With COVID-19 taking hold of our country, there are a lot of unknowns that can bring fear and uneasy feelings to our daily lives. Unfortunately, with that vulnerability comes people who prey on these circumstances for their personal gain.
With that in mind, all businesses should be particularly careful of potential phishing attacks and business email compromises (BEC). Though these schemes have been around for a while, they may take on different forms as the landscape of our country changes. As many businesses move to work from home, these fraud attempts may be more likely. To help keep you, your company, and employees safe, we at Gusto would like to provide some education that can help you prepare against digital security threats.
Lately we’ve noticed a trend of emails sent by malicious actors pretending to be nonprofit organizations or government agencies asking for assistance during the outbreak, or offering coronavirus testing. These tactics allow them to play on emotions or act from a position of power to compel people to help. To better determine whether an email is from a legitimate source, look for the following things:
- Double check email domains: Make sure the emails are coming from the correct domain. Example: emails from the Center for Disease Control (CDC) should have “@CDC[.]gov” instead of “@CDC[.]org” or “@CDC[.]com”.
- Requests for monetary transfers: If you receive an email from any charity, government agency, or unsolicited person/source asking to send money via MoneyGram, Western Union, or gift card, don’t!
- Testing kit scams: If you receive an email or phone call about getting a coronavirus testing kit, Google around to see how your state is conducting testing and do not open the door for anyone claiming to be from the CDC, or any company/agency, offering testing.
- SBA (Small Business Association): With the new Coronavirus Aid, Relief, and Economic Security Act (CARES), many fraudsters are now honing in on ways they can perpetrate fraud on small businesses in need. SBA does not proactively reach out on 7a, disaster loans, and grants. If you have applied for a loan, be careful about providing personal identifying information (PII), ensure the application number matches what you have recorded, and confirm that the sender's email address does in fact end in SBA.gov. It is always best practice to call to verify. You can reach SBA disaster loans by calling 800-659-2955 or by sending an email to email@example.com. For SBA lending products, call 800-827-5722 or send an email to firstname.lastname@example.org. Check out the SBA website for more details.
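The domain check from the list above can be automated for a mailbox or a reporting tool. This is an added example, not code from Gusto: the trusted list contains only the two government domains named in the article, the function name is hypothetical, and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Assumption: the two government domains named in the article.
TRUSTED_DOMAINS = {"cdc.gov", "sba.gov"}
TRUSTED_NAMES = {d.split(".")[0] for d in TRUSTED_DOMAINS}  # {"cdc", "sba"}


def classify_sender(from_header):
    """Classify a From header as 'trusted', 'lookalike' or 'unknown'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unknown"
    # The exact domain, or a subdomain of it (mail.sba.gov), is accepted.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # The organisation's name under another TLD (cdc.org), or buried in an
    # unrelated domain (cdc.gov.mail.example), is a lookalike.
    if TRUSTED_NAMES & set(domain.split(".")):
        return "lookalike"
    # A display name that claims the organisation while the address does not.
    if TRUSTED_NAMES & set(re.findall(r"[a-z0-9]+", display.lower())):
        return "lookalike"
    return "unknown"


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "CDC <alerts@cdc.gov>",
    "CDC <alerts@cdc.org>",
    "help@cdc.gov.mail.example",
    '"SBA Disaster Loans" <loans@relief.example>',
    "newsletter@shop.example",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9}  {header}")
```

A "trusted" result only describes the visible address, which a sender can forge; the phone verification recommended above still applies to any request for money or personal information.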
How to empower your teams to stay vigilant
Additionally, here are more tips on what to look out for or what to do:
- Requests for personal details: Be wary of emails, calls, and texts using the phrase “COVID” that also ask for personal details, such as social security number, bank account information, or passwords.
- Unusual or unexpected senders: Be on alert for emails using the phrase “COVID” from untrusted or unsolicited sources, and all emails from an untrusted or unsolicited source that may ask you to download an attachment or a program. Unless it is from a trusted source, you should never download these items. Bad actors may use the heightened anxiety around COVID to induce you into unsafe download behaviors that you would not otherwise engage in!
- Calls for urgent action: Be suspicious of any communication (email, phone call, etc.) that is emotion-based (urgency, desperation, anger, etc.). These are often phishing attempts to get you to click on a link and share sensitive information.
- Unexpected communication methods: For work-specific emails, use a second channel to confirm suspicious requests. For example, if chat communication is the norm but you receive an email, this can be a cause for suspicion.
- Know who the helpers are: Know who to contact in your company if you find a phishing email or something suspicious. Use your resources to help you through this!
- Mind your personal technology security: Don’t leave your computer or phone unattended if you’re in a public area and always lock your computer when you leave it, even at home.
- Confirm personal information requests: If an employee asks over email for personal information like W2s, or asks to change personal details on their account at Gusto, be suspicious and talk with the person via phone to verify, even if the email states they can’t be reached by phone because, for example, they are in the hospital or out of the country.
- Governmental communications: In addition to the specifics regarding the SBA noted above, if you receive emails from tax agencies and other government entities asking about your business or offering to provide support during COVID, verify the sender with a Google search or by contacting the agency directly at a known phone number and confirming the legitimacy of the email.
- Enable two-factor authentication to send SMS codes. Receiving an SMS notification on your phone is an easy way to get notified if someone else is logging into your account without your knowledge. To set it up with Gusto, see the step-by-step guide here!
- Check with us! If you receive an email from Gusto that you are unsure about, just give us a call to verify!
What if I’m a victim?
If you feel you are a victim of these schemes, you can still take action to possibly prevent or minimize loss:
- Change your password for your email account as well as your other accounts immediately.
- Enable two-factor authentication on both your email and other accounts.
- Notify others that may be impacted by such compromise.
- Contact Gusto if you feel that your account with us has been compromised, or you have other concerns, by emailing email@example.com, firstname.lastname@example.org, or email@example.com.
We know there’s a lot of uncertainty in the world right now and we want to reiterate that Gusto is here to support you however we can. Don’t hesitate to reach out to us to let us know what we can do to help ease any concerns or offer assistance.