Pierre DeMontigny, Network Infrastructure Consultant

During this coronavirus crisis, scammers are using the internet and technology to take advantage of employees working remotely for the first time. Through a mix of social engineering and exploiting security vulnerabilities, scammers are trying to disable and harm your municipal operations through the use of ransomware, malware, and fraud.

As a TNW article reports, “According to Barracuda Networks, phishing attacks have seen a 667-percent surge from February to March, as the coronavirus spread took on pandemic proportions and many countries are imposing city-wide quarantines and lockdowns.” It’s likely that surge is continuing. Our current national (and international) crisis creates a perfect storm of risk: people are rushing to implement remote work technology and processes, and employees who lack the information and expertise that would alleviate uncertainty become more susceptible to scams.

Don’t become the next cyber victim. Municipalities need to step up and mitigate as much uncertainty and risk for employees as possible. First, we will go over some scams your city employees will likely see. Second, we will propose some tips to help protect your employees from scams. Third, we will let you know how to mitigate even more risk through the use of information technology.

1. Common Scams

Scammers are busy creating fake websites and attachments full of malware, ready for your employees to take the bait. As a Diginomica article reports, “Check Point Software’s Threat Intelligence monitoring service has recorded more than 4,000 new coronavirus-related domains registered since January. Of these, its scans found 3 percent to [be] malicious and another 5 percent suspicious, making the probability that coronavirus Internet domains are malicious 1.5-times that of the average site.”

Many coronavirus scams focus on tricking vulnerable employees who are afraid, anxious, or unfamiliar with IT and the coronavirus. Scammers use disinformation, fake requests, and emotional reasoning to carry out these scams.

Specifically, you and your employees need to watch out for:

  • Email (and text) phishing scams: Scammers are sending out coronavirus-related phishing emails meant to entice your employees to click. The Better Business Bureau points out that phishing emails may include false hope about vaccinations and therapeutic medicine, stimulus checks, and items currently hard to find (such as hand sanitizer). Employees should be very skeptical about unsolicited emails related to coronavirus concerns.
  • Spear phishing: Spear phishing differs from impersonal phishing emails. Scammers research your city and send you an email that closely imitates your mayor, your city manager, your city clerk, an IT department, or another trusted contact. They hope that you get tricked and hand over sensitive information (such as a password).
  • IT-related phishing scams: It’s understandable if you’re non-technical. However, as employees get used to working from home, technical naivety may leave them open to confusion. What if they get an email from “IT” saying their browsing session isn’t secure and they need to sign into a VPN? Or that their password needs confirmation because they’re working remotely? Or that they need to install special software because they’re working remotely? Would your employees click?
  • Social engineering (don’t forget the phone!): Scammers are also using robocalls and calling up employees personally to use the same tricks as described above, only over the phone.
  • Unsolicited, emotional, and/or urgent appeals: Phishing scams are generally unsolicited, and they use fear, doubt, emotion, and urgency to make your employees act before they can think about the request.
  • Sources of information about coronavirus: Scammers are using uncertainty about the most fearful aspects of this crisis such as vaccinations, medicine, testing, and scarcity of goods to get people to click. As we referenced above, many malicious websites exist and scammers want you to click on their links.

2. Tips to Help Employees Protect Themselves

Thankfully, there are many ways to protect employees from these scams if you are proactive. These tips include:

  • Communicate, communicate, communicate: Don’t leave employees in the dark. Communicate your policies about working from home, accessing files and data, and signing into city applications. Give employees clear, transparent information about your IT processes. Make it less likely they will get fooled by a scammer emailing them about fake IT policies. If you don’t communicate well about your policies and processes, then employees are more likely to fall for a scam.
  • Train employees about phishing: Review our blog post “Dissecting a Phishing Email: 6 Ways Scammers Trick City Employees.” The same logic applies to phone calls. Teach employees to be suspicious. Any unsolicited, emotional, and urgent emails or calls from someone they don’t know should raise a red flag. If in doubt about an email or phone call, call your IT staff or vendor, or call your supervisor.
  • Remind employees to be skeptical about information: Don’t be fooled. Cross-check information instead of blindly trusting an email or social media link. Use legitimate sites such as the CDC to get information about the coronavirus.
  • Mandate that employees do not download unauthorized software: Scammers often tempt employees to download software that seems useful but is loaded with malware or viruses. Employees must understand that downloading unauthorized software is not an option, even on their personal devices if they are using them for work. Read our blog post “7 Reasons City Employees Should Not Use Unapproved Software.”
  • Encourage the use of two-factor authentication and password management: Two-factor authentication (2FA) and a password manager can help protect employees who may accidentally give up their passwords to a scammer. With 2FA enabled, a scammer would also need physical access to the employee’s phone in order to make use of the password. 2FA gives your employees an additional layer of protection.

3. Additional Tips to Help Protect Employees

Remember, people make mistakes. While employees are not perfect, the above tips can help them detect scams and mitigate some risk associated with actions the scammers want employees to take. However, you can help mitigate even more risk with the following IT best practices.

  • Assign city-owned devices to employees: Many security breaches result from employees using personal devices. If possible, assign them city-owned desktops and laptops, overseen by IT professionals. These devices are easier to secure and maintain.
  • Avoid VPNs if employees use personal devices: If allowing employees to use personal devices is unavoidable, we strongly recommend providing access to city data through a secured, typically browser-based remote portal instead of a VPN.
  • Use IT professionals to oversee security: IT professionals using monitoring and alerting tools can help detect potential security incidents. They can also make sure software and hardware are patched and updated.
  • Ensure employees have antivirus and antispam software: This helps prevent many viruses and can stop scamming emails before they get to an employee’s inbox.
  • Use a centralized document management system: This way, employees will know any important documents are stored in a central repository, making them less likely to click on a malicious document in an email.
  • Have a clear, working incident response, data backup, and disaster recovery plan: Covering envisioned worst-case scenarios, these plans are essential in case your employee does fall for a scam. Your plan can help you mitigate the damage of a cyberattack, recover your data, and ensure employees can get back to work as soon as possible.

For example, with IT in a Box all supported users know they can contact our helpdesk by phone, email, and chat windows from their desktop—from anywhere and at any time. Such processes make it less likely that an employee will fall for a scam purporting to be from IT or that tricks the employee about something coronavirus-related. They know they can always ask us about an email or communication if they have any doubt.

Need help with protecting your employees from scams? Reach out to us today.

Original Date: 4/15/2020