On April 21, 2020, the American Hospital Association alerted its members that the Federal Bureau of Investigations (FBI) had issued an FBI Flash to update healthcare providers on additional cyber activity* that continues to exploit fears related to the COVID-19 pandemic. The FBI stated that it had been notified of targeted email phishing attempts against US-based medical providers. The phishing attempts use subject lines and content related to COVID-19 and distribute malicious attachments. Individuals or companies receiving email with unsolicited attachments that may be a phishing attempt should NOT open the email or email attachment if the individual or the company does not have the capability to examine the attachment in a controlled and safe manner.

FBI Alert provides technical details. The FBI Flash provides technical details about the phishing campaign to assist individuals and company IT personnel in identifying the malicious emails. The technical details include a list of email senders, email subject lines, attachment file names and hashes related to the phishing attempts.

The FBI Requests Assistance to Respond to the Threat. To assist in the FBI’s response to the COVID-19 phishing campaign, the targeted individual, or his or her company, is being asked to:

• Provide the FBI with a copy of the suspicious email with the full email header and a copy of any attachments;
• Retain any logs, image(s) of infected device(s) and memory capture of all affected equipment. If you do not know how to capture this information, keep the infected device(s) powered up but disconnected from the network so that the information can be captured later by a forensic expert;
• Record the date, time, location, type of suspicious activity, number of individuals affected at your company and the type of equipment involved in the suspected phishing activity.

The FBI Recommends taking the following actions in response to a suspected malicious email

• Be wary of unsolicited attachments as cyber actors can “spoof” an email address to make it look like it’s from a trusted source.
• Keep software updated by installing patches so attackers can’t take advantage of known vulnerabilities.
• Do not open suspicious email or email attachments even if your antivirus software indicates the message is okay. Attackers are constantly releasing new viruses not registered by antivirus software.
• Save and scan any attachments before opening them.
• Turn off the option to automatically download attachments!
• Consider whether to create a separate email account with restricted privileges to read email.
• Determine whether your email software or a firewall offers additional security filters that you can utilize.

Report concerns about suspicous or criminal activity to your local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Call or email CyWatch at (855) 292-3937 or CyWatch@fbi.gov. To find a local FBI field office, go to www.fbi.gov/contact-us/field.

*On April 8, 2020, the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) issued Alert (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors. We encourage readers to review the technical information (which includes screen shots of text messages, emails and fake websites) and extensive mitigation and phishing guidance for individuals, organizations and cyber security professionals.

For information about Wyatt’s Data Privacy & Security Incident Response Team, see the tab on this blog to the Data Incident Response Team and our Data Privacy & Incident Response Team brochure.  For additional guidance on responding to a cyber security incident within the first 24-48 hours afterward, see our Six Tips, which can also be found on the blog’s Data Incident Response Team tab.