PCI SSC shares guidance on protecting against COVID-19 scams and threats.
What kind of threats are lurking online related to the COVID-19 crisis?
During this time of uncertainty and increased online activity, cyber criminals are actively working to exploit the current COVID-19 story with attacks aimed at taking advantage of the situation. It is important now more than ever to be aware of online scams and threats as they are increasing in volume and sophistication.
During a time when the public is encouraged to stay informed about this unfolding public health issue, cyber criminals are working hard to trick people into falling for common cyber-attacks. According to the U.S. Secret Service, one of the most common online attacks during this time is phishing/social engineering. Cyber criminals are exploiting the Coronavirus through the wide distribution of mass emails posing as legitimate medical or health organizations with important information about Coronavirus.
Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as credit card numbers, social security numbers, account numbers or passwords.
These attacks have been around for a while, are at the heart of many of today’s most serious cyber attacks, and can put your business and your customers at risk. It is important to have your guard up when opening emails and engaging in social media. As more and more people work remotely due to the COVID-19 situation, everyone needs to be aware of how to best protect against phishing and social engineering attacks.
See the Secret Service COVID-19 (Coronavirus) Phishing Alert press release for further details.
So how can people defend against phishing/social engineering attacks?
Phishing/social engineering attacks have been around for years. There are many ways to defend against this type of attack, including:
Reduce unwanted email traffic:
- Install and maintain basic security protections, including firewalls, anti-malware software and email filters that, for example, block known malicious IP addresses or domains.
Train employees and users on email and browser security best practices, including these key tips:
- Resist the urge to click links in a suspicious email; visit websites directly.
- Be cautious of email attachments from unknown sources. Many viruses can also fake the sender address, so even if a message looks like it’s from someone you know, be wary about opening any attachments.
- Only install approved applications.
- Be sure you’re at the right website when downloading software or upgrades. Even when using a trusted site, double check the URL before downloading to make sure you haven’t been directed to a different site.
- Recognize the signs that your computer has been compromised and contact IT.
- Use basic security tools that block malicious intruders and alert you to suspicious activity, including firewalls, anti-virus software, and malware and spyware detection software.
- Regularly check that web browsers and security software have the latest security patches and updates.
Separate Personal-Use Devices from Work Devices:
- Keep computers used for social media sites, email and general internet browsing separate from computers used for processing financial transactions.
Practice good password hygiene:
- Change the passwords on computers and point-of-sale systems (including operating systems, security software, payment software, servers, modems, and routers) from the default ones the product came with to something personal to you but difficult to guess, such as a combination of upper case letters, numbers and special characters, or a passphrase.
- Update system passwords regularly, and especially after outside contractors do hardware, software or point-of-sale system installations or upgrades.
- Educate employees and users on choosing strong passwords and changing them frequently.
Use two-factor authentication:
- Many of these attacks rely on obtaining a password one way or another. Requiring a second form of identification, such as a security token, makes it much harder for an attacker who has a stolen password to get into the account.
Where can I get more information about COVID-19 scam alerts and on how to protect against phishing/social engineering attacks?
Please check out these resources to stay up to date on these increasing threats and on guidance for protecting against them:
PCI SSC Resources to help you:
- Resource Guide: Defending Against Phishing Attacks
- Infographic: Protecting your Payment Data from Malware
- Additional Phishing Resources