government agencies and financial institutions will never send an email or call asking for a password or other sensitive information.
The cybersecurity team in Citrin Cooperman’s Technology Risk, Advisory & Cybersecurity (TRAC) Practice can help you remain safe from spear phishing attacks. Whether it is developing customized on-demand cybersecurity awareness training or conducting a spear phishing simulation, our team of security experts can help your clients socially distance themselves from cyber-criminals and their attacks.