Fraudulent COVID-19 emails specifically target Canadians, security firm says
Cybercriminals ‘prosper and grow in chaos’
By David Paddon
TORONTO — Cybersecurity experts are renewing their warnings that the COVID-19 crisis is a huge opportunity for criminals to take advantage of confusion as people are forced to work away from the office.
A U.S. security firm says at least two shadowy criminal groups are specifically targeting Canada with faked emails that pretend to provide updated information about the novel coronavirus.
One example collected by California-based Proofpoint pretends to be from the Public Health Agency of Canada but it refers to a real official from another organization and has a fake email address.
Proofpoint executive vice-president Ryan Kalember says the criminal groups, which he calls threat actors, know people have a lot to think about right now and may have their guard down.
“And people click on things,” Kalember says. “Everyone is looking for information and updates … to be communicated from the executives of their own company.”
Although the Canadian example provided by Proofpoint is fairly clumsy and easy to detect, there have been well-crafted emails that seem to be a company president’s message to all staff.
Remote employees vulnerable
David Masson, Ottawa-based director of threat intelligence for Darktrace, says employees are more vulnerable to cyber tricks “when they’re out and about” and not inside their headquarters.
“Right now we’re seeing an explosion of hundreds of thousands, if not millions, of people suddenly working from home for the first time,” Masson says.
“That’s an issue because it’s easier for them to be exploited.”
A spokesman for eSentire — an Ontario-based private company that manages threat detection and response for organizations in several countries — says criminals “can prosper and grow in chaos.”
The criminals know some organizations weren’t prepared for the impact of COVID-19 and are now playing emergency catch-up, says eSentire vice-president Mark Sangster.
“And those are the times to strike,” Sangster adds.
His advice for employees: don’t share information gathered from friends, social media or suspicious email with attachments because that could spread malevolent software through the organization.
“You’re controlling the potential for misinformation because that’s where people end up clicking on fake links or opening fake documents,” Sangster says.
Constant reminders urged
As for organizations, he says they need to provide daily or weekly updates as necessary.
“So employees feel comfortable and there is no confusion around what they must or must not do.”
Sangster also warns that an organization’s overall security protection is weaker if some devices are consumer-grade equipment, such as a router provided by an employee’s internet service provider.
“It’s a good device. But it’s certainly not hardened to the level of commercial, enterprise-type equipment,” Sangster says.
He advises companies to use some kind of secure connection back to their head offices — a virtual private network (VPN).
“That technology effectively encrypts the communications back and forth, so that whoever’s snooping or tries to capture information can’t see it, doesn’t know what it is,” Sangster says.
As for the types of anti-virus software used by most consumers, Sangster says they’re necessary but won’t stop the types of emails that tempt people to click on fraudulent documents or links.
“And unfortunately,” Sangster says, “the kind of tools and technologies that typically are going to do that are that are ones that are going to reside in the corporate head office.”