​It's the most wonderful time of the year – for malicious threat actors.

While many of us began working early on our holiday lists due to the struggling supply chain, the bad actors also have been at work. Their latest ruse? Sending unsolicited gift cards and USB thumb drives via shipping companies and the U.S. Postal Service, promising a shopping spree or other reward for unlocking a code on the USB. What does the USB really contain? Malware.

While not verified as the malicious actors behind this scheme, a cybercriminal group from Eastern Europe may be to blame. The group has been targeting the financial sector with an official-looking letter claiming to be from the U.S. Department of Health & Human Services regarding COVID-19 guidelines. The letter contains a USB device known as a “BadUSB" or “Bad Beetle USB." After being plugged into a computer, the device injects a series of keystrokes to download and execute malware.

PNC received a report in early October that a company known to us received a suspicious package addressed to an employee with a “thank you for being a loyal customer" message, a $500 gift card and a USB thumb drive. The package was followed by a voicemail to the employee's personal mobile phone stating that the gift card would expire soon if action wasn't taken. This was, of course, a bogus offer.

While PNC's Security Defense team has controls around USB and malware disruption to protect employees and PNC systems, individuals potentially could be targeted with similar schemes at their home addresses. There are ways, however, that consumers can prevent themselves from becoming a victim.

The Cybersecurity & Infrastructure Security Agency (CISA) offers the following tips for protecting against a malware threat on personal computers:

  • Do not plug an unknown USB drive into any computer in your possession.
  • Take advantage of security features such as passwords and encryption on your USB drive to protect your data; always back up your information.
  • Disable autorun, which causes removable media such as DVDs and USB drives to open automatically when they are inserted into a drive.
  • Use and maintain security software and keep all software up to date. Use a firewall, antivirus software and anti-spyware software to make your personal computer less vulnerable to attacks.

Regarding the current overall cyber threat environment, Susan Koski, senior vice president and director of Security & Enterprise Response said, “We've never seen the kind of threat environment we're living in today. We are in a constant state of reactive and proactive, defensive offensiveness." The best offense is a great defense, so while PNC Security Defense protects the bank and its devices, we can all protect our personal devices by staying in the know about current threats and taking appropriate action.