Print Friendly, PDF & Email

Cyberattacks, Foreign Disinformation Campaigns Leverage Coronavirus Theme

AAFCPAs would like to remind clients that cyber criminals and other bad actors are often poised to capitalize on a crisis. In this case, cyber criminals and foreign governments are using the Coronavirus (COVID-19) pandemic as a theme to lure individuals into making harmful clicks or actions.

AAFCPAs reminds clients and their employees to be particularly wary of topics like:

  • Check Updated Coronavirus Map
  • Coronavirus Infection Warning
  • CDC or World Health Organization emails or Social Media Coronavirus Messaging
  • Keep Your Children Safe from Coronavirus
  • Donate Now to Help Coronavirus Victims

What can you do?

AAFCPAs advises clients to take a disciplined approach to cyber-security in order to better guard against and minimize your organization’s risk of becoming a victim.  This disciplined approach includes:

  • Conducting regular security awareness training of employees—including alerting them to risks related to Covid-19. Your best line of defense in protecting your organization against social engineering attacks is employee awareness.
  • Maintaining vigilance when reading emails or accessing links. Hover over links and see where they point. Look at the sender’s email address and pay attention to details like replaced letters/numbers, for example: may appear as If the email comes from an organization like a bank and asks you to log-in and check your account status, use links that you have used before instead of clicking on what is provided in the email. If the email comes from a colleague or friend and asks you to wire money for example, call that person and verify.
  • Adhering strictly to internal control processes & procedures. Emails that appear urgent in nature and request that the recipient bypass the regular processes in the interest of time and requestor’s level of authority should always be a red flag.
  • Ensuring systems are updated with the latest patches. This includes operating system, VPN, software and hardware (drivers etc.).
  • Considering what information you are accessing and printing from home, and how you are disposing of it, especially as it relates to Personal Identifiable Information (PII), client records, proprietary information, and other sensitive data. Ensure adherence to privacy and confidentiality laws and policies, as well as those documented in your organization’s Written Information Security Program (WISP).

Additionally, individuals are urged to check the source of information received and to confirm the accuracy with at least one additional reputable source. Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.

How may AAFCPAs help?

AAFCPAs conducts Cyber Security & Technology Risks Assessments to help clients identify risks from the use of technology that could potentially cause information loss or financial or reputational harm to an organization. These assessments may include:

  • A proactive assessment of risks associated with social engineering attacks, including simulated phishing, spear phishing, and whaling expeditions by AAFCPAs’ “White Hat” Certified Ethical Hacker (CEH)
  • An assessment of IT General Controls (ITGCs), including programs, data, change management, and computer operations
  • An assessment of IT Vulnerabilities and Penetration Testing
  • Assessments of Firewall, Wireless, and VPN Configurations

If you have questions or concerns at this time related to your organization’s IT & Cyber Security, or if you have been a victim of a breach, please contact James Jumes, MBA, M.Ed., leader of AAFCPAs’ Business & IT Consulting practice at: 774.512.4062,; Vassilis Kontoglis at 774.512.4069,; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting.  James developed a unique methodology to delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams to review SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Vassilis Kontoglis
Vassilis is a highly-skilled IT professional with proven expertise in: business process improvement and change management, information systems gap analyses, cyber security and IT risk assessments, systems selection & implementation, IT auditing, and special attestation reporting (SSAE 18 and SOC 2). Vassilis performs comprehensive and thorough reviews of technology systems and environments, and advises clients on how to use technology to best achieve business goals and objectives.  He elicits input from stakeholders at all levels of the organizational hierarchy in order to thoroughly evaluate business performance across functional boundaries.  He analyzes current and potential business and IT processes to identify clear opportunities for improvement, which may include streamlining and automation, productivity increases, strategic alignment and cost reductions.