Warning of Potential Hurricane Harvey Phishing Scams

August 29, 2017 Marketing GrafWebCUSO

US-CERT warned users to remain vigilant for malicious cyber activity centered on Hurricane Harvey and to exercise caution with any storm-related emails, attachments, or hyperlinks, even those appearing to originate from trusted sources.

Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. “Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters,” said the alert from the Department of Homeland Security through the United States Computer Emergency Readiness Team.

US-CERT encouraged users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the US-CERT Tip Using Caution with Email Attachments for more information on safely handling email attachments.
  • Keep antivirus and other computer software up-to-date.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Review the Federal Trade Commission information on Charity Scams.
  • Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index.

Asaf Cidon, spear phishing behavior expert and Vice President, Content Security Services at Barracuda, said, “As this example shows, attackers go to great lengths to find any opportunity to launch a phishing campaign. By tapping into human emotion, especially around something like Hurricane Harvey, they are more often able to catch someone off guard. It’s critical for consumers and companies alike to identify potential threats, as the US-CERT points out. Still, as the advisory states, it’s wise to double check before clicking on any link or attachment when it comes to a request from an undisclosed or unfamiliar source, especially when there is monetary investment involved.”

US-CERT putting out an alert about Hurricane Harvey phishing schemes is 100% the right action, according to Stu Sjouwerman, CEO of KnowBe4. “Users need to know that bad guys don’t have a conscience when it comes to disasters; exploiting Hurricane Harvey would be one in a line of many disaster-related phishing schemes that prey on well-intentioned users. The best thing for people to do is to know that threats are real and to expect them. If you want to donate money, do so only through reputable organizations like The Salvation Army or the American Red Cross and go directly to their website – not through an email link to their site.”

Sjouwerman also suggested it’s unfortunately an opportunity to use a topical issue to reinforce security awareness training with an organization’s user base. “Businesses that take security awareness seriously should consider sending simulated phishing tests to their users to highlight just how timely and callous these schemes are and to train their own human firewall against them.”

Mike Wyatt, threat researcher at digital threat management firm RiskIQ, stated, “Cybercriminals very often leverage natural disasters, major news topics, holidays, events, and other important dates in their threat campaigns. It’s a sad truth, but getting people to click on their links requires social engineering, and leveraging these events is a reliable tactic for them. Savvy threat actors will use convincing branding, language, and URLs to make phishing attempts more realistic and more difficult for users to quickly determine the email’s authenticity.”

Before clicking on links related to hurricane relief, Wyatt suggested asking: Who owns the site? Are they reputable? How long has it been around? Did I ask to be sent here?