Avoiding COVID-19 Phishing Scams

The New Normal Includes Increased Cyber-Scamming

The coronavirus/COVID-19 pandemic is driving a complete disruption of life as we know it. In fact, the dreaded “new normal” label is already circulating in reference to social distancing, self-isolation and quarantine, mask-wearing, and moving even more of our work and other daily activities online.

Millions of employees are making an abrupt shift to working from home while entire national populations are existing in a state of anxiety and looking for reassurance online as social media platforms and the Internet in general get flooded with information and disinformation overloads.

Diana Burley, a cybersecurity professor at George Washington University, describes a situation where everyone is nervous and many employees are working from home without the protections commonly afforded by business networks, but with plenty of distractions from children and other factors in the home environment: “It’s become the perfect storm for cybercriminals to exploit the situation and do harm.”

COVID-19 Scams Go Viral

Aggressive cybercriminals have been quick to capitalize on the huge influx of potential new victims as people who are unfamiliar with remote work begin accessing nearly all of their tools, contacts, and resources online. Online bad actors are mobilizing to take advantage of vulnerable targets with coronavirus-related schemes.

More than 58,000 coronavirus scam and phishing websites have already been identified, and experts report that the dark web is buzzing with activity. A common theme is the sale of COVID-19 scam kits that include fraudulent email templates designed to target workers at home.

Email has always presented an open window to hackers and other digital criminals, and cybersecurity experts are now tracking a skyrocketing surge in corporate email attacks that began in late February. As more and more people start working from home, cybercriminals are probing for new opportunities to gain access to corporate computer systems. Others are trying to attack individuals by leveraging the fact that frightened people are spending more time online and doing more communication by email.

Cybercriminals Go Phishing

U.S. federal law enforcement officials have identified email phishing scams as the most prevalent online attack being employed by COVID-19 cybercriminals. Phishing involves sending out fraudulent emails that appear to come from reputable sources such as the government or other official organizations, banks, credit card companies or other businesses, employers, or even a target’s friends and loved ones. The object is to get recipients to click on a link that leads to a fake website asking for personal information, passwords, and credentials that hackers can then use to access personal accounts or corporate networks. Links may also download ransomware, spy programs, or other malware onto the user’s computer.

There are two common types of phishing attacks: regular phishing and spear phishing. Regular phishing involves sending out many random emails in the hope that recipients will open an email containing links to fraudulent data collection sites or attachments with embedded malware or a virus.

Spear phishing attackers send emails to specific individuals and use social engineering and psychological manipulation to trick targets into performing actions desired by the cybercriminals. Spear phishing requires researching the intended target and gathering information that will let the attacker gain the victim’s trust. The attacker then makes contact while appearing to be a company representative, a colleague, or a trusted third party, a relative or friend, and so on. Spear phishing attacks may have offline as well as online components.

In the current pandemic crisis, criminals are attempting to profit from people’s confusion and fear surrounding the coronavirus. Cybersecurity researchers have identified phishing scams with attackers purporting to be from organizations like the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). Targets may receive emails offering information about the virus, hinting at the availability of a vaccine, or claiming to be from charitable organizations working to raise money for victims or medical supplies. These are lures to trick victims into handing over login credentials, downloading malicious software, or parting with their money.

Don’t Take the Bait

We are in dangerous waters. People are fearful, distracted, and extremely motivated to find information. Things are complicated by many legitimate coronavirus-related emails circulating as human resources departments reach out to employees about working from home, businesses try to ease customer concerns, and schools update parents on precautions and canceled events. Malicious emails are easily camouflaged in the onslaught.

Whether you are going online as a business owner or remote worker, or are simply accessing your personal email account, current events call for an attitude of extreme vigilance. Fortunately, avoiding falling victim to a potentially disastrous phishing scam is mainly a matter of being careful and applying a few commonsense principles when using email.

  • Pandemic or not, email use demands caution at all times. Examine your inbox carefully. If something does not look right or feels like a scam, delete it without opening. Messages from government agencies and most other important entities never come solely by email anyway. For anything really critical, the sender will eventually contact you by phone or snail mail.
  • Experienced users know never to click on a link or open an attachment in an email from an unknown sender. Hovering the cursor over a link will show the address, but it can be very difficult to detect a fraudulent or otherwise bad URL and the people making them are experts at deception. Even links from known senders are suspect and it is always best to open a browser window and use the address bar to navigate to the linked site or resource. Unexpected attachments should be verified by email or phone before downloading and all files scanned with an anti-virus program before opening.
  • Never respond to email requests for personal information or log-in credentials. Legitimate government agencies and businesses will never make such requests. They will always ask you to go to an official website for more information. As noted above, do not follow any emailed links. Criminals are creating very convincing fake websites, so use your usual bookmark or shortcut to go to the site you want, or type the address in the search bar. And it never hurts to make a confirmation phone call.
  • Pay no attention to emails claiming to have information about COVID-19 from the government or other official organizations. A quick check of the email address will reveal whether it is from .gov, .edu or some other source that might be trusted. But you can easily go directly to the CDC website, Health & Human Services, the Small Business Administration, or other official sites and look for relevant information. Also use triangulation – if a government organization were to send out an official email announcement, you would hear about it from other news sources, not just from an email.
  • Ignore any email or other online offers related to COVID-19. Vaccinations, home test kits, treatments, and the promise of government checks are all examples of lures being cast out by scammers looking to reel in the unsuspecting. Use fact-checking and triangulation strategies on everything, and then wait a little longer for verifiable official information. Visit sites like the Federal Trade Commission’s Consumer Information portal and What the U.S. Government is Doing to stay in the know on scams and other information and find good links to resources.
  • If you are unfortunate enough to have already handed over sensitive information, all your passwords must be changed immediately. Then make follow-up calls to your banks, credit card companies, mortgage company, and any other organization where you have accounts and other resources that might be affected by your security breach. You may want to look into LifeLock or another identity theft protection service.
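
The two manual checks described above (comparing the address a link displays with where it actually goes, and checking the sender's address against the organization it claims to be) can also be automated by a mail filter. The following is an added example, not part of the original article; the KNOWN mapping and the SAMPLE message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumptions: KNOWN maps senders the article names to their domains; SAMPLE is constructed.
KNOWN = {"cdc": "cdc.gov", "world health organization": "who.int"}
DOMAIN = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?")
SAMPLE = """\
From: "CDC Health Alert" <alerts@cdc-gov.example>
Subject: COVID-19 update
Content-Type: text/html; charset="utf-8"

<p>Details: <a href="http://login.example.net/cdc">www.cdc.gov/coronavirus</a></p>
"""

def within(host, dom):
    return host == dom or host.endswith("." + dom)

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip().lower()))
            self.href = None

def phishing_flags(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    host = addr.rpartition("@")[2].lower()
    # Display name invokes a known organization but the address is elsewhere.
    flags = [f"name claims {dom}, address is @{host}" for key, dom in KNOWN.items()
             if re.search(rf"\b{key}\b", name.lower()) and not within(host, dom)]
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.found:
        shown = DOMAIN.fullmatch(text)  # only link text that itself looks like a URL
        actual = (urlsplit(href).hostname or "").lower()
        if shown and not within(actual, shown.group(1)):
            flags.append(f"link shows {shown.group(1)}, opens {actual or href}")
    return flags
```

An empty result is not proof that a message is legitimate: the From header can be forged, so these checks only catch the careless cases and do not replace the advice above.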

Be Brave in the New World

The most astute observers of this global disaster are noting that we are undergoing a permanent change. An as-of-yet unreleased report circulating in Washington DC has pandemic emergency conditions going forward for at least 18 months. A plan from the London School of Economics suggests a program in which a spike in COVID-19-related intensive care admissions above a set level triggers a return to emergency lock-down conditions, with such spikes expected to occur in ongoing 6-month waves.

Assess the situation objectively now and make plans to adapt to and thrive in a new working context. This means taking precautions, making adjustments, and adopting new strategies. If you are a business owner who needs to update online infrastructure and deploy COVID-resilient marketing and sales strategies, contact the team at Wodu Media for a consultation. We are completely used to working remotely and are up and running strong to protect and support our clients going forward into an altered business landscape: (800-909-WODU).