How to stay on top of scams, phishing attacks and malware campaigns

Story submitted by Information Technology Services (ITS) and NC’s security vendor SOPHOS:

Cyber-criminals will take any advantage they can to advance their cause. Their cause is usually financial, even if indirectly so. The number of COVID-19 scams, phishing attacks and malware campaigns is ever increasing, and these campaigns adapt old techniques for a new approach. So, while the message may be different, many of the ways to protect yourself and the College remain the same.

The number of new “COVID” and “corona” related domains and certificates created in the last few months has produced a graph like the one we are all too familiar with – that exponential rise. It is clear that malicious actors are ramping up their efforts.

Not all those domains and certificates are necessarily malicious. That makes it even more difficult to sort out the bad from the good. Our security vendor, SOPHOS, has identified more than 60 so far and if your SOPHOS software is running, you’ll be protected. However, the bad guys keep changing their tactics. What we can block today will move to another domain tomorrow. The best defense is awareness.

Be extra cautious of emails that don’t reference COVID-19 or coronavirus as well. Some malicious actors are taking advantage of the fact that you may be overwhelmed with emails and try to sneak in an older type of phishing attack, such as those based on OneDrive or other file sharing services.

Be cautious of social engineering email-based attacks as well. These are the kinds of messages that appear to be from someone you know – a colleague or a friend – asking for urgent help (e.g. your boss asks you to buy gift cards) or offering a chance to make money (like pet sitting). These types of messages don’t have any technical elements in them such as attachments or links. They are just words. Words that try to trick you into doing something to benefit the malicious actor. If it sounds too good to be true, it probably is not something you want to do.

Our security vendor, SOPHOS, provided some guidance that applies to your work for the College as well as your personal online activity.

Four quick tips:

  1. Don’t log in to company websites via emails or texts. If a company wants or needs you to log in to your account, you should already know how to access your account from the company’s own site or app. Even if it takes a few more clicks, it’s time well saved because you will automatically miss out on “logins” that could compromise your security.
  2. Don’t make payments via links in emails or texts. This is point one under a different guise. If you need to pay a company online, reach the payment page by following your own research, or using a link from a document you already have such as a contract or a recent bill. Don’t get begged, cajoled or frightened into taking exactly the “short cut” the crooks want.
  3. Don’t turn off security features because a document tells you to. Avoid opening unexpected or unsolicited email attachments if you can (and if you do, don’t click links in those documents – see #1 and #2). If a document asks you to [Enable content] when you open it, or make some other security downgrade, don’t do it – it’s a trick.
  4. Don’t trust apps because the app creator tells you to. App reviews, positive app comments and high download counts are cheap to buy if you have no scruples. Reputation must be earned – it can’t be bought or self-declared. When in doubt, ask someone you know and trust for advice.

Stay alert. Stay safe. Stay healthy.

IT Security and SOPHOS
