Cyberattacks, Foreign Disinformation Campaigns Leverage Coronavirus Theme

AAFCPAs would like to remind clients that cyber criminals and other bad actors are often poised to capitalize on a crisis. In this case, cyber criminals and foreign governments are using the Coronavirus (COVID-19) pandemic as a theme to lure individuals into making harmful clicks or actions.

AAFCPAs reminds clients and their employees to be particularly wary of topics like:

  • Check Updated Coronavirus Map
  • Coronavirus Infection Warning
  • CDC or World Health Organization emails or Social Media Coronavirus Messaging
  • Keep Your Children Safe from Coronavirus
  • Donate Now to Help Coronavirus Victims

Best Practices for Reducing IT & Cyber Risks - eBook

What can you do?

AAFCPAs advises clients to take a disciplined approach to cyber-security in order to better guard against and minimize your organization’s risk of becoming a victim.  This disciplined approach includes:

  • Conducting regular security awareness training of employees—including alerting them to risks related to Covid-19. Your best line of defense in protecting your organization against social engineering attacks is employee awareness.
  • Maintaining vigilance when reading emails or accessing links. Hover over links and see where they point. Look at the sender’s email address and pay attention to details like replaced letters/numbers, for example: may appear as If the email comes from an organization like a bank and asks you to log-in and check your account status, use links that you have used before instead of clicking on what is provided in the email. If the email comes from a colleague or friend and asks you to wire money for example, call that person and verify.
  • Adhering strictly to internal control processes & procedures. Emails that appear urgent in nature and request that the recipient bypass the regular processes in the interest of time and requestor’s level of authority should always be a red flag.
  • Ensuring systems are updated with the latest patches. This includes operating system, VPN, software and hardware (drivers etc.).
  • Considering what information you are accessing and printing from home, and how you are disposing of it, especially as it relates to Personal Identifiable Information (PII), client records, proprietary information, and other sensitive data. Ensure adherence to privacy and confidentiality laws and policies, as well as those documented in your organization’s Written Information Security Program (WISP).

Additionally, individuals are urged to check the source of information received and to confirm the accuracy with at least one additional reputable source. Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.

How may AAFCPAs help?

AAFCPAs conducts Cyber Security & Technology Risks Assessments to help clients identify risks from the use of technology that could potentially cause information loss or financial or reputational harm to an organization. These assessments may include:

  • A proactive assessment of risks associated with social engineering attacks, including simulated phishing, spear phishing, and whaling expeditions by AAFCPAs’ “White Hat” Certified Ethical Hacker (CEH)
  • An assessment of IT General Controls (ITGCs), including programs, data, change management, and computer operations
  • An assessment of IT Vulnerabilities and Penetration Testing
  • Assessments of Firewall, Wireless, and VPN Configurations

If you have questions or concerns at this time related to your organization’s IT & Cyber Security, or if you have been a victim of a breach, please contact James Jumes, MBA, M.Ed., leader of AAFCPAs’ Business & IT Consulting practice at: 774.512.4062,; Vassilis Kontoglis at 774.512.4069,; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting.  James developed a unique methodology to delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams to review SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Vassilis is a leader in AAFCPAs’ Business Process & IT Consulting Practice. He has 20+ years’ proven experience providing business intelligence, productivity, information risk management, and cybersecurity solutions. He is a critical resource in keeping clients and the firm on the forefront of transformative technologies while mitigating risks that come along with these advancements. Vassilis leads the delivery of Robotic Process Automation solutions at AAFCPAs. He understands the unique requirements to achieve RPA success, including proper design, planning, implementation, and governance. He works collaboratively with clients and cross-functional teams, and leverages his deep understanding of enterprise information systems, business logic, and structured inputs to automate rote processes and increase operational efficiency. Vassilis is also the leader of AAFCPAs’ automation center of excellence (CoE), an internal team that streamlines automation output, provides structure, and helps scale automation through the firm.