The FBI is warning that cyber criminals are targeting teleworking employees with fraudulent termination phishing emails and video teleconferencing (VTC) meeting invites, citing COVID-19 as the reason.
The emails try to lure victims into clicking on malicious links by offering to provide more information or online conferences regarding termination or severance packages. The FBI requests companies to alert their employees to look for emails coming from Human Resources or management with spoofed email domains.
Messages sent to recipients have included attention-grabbing subject lines such as, "Termination Review Meeting." The emails cite the current COVID-19 pandemic as the reason for downsizing, give instructions describing how to process out from the company, and direct the employees to click a potentially malicious "hotlink" to receive termination benefits.
In another instance, FBI investigation determined attackers sent meeting notifications asking recipients to join a VTC meeting regarding their purported terminations. The emails contained links to a fake VTC service login page; and used hyperlinked text such as "Join this Live Meeting" to appear as a legitimate automated meeting notification. Recipients who fall victim to this attack have login credentials as well as any other information stored on the VTC platform compromised.
Indicators:
- Calls from employees who mistakenly believe themselves to be terminated.
- Employees reporting malware or ransomware infections.
- Employees reporting suspicious activity on legitimate accounts such as video conferencing accounts.
- Emergence of fake VTC applications installed on users' smartphones, tablets, or computers.
Recommendations:
- Alert employees to look for emails coming from Human Resources or management with spoofed email domains
- Select trusted and reputable telework software vendors; conduct additional due diligence when selecting foreign-sourced vendors.
- Require use of password or PIN for any teleconference or web meetings.
- Beware of social engineering tactics aimed at revealing sensitive information. Use tools that block suspected phishing emails or that allow users to report and quarantine them.
- Beware of advertisements or emails purporting to be from telework software vendors.
- Always verify the web address of legitimate websites or manually type them into the browser.
- Do not share links to remote meetings, conference calls, or virtual classrooms on open websites or open social media profiles.
- Avoid opening attachments or clicking on links within emails from senders you don't recognize.
- Only enable remote desktop access functions like Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC) when absolutely necessary.
Information concerning suspicious or criminal activity can be reported to your local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by email at CyWatch@fbi.gov.