Some cybercriminals have already taken advantage of the fear surrounding the Covid-19 outbreak by sending out phishing emails that promise cures, seek donations, or heighten panic in order to extract personal data and money.
Phishing For Fear
Cybercriminals rely on exploiting human error that’s often driven by emotional responses. The coronavirus outbreak has, therefore, provided scammers with a near-perfect opportunity to exploit the heightened level of fear, and to offer things that will take that fear and panic away, as a motivation for a person to click on a link. Clicking on a link in a phishing email, however, can mean having malicious software loaded onto your device that allows cybercriminals to take control of your computer, log keystrokes, or gain access to your personal information and financial data (for theft and identity theft), or it may simply direct you to a payment page.
Examples of the kinds of coronavirus-related phishing emails which have been spotted over the last couple of weeks, and could be coming to an inbox near you, include:
– As reported by Proofpoint, an email purporting to be from a doctor offering details of a vaccine cure that’s been kept secret by the Chinese and UK governments. Clicking on the link promises access to the vaccine cure details.
– Workplace policy emails that target employees in a specific company/organisation and encourage them to click on a link that will take them to their company’s Disease Management Policy. Clicking on the link will, in fact, download malicious software that can provide a way into the company network.
– As reported by Mimecast, emails that promise a tax refund for coronavirus and direct the target to click on a link and input all their financial and tax information, with the lure of gaining access to (bogus) funds.
– Asking for donations for a fake campaign to fund the fast development of a Covid-19 vaccine. In this scam, the victim is directed to a bitcoin payment page.
– As reported by Proofpoint, an email purporting to be from the World Health Organization (WHO) that offers a fake document with information about preventing the spread of coronavirus, where clicking on the link actually leads to the downloading of keylogging software (criminals can track your keystrokes to uncover passwords).
– Emails that exploit feelings of panic, such as an email that claims that Covid-19 has become airborne and asks the target to click on a link to a fake Microsoft login page.
Spotting Phishing Emails
Many phishing emails have giveaways that you can spot if you know what you’re looking for. Examples of ways in which you can identify a phishing email include:
– Online requests for personal and financial information, e.g. from government agencies, are very unlikely to be sent by email from legitimate sources.
– Beware of generic greetings. Scammers are less likely to use your name to personalise the email greeting and title.
– Mistakes in spelling and grammar can be signs of scam emails.
– Check where a link really leads by hovering your mouse (without clicking!) over the link in the email. The address that appears can quickly reveal whether the email is genuine.
– Beware of heavy emotional appeals that urge you to act immediately. These are signs of scam emails that hope to bypass your reasoning and tap into an emotional response.
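The giveaways above can also be checked automatically, for example at a mail gateway or when triaging a reported message. The following is an added example, not code from the original article: the keyword lists, function names and sample message are constructed for illustration, and it assumes a single-part HTML email.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword lists, loosely based on the giveaways listed above.
TEXT_CHECKS = {
    "generic greeting": re.compile(r"\bdear (customer|user|colleague|sir|madam)\b", re.I),
    "urges immediate action": re.compile(r"\b(act now|immediately|urgent)\b", re.I),
    "asks for personal or financial data": re.compile(r"\b(password|bank details|tax information)\b", re.I),
}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collects body text and (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def phishing_signals(raw_email):
    """Return the giveaways found; a link whose visible text names one
    site while its href points at another is what hovering reveals."""
    parser = LinkCollector()
    parser.feed(message_from_string(raw_email).get_payload())
    body = " ".join(parser.text)
    signals = [name for name, rx in TEXT_CHECKS.items() if rx.search(body)]
    for href, label in parser.links:
        if URL_LIKE.match(label) and host(label) != host(href):
            signals.append(f"link shows {host(label)} but goes to {host(href)}")
    return signals

# Constructed sample message (not a real email); example.net is a reserved domain.
SAMPLE = """Content-Type: text/html

<p>Dear customer, act now and confirm your password at
<a href="http://who-docs.example.net/safety">https://www.who.int/health-topics/coronavirus</a></p>
"""
```

Calling `phishing_signals(SAMPLE)` returns all four signals for the constructed message. A link whose visible text is plain wording such as "click here" is not flagged by the mismatch check, so the result is a triage aid rather than a verdict.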
What Does This Mean For Your Business?
Scammers often use phishing emails during or after a crisis, when fraud or cybercrime has affected lots of people, or around other such events, to take advantage of those who are looking for help and answers. Scammers know that where emotions are strong, and where they can tap into them by offering relief from negative feelings and by saying what people want to hear, they are more likely to achieve their aims.
In the case of coronavirus, although companies and organisations are issuing statements related to it, the best advice is to simply check information that is given out through trusted, official sites such as the NHS https://www.nhs.uk/conditions/coronavirus-covid-19/, the World Health Organization https://www.who.int/health-topics/coronavirus, and via trusted TV and radio stations.
Crisis or not, always exercise caution when you receive emails from unknown or unusual sources and remember that government agencies and financial institutions don’t send out emails asking for personal and financial information.
Companies also need to alert employees, many of whom may soon be working from home and may have a reduced ability to quickly ask the boss or manager about certain emails, to the threat of phishing emails with a Covid-19 theme and to the threat of social engineering attacks that could take advantage of a physically divided and reduced workforce.