COVID-19 and Cyber Health: “Think Before You Click”
In these unprecedented times, we are confronted with change in many aspects of our lives. Some of these changes in circumstance require changes in our current behavior and often they introduce completely new tools and behaviors to learn and put into practice. The changes have not gone unnoticed by bad actors who will not hesitate to exploit any uncertainty, fear or change. There has been an astronomical increase in coronavirus themed spam recently, with some vendors reporting increases of 14,000%.
A communicable disease reminds us all how connected we are and how what we do affects others. Social distancing, increased hand washing, masks, gloves; all things we are seeing as measures to protect you and those around you. An approach to protect yourself, your family, and your employer in the digital world might consist of two areas of discipline: 1) protecting your home network and 2) practicing good digital hygiene.
Protecting Your Home Network
Protecting your home network starts with where the internet enters your home. This device, often referred to as a router or modem, is typically provided by your internet service provider. You want to be sure that the default password for the administrator account has been changed from the default setting to a strong password. If you use WIFI in your home, you’ll also want to make sure that you have enabled encryption on your WIFI network. WPA2 is the preferred type of encryption. If your device does not support WPA2 encryption, consider purchasing a new router with support for modern encryption. You may need to work with your internet service provider to ensure device compatibility.
If you are using your personal computer to connect to work, you’ll need to make sure it is being updated and is protected. Older operating systems like Windows 7 do not get security updates and are targets with known vulnerabilities. You should upgrade to the most recent version of the operating system for the type of computer you’re using. The major operating systems have built in Anti-Virus and Anti-Malware as well as the ability to automatically update themselves. All these features should be verified to be on and working. If possible, you should be the only one using the computer that is connecting to the work environment. Much like your luggage at the airport, it’s most secure when you’re the only one in charge of the computer
Practicing Good Digital Hygiene
Practicing good digital hygiene is the second major area of focus. In the digital world, much like the physical one, we are going to run into ‘digital germs’ as we navigate our daily lives. We can all exercise the equivalent of forgoing handshakes and sneezing into our elbows in the digital world. Cybercriminals know how to exploit fear of loss and hope of gain in the same way that many advertisers do. Seeing evidence of these ploys in an email, text or any digital communication should raise an immediate red flag. They are often used to entice or scare a user into taking an action like clicking a link or opening an attachment.
One way to avoid clicking a link is to navigate directly to a website resource. For example: If you are sent a notice that the CDC is opening up a test site in your area with a link to click, you should go directly to the CDC website (www.cdc.gov) and search for the information there.
With email attachments, it helps to examine a few simple points.
Do you know the sender?
Were you expecting this communication?
Is there a sense of urgency or obligation, implied or explicit?
Here are just a few examples of cyber criminals trying to utilize the current situation:
A Cure from the WHO: Cybercriminals have been targeting health agencies such as the World Health Organization with both direct attacks and spoofs for phishing emails. In this campaign, the emails claim to be from the WHO’s Director-General, with details on drugs to take to prevent and cure the virus. In one instance, an attached document installs a keylogger and info-stealer. In another instance, the emails offer information on a virus vaccine but deliver malware instead.
Local Hospital alerts you of contact with an Infected Person: A threat actor is pretending to be from a local hospital telling the recipient that they have been in contact with a colleague, friend, or family member who has tested positive for the COVID-19 virus. The email then tells the recipient to print the attached EmergencyContact.xlsm attachment and bring it with them to the nearest emergency clinic for testing. In fact, that form is a malicious, macro-laden Office document that is at the time of this report detected by only a handful of major anti-virus applications.
Local Relief Funding: Cybercriminals send spam allegedly with information on how to get relief funds during the virus outbreak. If the user opens the attached document, malware infects the machine to steal online banking credentials.
Small Business Relief Spam: In this instance, spammers send emails claiming to be from the U.S. Small Business Administration with an attachment purporting to be an application for disaster assistance in light of the coronavirus. If someone takes the bait, the malicious file attachment executes malware that installs a Remote Access Trojan (RAT).
Government Stimulus Check Scams: The FBI’s Internet Crime Complaint Center (IC3) issued an alert warning of coronavirus-related phishing attacks, particularly surrounding economic stimulus checks. Scammers are leveraging the COVID-19 pandemic to steal your money, your personal information, or both. “Look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government,” the FBI says. The distribution of economic impact payments will begin in the next three weeks and will be distributed automatically, with no action required for most people. You will not be sent an unsolicited email seeking your private information in order to send you money. Here are the links to the FBI alert and the Stimulus update page: https://www.ic3.gov/media/2020/200320.aspx and https://www.irs.gov/coronavirus.
Fake Apps: As people increasingly work from home and online communication platforms such as Zoom, Teams, Slack, House Party, etc., explode in popularity, cybercriminals are taking advantage of the spike in usage by registering new fake domains and malicious executable files in an attempt to trick people into downloading malware on their devices.
In the current environment, heightened awareness is an essential tool for continued health and safety from both a physical and digital perspective. For the new cybersecurity challenges, our reactions require some diligence and while the specific steps for what to do for each situation may seem complicated, the overarching strategy can be distilled into a simple mantra: “Think before you click”.
Modera Wealth Management, LLC (“Modera”) is an SEC-registered investment advisor with places of business in Massachusetts, New York, New Jersey, Pennsylvania, North Carolina, Georgia and Florida. Modera may only transact business in those states in which it is registered or qualifies for an exemption or exclusion from registration requirements. SEC registration does not imply any level of skill or training. For information pertaining to our registration status, fees and services, please contact us or refer to the Investment Adviser Public Disclosure web site (www.adviserinfo.sec.gov) to obtain a copy of our disclosure statement set forth in Form ADV Part 2A. Please read the disclosure statement carefully before you invest or send money.
This article is limited to the dissemination of general information about Modera’s investment advisory and financial planning services that is not suitable for everyone. Nothing herein should be interpreted or construed as investment advice nor as legal, tax or accounting advice nor as personalized financial planning, tax planning or wealth management advice. For legal, tax and accounting-related matters, we recommend you seek the advice of a qualified attorney or accountant. This article is not a substitute for personalized investment or financial planning from Modera. There is no guarantee that the views and opinions expressed herein will come to pass, and the information herein should not be considered a solicitation to engage in a particular investment or financial planning strategy. The statements, information and opinions expressed in this article are subject to change without notice.
Investing in the markets involves gains and losses and may not be suitable for all investors and should not be considered a solicitation to buy or sell any security or to engage in a particular investment or financial planning strategy. Individual client asset allocations and investment strategies differ based on varying degrees of diversification and other factors. Diversification does not guarantee a profit or guarantee against a loss.