Dear Faculty and Staff,

IT Services is seeing an advanced persistent threat and increase in phishing and social engineering scams due to the coronavirus (COVID-19) global pandemic. Cybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.

IT services advises the College community to remain vigilant for scams related to COVID-19. Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Please exercise caution in handling any email with a coronavirus or COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to coronavirus or COVID-19.

Summary of Attacks

Cybercriminals will often masquerade as trusted entities, and their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities. Malicious cyber actors rely on basic social engineering methods to entice College Community users to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade users to:

• Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.
• Open a file (such as an email attachment) that contains malware.

Unique Characteristics of Malicious E-mails

Cybercriminals will often use one of the following traits in malicious emails.

• Authority – Is the sender claiming to be from someone official (e.g., Office of President, HR Office, Office of Dean, Office Of Provost, , your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
• Urgency – Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten with fines or other negative consequences.
• Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
• Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.

Phishing

IT Services has observed, a large volume of phishing campaigns that use the social engineering techniques described above. Examples of phishing email subject lines include:

• Subject lines containing COVID-19-related phrases such as “Coronavirus Update” or “2019-nCov: Coronavirus outbreak in your city (Emergency)”
• “President discusses budget savings due to coronavirus with Cabinet.rtf.”
• 2020 Coronavirus Updates,
• Coronavirus Updates,
• 2019-nCov: New confirmed cases in your City
• 2019-nCov: Coronavirus outbreak in your city (Emergency).

These emails contain a call to action, encouraging users to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.

SMS Phishing

Most phishing attempts come by email but IT Services has received reports that there are increasing attempts to carry out phishing by other means, including text messages (SMS). See example of SMS Phishing message asking the user to donate money.

Phone Scams

Due to COVID-19 Phone Call Scams have increased drastically over the past few months. In some scams, the scammer will act friendly and helpful. In others, they might threaten or try to scare you. One thing you can count on is that a phone scammer will try to get money or your personal information to commit identity theft. Please be aware and never disclose personal or financial information. For more information on Phone Scams please see FTC.gov website, click here.

A few tips from the FTC website

• There is no prize: The caller might say you were “selected” for an offer or that you’ve won a lottery. But if you have to pay to get the prize, it's not a prize.
• You won’t be arrested: Scammers might pretend to be law enforcement or a federal agency. They might say you’ll be arrested, fined, or deported if you don’t pay taxes or some other debt right away. The goal is to scare you into paying. But real law enforcement and federal agencies won’t call and threaten you.
• You don’t need to decide now: Most legitimate businesses will give you time to think their offer over and get written information about it before asking you to commit. Take your time. Don’t get pressured into making a decision on the spot.
• There’s never a good reason to send cash or pay with a gift card: Scammers will often ask you to pay in a way that makes it hard for you to get your money back — by wiring money, putting money on a gift card, prepaid card or cash reload card, or using a money transfer app. Anyone who asks you to pay that way is a scammer.
• Government agencies aren’t calling to confirm your sensitive information: It’s never a good idea to give out sensitive information like your Social Security number to someone who calls you unexpectedly, even if they say they’re with the Social Security Administration or IRS.

How to Stop Phone Calls from Scammers

• Don’t trust your caller ID: Scammers can make any name or phone number show up on your caller ID. That’s called spoofing. So even if it looks like it’s a Mercy College phone#, government agency like the Social Security Administration calling, or like the call is from a local number, it could be a scammer calling from anywhere in the world.
• If you answer the phone: In-case you answer the phone, and it’s a scammer trying to scare you, please hang up the phone immediately. The longer you stay on the phone, the scammer will try to obtain personal or financial information from you.
• Hang up: Even if it’s not a scammer calling, if a company is calling you illegally, it’s not a company you want to do business with. When you get a robocall, don't press any numbers. Instead of letting you speak to a live operator or remove you from their call list, it might lead to more robocalls.

Defending Against Coronavirus (COVID-19) Cyber Scams

Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. College community users should remain vigilant

IT Services encourages the community to take the following precautions:

• Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
• Use trusted sources — such as legitimate, government websites — for up-to-date, fact-based information about coronavirus. See www.mercy.edu/coronavirus for a list of trusted sites.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
• Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.

Please note: All incoming emails to Mercy College email accounts from external parties will have a pre-fix in the subject of the message and a disclaimer in the body of the message. This text will only appear if the email is coming from an external email system. 

IMPORTANT NOTE: If you see this disclaimer text in the subject and body of an email you receive, please exercise caution when clicking on any links or opening attachments. You should never provide sensitive or confidential information such as usernames and password when responding to such emails. 

If you have any questions, please contact the Mercy College Help Desk at 914.674.7256 or helpdesk@mercy.edu.

Thank you,

Mercy College IT Helpdesk

helpdesk@mercy.edu

914-674-7526

Protect your ID, and never provide your username and password in response to an Email telling you that they are needed.  IT Services would never send a request for this information via Email.  Official IT announcements will have the Mercy College logo at the top.