Weekly COVID-19 Security and Privacy Update

County of Los Angeles - Internal sent this bulletin at 05/13/2020 02:28 PM PDT

From the Office of the CIO

Here are this weeks tips to keep you and the County’s information digitally safe while you remain physically safe in your homes. Unfortunately, I cant provide any tips to keep you emotionally safe from the “cabin fever” that you are probably experiencing by now.

Disinformation:

I received an interesting report yesterday from the Department of Homeland Security (DHS) discussing the dramatic increase in disinformation related to COVID-19. I have attached a copy of this report if you wish to read the complete document. However the most interesting part that I though should be passed along to you are the recommendations to protect yourselves from this type of threat. DHS recommends the following:

Go to trusted sources of information like www. Coronavirus.gov. FEMA has also established a coronavirus rumor control website at www.FEMA.gov/coronavirus/rumor-control where you can learn more about specific disinformation campaigns.
Check the source of the information.
Search for other reliable sources of information on the issue.
Think before you link – take a moment to let your emotions cool down before sharing anything online.

Tips like this can be helpful not just for information related to COVID-19. Consider these recommendations when viewing any information obtained from online sources.

CISAInsights-COVID-19_Disinformation_Activity_MAY2020_Final_508.pdf

Top Scam of the Week:

With the unemployment rate the highest since the Great Depression millions are looking for ways to make ends meet. A new job scam is doing the rounds, preying on people that want to make $5,000 a month doing work from home. It sounds like a great deal, but this scam is run by criminals that will try to use their victims for money laundering. If you get an email claiming you can make this much money to make ends meet since you or a family member was laid off due to the coronavirus pandemic, use your delete key. In general, be very careful with any Internet "work from home" schemes, many of these are fraudulent. Do not give out any personal information to these criminals and warn your family members and friends.

We continue to receive warnings from the FBI, DOJ, and other federal and state resources reporting increases in attacks.

Again, a reminder of other attacks that have been seen:

Phishing scams promising stimulus checks – This week there seems to be an increase in reports of this type of scam.
Websites promising to provide free Coronavirus testing and vaccines
Headlines that when clicked distribute malicious software with the ability to bypass antivirus and other protective controls.
Extortion scams threatening to infect family members with Coronavirus if payment is not made to the threat actors.
Extortion scams requesting payment for stolen or encrypted files (aka. Ransomware) with a twist in which the scammer claims to possess damaging information obtained from the files about the victim that will be released if the extortion money is not paid.
Coronavirus-themed spam and phishing messages spreading malware, impersonating the “Centers for Disease Control & Prevention” or the “World Health Organization” (WHO).
Targeted e-mail addresses to deliver a Word document embedded with a script ultimately resulting a malware infection of the computer
Malicious coronavirus map hiding malware that steals information from your system(s) etc.
Here is a new addition to the list - Fake “free trial” scams offering free product or subscription to services. These scams advertise “no risk”, “cancel anytime”, and may use celebrity photos or videos to make it seem like they are promoting the product or service. This scam is intended to steal financial information.

Remember that the malicious among us will continue to devise new and creative ways to compromise our systems, steal our data and take advantage of your good natures.

If you would like to review an extensive list of COVID-19 scams, the Cybercrime Support Network has complied a very impressing one. This list can be seen here.

Watch out for Phishing:

Continuing to remind you about the dangers of “Phishing” and how to avoid them. Be sure to exercise caution when opening emails. Again, here are some tips that can help to recognize malicious emails:

Be very suspicious of emails from unfamiliar people or organizations.
Watch for a sense of urgency in the message. If the messages is demanding immediate action consider that it may be phishing.
Never respond to requests for personal information. Those asking for your name, phone number, social security number, credit card, login credentials, etc.
Spelling and/or grammatical errors are often indicators of phishing. Rarely do legitimate e-mail messages contain these types of mistakes.
Look at the email address If something looks suspicious, report it.
Hover over any embedded links or buttons. Examine the web address that appears. If it looks unrelated to the sender or the intended destination DO NOT CLICK ON IT. For example, a .ru destination is Russian, .jp is Japan, .br is Brazil, etc.).
Watch out for unexpected attachments. If you are not expecting an email with an attachment, check with the sender (if you actually know the sender).

Inform your family and friends of these indicators so that they can also be diligent in their email communications.

Where to Report Issues:

Any potential loss, theft, fraud, or compromise, whether suspected or confirmed, or loss of County equipment must be immediately reported to your supervisor and IT Security staff. Report such circumstances to:

Phish Alert Button (PAB): On County owned computers the PAB is used to report suspicious phishing emails. The PAB is available in the Outlook client, Outlook web browser, and Outlook mobile app.
Your department’s IT Security staff: Follow your departmental reporting protocol, generally the help desk.
Auditor/Controller's Fraud Hotline: website fraud.lacounty.gov, telephone 800-544-6861 or email fraud@auditor.lacounty.gov.
County’s Chief Information Security Officer: rjohnson@cio.lacounty.gov or 213-263-5660
County’s Chief Privacy Officer at privacy@ceo.lacounty.gov or 213-974-2164

If you suspect criminal activity against you or a family member you can report the circumstances to:

An FBI local field office. Field offices can be found at fbi.gov/contact-us/field.
FBI Cyber Watch at 855-292-3937 or cywatch@fbi.gov.
Cybercrime Support Network (CSN) at fraudsupport.org.
Internet Crime Complaint Center (IC3) at ic3.gov. IC3 reports are forwarded to the FBI, Secret Service and Homeland Security. However, the report form is complicated and difficult to complete. Reporting to CSN is easier to complete and forwards the submission to IC3.

“Change is hard for the unready.” – Cy Wakeman

Ralph Johnson, CISSP, CISM, HISP, CIPP/US

Chief Information Security Officer

County of Los Angeles