It's clear to us all: we’re living and working in unprecedented times. COVID-19 has forced companies worldwide to be agile, adapting quickly to current events, changing the way they work, communicate, and plan for a puzzling future. But as we all adjust to this crisis, cybercriminals are taking full advantage, targeting both businesses and individuals who may have their guards down. The result? New cyber threats are emerging daily, from phishing emails disguised as updates from the World Health Organization (WHO), to outbreak maps loaded with data-stealing malware. As attackers take advantage of virus anxiety and isolated individuals, these scams are likely to intensify. This is why education is critical now.
Yes, you’re already checking through a list of new and daunting challenges. Dealing with a personal or professional phishing attack is probably not on it, but it should be. If you can check off the following six tips, you can at least help yourself and your team stay protected from the current threats.
Tip #1: Read your messages closely
Remember: phishing scams are all about deception. These attacks typically take the form of emails or instant messages that appear to be from reputable sources. The content will attempt to manipulate the reader into clicking a link to a fake domain, downloading malware, or sharing sensitive information such as passwords and financial details. To date, we’ve seen phishing attacks referring to the American government’s stimulus plan promising $1,000 checks in exchange for personal information, as well as extortion emails threatening people with COVID-19 infection.
While these communications can sometimes be convincing, here are some key tells to look for:
- URLs: A link containing the name of a respected organization is no proof of legitimacy. Read URLs from right to left—the site’s actual domain will be at the end of the host name, just before the first single slash. Also look out for URLs that begin with an IP address, and never enter personal information into a site whose link does not contain “https” (the s stands for ‘secure’).
- Text: As demonstrated below, phishing messages are often riddled with mistakes in spelling, grammar, or formatting. But some can be subtle, so read the text carefully, checking for irregularities.
- Language: If it sounds too good (or extreme) to be true, it almost definitely is. Disregard any unrealistic promises or threats, especially if there's a request for money.
- Sender: Hover your cursor over the sender’s name to see if the domain in the email address matches that of the organization the message claims to come from. Any spelling mistakes, inconsistencies, or public domains expose the message as a scam.
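The URL and sender checks above can be automated for triage. The following is an added example, not part of the original article: the brand-to-domain table, the public mail domain list, and the function names are assumptions constructed for illustration, and the "last two labels" domain rule is a simplification of a proper Public Suffix List lookup.

```python
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed data (assumptions for this example, not from the article).
BRAND_DOMAINS = {"who": {"who.int"}, "cdc": {"cdc.gov"}}
PUBLIC_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def base_domain(host):
    # Read right to left: naive "last two labels" of the host name.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_mismatch(text, domain):
    # Brands named in the text whose real domains do not include `domain`.
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return sorted(b for b, real in BRAND_DOMAINS.items()
                  if b in words and domain not in real)

def url_tells(url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Missing https is a tell; its presence alone proves nothing.
    tells = [] if parts.scheme == "https" else ["no-https"]
    try:
        ipaddress.ip_address(host)          # URL points at a bare IP address
        return tells + ["ip-address-host"]
    except ValueError:
        pass
    domain = base_domain(host)
    return tells + [f"brand-outside-domain:{b}"
                    for b in brand_mismatch(host + parts.path, domain)]

def sender_tells(from_header):
    # Compare the display name's claimed brand with the address domain.
    name, addr = parseaddr(from_header)
    domain = base_domain(addr.rpartition("@")[2])
    tells = ["public-mail-domain"] if domain in PUBLIC_MAIL else []
    return tells + [f"sender-domain-mismatch:{b}"
                    for b in brand_mismatch(name, domain)]

if __name__ == "__main__":
    # Constructed sample inputs.
    for u in ("https://www.who.int/emergencies",
              "https://who.int.covid-update.example/login",
              "http://203.0.113.7/cdc/map"):
        print(u, url_tells(u))
    print(sender_tells('"WHO Updates" <alerts@gmail.com>'))
```

An empty result means none of these particular tells fired; it does not mean the message is legitimate.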
Tip #2: Be cautious with government or NGO communications
Government agencies and officials are unlikely to send you unsolicited messages. While health organizations and NGOs may send emails regarding coronavirus, legitimate messages won’t ask for your personal information or any immediate payment. The most reputable sources of COVID-19 information will be outside your inbox. Visit the Centers for Disease Control (CDC), WHO, or your preferred news outlets in lieu of opening emails related to the pandemic.
Source: Infosec Institute
Tip #3: Watch out for fraudulent charities or crowdfunding campaigns
In times like these, we want to help whomever we can. Sadly, scammers are taking advantage of that generosity to pad their own pockets. Be sure to research any charity or organization asking for contributions. Look for previous reviews or ratings, and only pay by credit card or check, avoiding cryptocurrencies like bitcoin. The Federal Trade Commission (FTC) offers great advice around researching charities and suggests keeping an eye out for red flags that could indicate you’re dealing with a criminal.
Source: BBC via Kaspersky
Tip #4: Scrutinize online sellers hawking high-demand products
Demand for face masks, medication, and other household and sanitary products is on the rise. Scammers are already stealing millions by setting up fake marketplaces and taking payments for products that will never arrive. Stick to established and trustworthy retailers. If an unknown seller suddenly emerges with the products everybody needs, search for the company or individual with terms like “review,” “complaint,” or “scam.” Once multiple sources confirm that they’re legitimate, only pay by credit card.
Tip #5: Hang up on robocalls
There’s been a spike in robocalls claiming to sell discounted coronavirus testing kits, health insurance policies, and remote working aids. To be clear: it is illegal for a robocaller to sell you anything over the phone unless the company has your prior, written permission to contact you that way. If you do answer a robocall that’s attempting to make a sale, hang up without pressing any numbers, then report the robocall.
Tip #6: Use security software that protects against phishing
Organizations know that if one employee is scammed, attackers might gain access to all their corporate accounts—and the sensitive business data within.
Phishing scams rely on users handing over their account credentials, so one of the best ways to protect against them is to reduce the number of credentials that can be stolen. Explore solutions that minimize the use of passwords with single sign-on and adopt an added layer of security by enabling multi-factor authentication. You can also opt to make your organization passwordless, providing more of a barrier for hackers looking to breach your networks and applications.
COVID-19 and all its repercussions are new territory for everyone. This has emboldened cybercriminals to target individuals for their credentials, personal information, and funds. We hope the steps we’ve outlined above will empower you and your organization to mitigate the impact of these attacks, so you can safely check off the professional and personal issues that matter the most to you right now.