While cybersecurity professionals continue to make huge strides in protecting organizations, all the technology in the world can’t completely protect users and assets — it also requires caution and constant vigilance by everyone. This is also the stark reality of the current COVID-19 crisis. With so many companies forced to quickly transition to a remote workforce, remaining cautious, vigilant and informed must be the mantra for all of us.
As CSO of CrowdStrike, I treat frequent and open communication with our entire team as a major component of our internal security: it makes people aware of, and prepared for, the threats we face every day, as an organization and as individuals. It is particularly important that security leaders reach out to their stakeholders now to highlight the increased risk in light of recent adversary activity.
Fraud Schemes and Social Engineering
It should come as no surprise that our adversaries seek to exploit one of our basic human conditions — fear. Right now, we are vulnerable — and our adversaries know it. In a crisis, people tend to lose sight of their better judgment. Meanwhile, criminal hackers and scammers are eager to take advantage of us.
Recently, there has been a rise in fraud schemes related to the coronavirus pandemic, and our CrowdStrike® Intelligence team has collected and disseminated many examples. Social engineering is one of the most common techniques deployed by adversaries because it continues to be the most successful method to breach organizations, and criminal adversaries are leveraging the pandemic to steal personal information and company-owned intellectual property. They’re using malicious websites and apps that appear to share the latest COVID-19 information, only to deliver malware to your device to steal information or lock devices and demand payment. Our desire for the latest news makes us more susceptible to these tactics. But we must not let fear cloud our judgment. The adversary wins if we let our guard down and fall victim to these scams.
Social engineering attacks have also sought to take advantage of the recent rise in remote employees. The risk of social engineering increases when more employees work from home. It’s easier to fool unsuspecting employees who now have limited face-to-face interaction with their coworkers. That call from “IT” might not be who you think it is. And that email from “Apple” may not come from where you’d expect. Stop and think — ask yourself — is the person on the other end of the phone or computer really who they say they are?
Recommendations to Ensure Online Safety
To help keep us all safe, we suggest reminding all users of the following practices. They’ve likely heard these before, but now may be a good time to jog everyone’s memory:
- DON’T CLICK ON LINKS SENT BY PEOPLE YOU DON’T KNOW. Hover over a link first to see where it really leads; the text you see and the destination behind it can differ. Verify before you trust!
- Avoid opening attachments within emails from senders you do not recognize.
- Be wary of emails or phone calls requesting account information or requesting that you verify your account.
- Do not provide your username, password, date of birth, social security number, financial data or other personal information in response to an email or robocall.
- Always verify a request for information through an independent channel (a phone number or address you already have, not one supplied in the message), even when the request appears to come from a legitimate source.
- Check the web address of any site you are asked to visit, and type the address you already know into your browser rather than following the link.
- Check for misspellings or the wrong domain in a link (for example, an address that should end in .gov ends in .com instead, or the trusted name is only a subdomain of an unfamiliar site, such as cdc.gov.example.com).
- Before transferring money or information, verify by voice or video call using contact details you already have.
- Be alert to counterfeit items, such as sanitizing products and personal protective equipment, or people selling products that claim to prevent, treat, diagnose or cure COVID-19.
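The link checks in the list above (hover to see the real destination, compare the domain you expect with the one you actually get, watch for a wrong top-level domain or a trusted name buried in a subdomain) can be written down as code. The following Python script is an added example, not part of the original post or any CrowdStrike tool. It assumes a simplified way of finding the registrable domain (the last two labels, plus a short hypothetical list of two-level suffixes instead of the full Public Suffix List), and the sample links at the bottom are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical shortlist of two-level public suffixes; the real answer is the
# Public Suffix List. This is an assumption made for the example.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au", "co.jp"}

# Matches something that looks like a hostname inside visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)


def registrable_domain(host):
    """'www.cdc.gov' -> 'cdc.gov'; 'news.bbc.co.uk' -> 'bbc.co.uk'.

    Simplification: last two labels, or three when the suffix is in the
    shortlist above. A production check would consult the Public Suffix List.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text, href, expected_domain):
    """Return a list of warnings for a link; an empty list means nothing suspicious.

    display_text:    the text the user sees (anchor text or a pasted URL)
    href:            where the link actually goes (what hovering reveals)
    expected_domain: the registrable domain the user believes they are visiting
    """
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if not host:
        return ["link has no hostname"]
    if parts.scheme != "https":
        findings.append(f"link is not https ({parts.scheme or 'no scheme'})")
    # 'https://www.cdc.gov@evil.example/' shows a trusted name, but the browser
    # connects to the host after the '@'.
    if parts.username is not None:
        findings.append(f"URL contains credentials before '@'; real host is {host}")
    # Internationalized labels can contain characters that look like ASCII letters.
    if not host.isascii() or "xn--" in host:
        findings.append("hostname uses non-ASCII or punycode labels (possible homoglyph)")

    expected = expected_domain.lower()
    actual = registrable_domain(host)
    exp_label, exp_tld = expected.rsplit(".", 1)
    act_label, act_tld = actual.rsplit(".", 1)
    if actual != expected:
        if f".{expected}." in f".{host}.":
            findings.append(f"'{expected}' appears only as a subdomain; real domain is {actual}")
        elif act_label == exp_label and act_tld != exp_tld:
            findings.append(f"wrong top-level domain: .{act_tld} instead of .{exp_tld}")
        elif edit_distance(actual, expected) <= 2:
            findings.append(f"lookalike domain {actual} (close to {expected})")
        else:
            findings.append(f"unexpected domain {actual}")

    # Visible text that looks like a URL but points somewhere else.
    m = HOST_IN_TEXT.search(display_text)
    if m:
        shown = m.group(1).lower().strip(".")
        if registrable_domain(shown) != actual:
            findings.append(f"text shows {shown} but link goes to {host}")
    return findings


# Constructed sample links (display text, real destination, domain the reader expects).
SAMPLE_LINKS = [
    ("https://www.cdc.gov/coronavirus", "https://www.cdc.gov/coronavirus", "cdc.gov"),
    ("www.cdc.gov", "http://www.cdc.com/update", "cdc.gov"),
    ("COVID-19 guidance", "https://cdc.gov.covid-update.example/login", "cdc.gov"),
    ("https://www.cdc.gov", "https://www.cdc.gov@evil.example/", "cdc.gov"),
    ("", "https://www.cdcs.gov/", "cdc.gov"),
]

if __name__ == "__main__":
    for text, href, expected in SAMPLE_LINKS:
        print(href, "->", check_link(text, href, expected) or "ok")
```

The script deliberately reports every problem it sees rather than stopping at the first, because a phishing link often fails several checks at once (plain http, a wrong top-level domain, and anchor text that names the site it is impersonating). The simplified registrable-domain logic is the part to replace first if this were used for real.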
Security awareness is the best way to prevent being victimized. It’s important to be cognizant of common social engineering tactics in order to spot the signs of targeting. Make sure your company has a process in place to allow employees to engage IT security personnel if they have any reason to believe they might be the victims of a social engineering attack.
If you are looking for accurate and up-to-date information on COVID-19, the CDC has posted extensive guidance and information that is updated frequently. The best sources for legitimate information on COVID-19 are www.cdc.gov and www.coronavirus.gov.
You can also access resources to help you ensure the security of your organization and remote workers by visiting the CrowdStrike COVID-19 resource webpage.
I hope everyone will continue to stay safe, and be extra cautious about their online and work-from-home behaviors. It’s vitally important that we take care of ourselves mentally, physically and emotionally during these challenging times. At CrowdStrike, we’re continuing to do our utmost to protect our customers and their organizations, no matter where their employees are located, but the awareness and alertness of every individual are essential to successfully weathering this storm.
- Learn about two new programs for CrowdStrike customers, aimed at securing a newly remote workforce.
- Read a blog on COVID-19 cybersecurity from CrowdStrike CEO George Kurtz.
- Learn more about the cybersecurity challenges during COVID-19 and recommendations for securing your remote workforce in blogs by CrowdStrike CTO Mike Sentonas and Chief Product and Engineering Officer Amol Kulkarni.