Recently the F5 IT organization sent an internal alert from our Chief Information Security Officer, Mary Gardner, on how to avoid getting suckered by fraud while working from home or simply while being distracted by current events. Especially during fast-moving and uncertain events, crooks are counting on the distractions. They are taking advantage of it to sneak in a scam. Whether leveraging increased volume of online shopping, increased usage of online education and 'meeting' software, or the increased need for pandemic information and critical infrastructure - the bad actors may be seeing results. Already we have seen scams related to scheduling vaccines, hospital systems locked with ransomware, and a DDoS attack on the U.S. Dept. of Health and Human Services.
With Mary's permission, we adapted her memo and are providing it here as a reminder about the increased number of organized online fraud schemes as a result of COVID-19. Be vigilant, stay safe, and if you would like to learn more about phishing attacks, check out the F5 Labs 2019 Phishing and Fraud Report.
From Mary Gardner, F5 CISO, March 2020
This message is to provide information about the increased amount of organized online fraud schemes as a result of COVID-19. While most organizations have systems in place to detect and quarantine such email scams, your vigilance will make them even more effective. However, these systems can never be 100% perfect, and you may encounter cybercrime scams through other channels, such as your personal email accounts.
Check the sender's email address.
Click on the sender’s address and verify it is from a trusted source.
Think twice before clicking on links or downloading attachments.
Be wary of opening email attachments and/or clicking on email links or links in text messages from unfamiliar sources.
Make sure to check the domains that are linked to, in order to verify they are trustworthy and familiar domains.
Make sure to avoid using or clicking on shortened URLs, such as from services like Bit.ly, since these obscure the true destination website.
If you clicked on a link or downloaded an attachment, do not supply any information on the website and of opening.
Do not click on links within suspicious emails or text messages.
If you receive an email or text message that asks you to log in to an online account via a link provided, instead of clicking on the link, open a browser and go directly to the company’s website yourself.
View trusted sources/web sites.
Watch out for malicious or compromised websites. The initial part (domain) of a website address should represent the company that owns the site you are visiting.
Check the domain for misspellings.
For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). (If Example.com is spelled examp1e.com, the site you are visiting is suspect.)
Sites which aggressively open popups and display misleading buttons often trick users into accepting content through constant popups or mislabeled buttons.
Keep your software up to date.
Download the latest version of your web browsers and applications.
This applies to home machines as well. Keeping your home computer OS and third-party apps up to date is an important step in keeping your computer safe.
Protect your personal information.
When you must provide personal information – whether in a web form, an email, a text, or a phone message – think about why someone needs it and whether you can really trust the request.
From the web, stick to sites that use encryption to protect your information.
Look for https at the beginning of the trusted web address.
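The domain-misspelling check described above (a zero in place of O, a one in place of L or I) can be automated for a list of links. The following is an added example, not part of the original memo; the trusted-domain list and the sample links are constructed, and the function names are hypothetical. It covers only the digit swaps the memo names, and "trusted" here means the domain name matches, nothing more.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): domains the reader already trusts.
TRUSTED_DOMAINS = ("example.com", "f5.com")

# Fold the swaps named in the memo into one form: O/0 -> "0", L/I/1 -> "1".
_FOLD = str.maketrans({"o": "0", "l": "1", "i": "1"})


def skeleton(domain: str) -> str:
    """Return the domain with look-alike characters folded together."""
    return domain.lower().translate(_FOLD)


def hostname_of(link: str) -> str:
    """Extract the host from a link, tolerating a missing scheme."""
    if "://" not in link:
        link = "//" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def classify(link: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a link."""
    labels = hostname_of(link).split(".")
    # The rightmost labels decide who owns the site, so compare only those.
    tails = {d: ".".join(labels[-(d.count(".") + 1):]) for d in trusted}
    if any(tail == d for d, tail in tails.items()):
        return "trusted"
    for d, tail in tails.items():
        if skeleton(tail) == skeleton(d):
            return f"lookalike of {d}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in (
        "https://www.example.com/login",
        "http://examp1e.com/login",
        "f5.c0m/reset",
        "https://example.com.account-check.net/",
    ):
        print(f"{link:45} {classify(link)}")
```

A trusted name that appears only at the start of a longer hostname, as in the last sample link, is reported as unknown because the rightmost labels belong to a different domain.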