Predictably, cyberattackers have figured out how to take advantage of public fear over coronavirus. Cyberattackers have developed new coronavirus email scams that literally threaten the life of the victim.

How do Email Scams Work?

In a coronavirus email scam, the cybercriminal uses extortion to obtain bitcoins or cash.

Bitcoin extortion is a tried and true method of attack. In a typical extortion email, the cyberthief would claim he or she has compromised a user’s email account, and now has access to the victim’s entire online life. The cyberthief would then claim that he or she has recorded a webcam video of the victim allegedly visiting pornographic or illegal gambling sites. Then, the extortion: the cybercriminal would claim that unless the victim transfers a certain amount of bitcoins or other form of payment to the cybercriminal, the cybercriminal would make the embarrassing information public.

Is your organization secure?
Find out now with our HIPAA compliance checklist.

Although the not-quite-English wording and grammar of many of these messages is a clear indication that the message is a scam, people still fall for this coronavirus email scam because the message is otherwise convincing. In many cases, the user is convinced the message is real because the cyberattacker displays an old password of the user in the message. This old password is one that was acquired from a previous data breach, that has now been made public. 

How do Coronavirus Email Scams Work?

Hackers wasted little time in developing coronavirus email scams. Some of these coronavirus scams are charity scams – messages that pretend the sender is gathering charitable donations for groups like the American Red Cross. Other coronavirus email scams exploit the fact that many people now have to work from home – by posing as an organization’s IT department to trick a remote user into installing malware.

In a new variation of a coronavirus email scam, the cybercriminal still uses a previously leaked password to make the message appear convincing. Instead of threatening to release an embarrassing video, however, the cyberattacker now threatens the life of the user. The cybercriminals claim to know the exact location and daily routines of the victim. They further further state that they “… could even infect your whole family with the CoronaVirus…” (note inaccurate spelling.)  The user, to stop the cyberattacker from carrying out the threat, is instructed by the cyberattacker to transfer bitcoins to the cyberattacker.

How Can Users Protect Against These Scams?

Since the attack is fake and the attacker neither knows you nor has access to your computer, you should never pay the ransom. If you do pay the ransom, the cyberthief will just pocket the money. Since, by paying the ransom, you’ve shown the attacker that you are an easy mark, you may be subject to future attacks. Instead of panicking over these messages or taking them seriously, users should seek refuge in the real world and deploy a series of security measures.

Security measures organizations should take include using strong passwords. Password guidelines, which incorporate best practices from the latest National Institute of Standards and Technology (NIST) guidelines (set forth in NIST SP 800-63B) are listed below: 

  1. Passwords should be a minimum of eight (8) characters in length, and be a maximum length of at least 64 characters.
  2. Special characters can be used, but their use is not required. However, passwords should be restricted as follows: 
    • Use of sequential and repetitive characters (i.e., 12345 or aaaaa) should be restricted.
    • Use of context-specific passwords (i.e., name of organization site) should be restricted.
    • Use of commonly used passwords (i.e., p@ssw0rd, etc.) should be restricted.
    • Passwords obtained from previous security breaches shall not be used.
  3. Password protection requirements for users:
    • Never reveal a password over the phone to anyone;
    • Never reveal a password in an email message;
    • Never reveal a password to your supervisor;
    • Never talk about a password in front of others;
    • Never hint at the format of a password (i.e., “my family name”);
    • Never reveal a password on questionnaires or security forms;
    • Never share a password with family members;
    • Never reveal a password to co-workers;
    • Never write down your password; instead, memorize it;
    • Never keep a list of user IDs and passwords in your office; and
    • Never misrepresent yourself by using another person’s user ID and password.

Other important security measures include:

  • Enabling multi-factor authentication (MFA).
  • Establishing a system through which employees can report scam emails to your IT department.
  • Performing a security risk assessment, followed by risk management.  Performing a security risk assessment will reveal security risks and vulnerabilities. Risk management remediates these risks and vulnerabilities. 
  • Actively updating antivirus and antimalware software.
  • Installing the latest patches and security updates.

HIPAA Protects You

Protect your business from expensive breaches and fines!