Have you been noticing an abundance of suspicious-looking emails flooding your inbox over the past few months? You aren’t alone! In the age of COVID-19, InfoSecurity Magazine reports that phishing scams have soared by over 600% since the end of February. Unfortunately, many of these scammers prey on fear and uncertainty in order to worm their way around barriers. And working from home means those barriers often aren’t as well maintained as they would be in the office.
So what can you do to help keep your passwords and accounts secure? When it comes to phishing, awareness is often the best defense. With that in mind, we’ve put together a guide to help you navigate some of the common tricks and scams to watch out for during these trying times.
If you receive an email claiming to be from the CDC or WHO, you should be careful. It is most likely a scam! These messages often contain links claiming to list coronavirus cases in your area along with an urgent request to review those cases and see if you were in contact with anyone affected. The links may look legitimate on the surface. However, hovering a mouse pointer over the link and examining the actual target underneath reveals that it points somewhere more nefarious.
Phishers have been sending many scam emails purporting to offer important health advice related to the pandemic. These often appear to come from a specialist, doctor, or expert of some kind. These emails may contain a link or even an infected attachment. If you receive one of these messages, do not open any attachments or follow the links. Delete the email immediately. If you feel uncertain about your health, it is always best to contact your own doctor directly.
Workplace Policy Updates
You may receive occasional updates from your employer while working from home. This is normal and expected, but if you receive one of these notices, review it carefully before following any links or downloading any attachments. Cybercriminals have been sending highly targeted “Policy Update” messages appearing to come from your employer. These messages appear to link to an updated company-wide policy due to the pandemic. Always double-check the link by hovering your mouse over the text and checking where it really goes. If you are unsure, reach out to your employer directly and ask whether or not the message came from them.
Many scammers are exploiting people’s best intentions by requesting financial support to help victims of the virus and front-line workers. Although these types of emails may not always be phishing scams, the charities they fund are usually illegitimate. Rather than helping to fund relief efforts, the money instead goes straight into the scammer’s bank account. Always do your research before donating to any charity. If you receive a charitable appeal via email, it is most likely fake.
SMS Recovery Hack
You may receive an email or SMS from someone claiming to be your employer or email provider. The attacker typically claims that someone breached your account and they need you to forward a forthcoming SMS code to restore it. The attacker then initiates an account recovery process which automatically sends out an SMS code to the account owner’s phone. If you unwittingly forward that code to the attacker, they will be able to take over your account.
These attacks have become very popular lately and have seen widespread success. There is even a variation of this scheme affecting WhatsApp users. To ensure this doesn’t happen to you, never forward any account codes to someone else. Your email provider should never require this information. If your employer legitimately needs it to rescue your account, contact them directly over the phone or video conference to ensure you know exactly where you are sending it.
Since touch devices have become the norm, a new type of attack targets these devices by simulating a smudge, hair, or piece of dust on the screen. Many people are already educated about the dangers inherent in clicking unknown links in an email, but wiping smudges from their touch screen is almost a reflex. However, if the smudge is actually a disguised link, that reflexive swipe may be detected as a tap. If you’re using a touch device, it’s always a good idea to close your email and browser before cleaning the screen.
Scammers have been placing ads around the web and over email claiming to offer cures and treatments for the virus. Norton Security reports that the websites these ads lead to sometimes contain malware. Even in the best-case scenario, the products and services they offer are useless.
How to Avoid Phishing Scams
Now that you are aware of some of the more malicious phishing scams going around right now, here are some general practices that will help protect you and your accounts from these threats:
- Avoid opening unsolicited email.
- Hover your mouse pointer over links to see where they really lead.
- Do not download attachments from any email unless it was something you were expecting to receive and you are certain of where it came from.
- Do not supply personal information to anyone via email.
- Watch out for sloppy spelling and grammar. Although this is not always a guarantee (they get more convincing all the time), poor grammar and spelling usually indicate the email is coming from a fake source.
- Be wary of urgency. Emails that try to create a sense of urgency are almost certainly scams.
- Stay calm. People can be more easily manipulated when they are in a state of panic. Try not to fall victim to fear-inducing emails or messages. This is a tactic used by social engineers to bypass your natural defenses. Instead, keep a steady hand and delete such emails.