Summary
CISA is alerting the public to be cautious of potential cyber scams following hurricanes. After major natural disasters, fraudulent emails and social media messages—often containing harmful links or attachments—are common. It’s essential to exercise caution with any emails that mention hurricanes, especially those with attachments or hyperlinks. Be skeptical of social media appeals, texts, or door-to-door requests related to severe weather events. Scammers often take advantage of the vulnerability and charitable intentions that arise during such crises.
Resources for Protection
To avoid falling victim to malicious cyber activity, CISA recommends reviewing the following resources:
- Federal Trade Commission: Staying Alert to Disaster-related Scams and Before Giving to a Charity
- Consumer Financial Protection Bureau: Frauds and Scams
- CISA: Phishing Guidance
Recognizing Red Flags
- Official Communication: Government disaster assistance agencies DO NOT call or text requesting financial information. There are no fees associated with applying for disaster assistance from FEMA or the Small Business Administration. Any request for money from someone claiming to be a federal official is likely a scam.
- Caller ID Spoofing: Be aware that phone scams may use caller ID spoofing to hide their true identity. If you receive a suspicious call, hang up and contact the agency directly using the number on their official website. Never share personal information unless you’ve confirmed the caller’s identity.
- Door-to-Door Agents: Workers or agents from government agencies should carry official identification and show it upon request. They will not ask for or accept money.
Protecting Against Charity Scams
Consumers should be vigilant about scammers impersonating charities seeking donations for disaster relief. Here are some steps to safeguard yourself:
- Donate to Trusted Charities: Stick to well-known charities and verify their legitimacy via their official websites. Resources like the Better Business Bureau’s Wise Giving Alliance, Charity Navigator, Charity Watch, and GuideStar can help.
- Verify Charity Contact Information: Always check the official website for legitimate phone numbers before calling or texting to donate.
- Avoid Suspicious Emails: Don’t open emails requesting donations unless you can verify the sender. Scammers often use email for phishing and malware distribution.
- Fact-Check Social Media Posts: Before donating based on social media solicitations, verify the information. Crowd-funding sites may host unvetted requests.
To report suspected fraud, call the FEMA Disaster Fraud Hotline at 1-866-720-5721. For other fraudulent activities during natural disasters, contact FEMA or report scams to the FCC or FTC.
DefenseStorm Recommendations
The DefenseStorm team will continue monitoring for developments regarding this threat and has updated our ThreatMatch feed with relevant indicators of compromise (IOCs). Research into newly discovered or recurring malware and ransomware is ongoing. To enhance security, we recommend the following practices:
- Conduct regular internal training on phishing awareness.
- Block identified threats using appropriate controls.
- Keep systems and software updated with the latest patches.
- Maintain a robust password policy and enable multi-factor authentication.
- Regularly back up data and securely store backup copies offline.
- Implement a comprehensive recovery plan for sensitive data and servers.
- Use app hardening techniques and restrict administrative access.