The following information is from the US Department of Homeland Security (US DHS) Cybersecurity and Infrastructure Security Agency (CISA).
CISA warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19).
Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes.
Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages individuals to remain vigilant and take the following precautions.
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
If you are working from home during the COVID-19 response, please note the following security recommendations:
- Employees who are using their own personal electronic devices should ensure that their use is in full compliance with their organization’s security policy, as well as their work rules, technical standards and mobile/personal device technical standards and policies.
- Do not download or save sensitive or confidential data to a personal device. If you inadvertently do save or download such data to your personal device, you should take immediate steps to permanently remove the data from your device by deleting it from the location where you have it stored, and then deleting it from your recycle or trash bin.
- Ensure that you have a strong password to protect access to your personal device and that that password is not shared with others, including friends and family. Do not reuse your personal passwords for work purposes. Use complex passwords and change them in accordance with your agencies' policy.
- Do not accept "remember my password" prompts. Securely log in each time you utilize remote access.
- Explicitly log out of all browser and virtual desktop sessions when not actively in-use, do not just 'X' out of the active window. If you do not log out, others with physical access to your device could gain unauthorized access to your organization's data.
- To the extent possible, ensure that your personal device is fully patched with the latest security patches.
- To the extent possible, ensure your personal device is using a current and up-to-date anti-virus/threat solution, a personal firewall, and a malicious content blocker for your web browser. Microsoft Windows devices come with Windows Defender which provides these things.
- When traveling with your portable device, ensure that you keep it in your physical possession at all times.
- When utilizing Wi-Fi, ensure you only connect to known and secured networks. If use of public wi-fi becomes a necessity for connectivity, ensure that you explicitly ask the hosting organization (e.g., library, coffee shop) for the correct network to join. Be mindful of shoulder surfing and do not leave printed documents on public printers where they can be seen by unauthorized individuals.
- If your remote access device has been lost or stolen, you should immediately contact your supervisor and your organization’s information security officer or designated information security representative.
Additional information is available from:
- SANS Security Awareness - Top 5 Steps to Securely Working from Home
- National Institute of Standards and Technology - Navigating the Conference Call Security Highway
- National Cyber Security Alliance/Stay Safe Online - Security Tips for Remote Workers
- Cyber Readiness Institute - Securing a Remote Workforce
- FBI Public Service Announcement: Telework Vulnerabilities
View all active warnings:
- FBI Public Service Announcement: Telework from Hotels Risk
- Fake Online Coronavirus Map
- Enterprise VPN Security
- NSA Compromised Personal Network Indicators and Mitigations
- FBI Public Service Announcement: Fraud Schemes
- FTC Consumer Information
- FBI Public Service Announcement: Exploits of Virtual Environments
- FBI Public Service Announcement: Online Extortion Scams
- COVID-19 Disinformation Activity
- COVID-19 TLP:White Private Industry Notification
- Fake Termination Private Industry Notification
- Scams Related to Economic Payments
- Postcard Disguised as Official OCR Communication
- Spoofing COVID-19 Loan Relief Webpage via Phishing Emails