While much of the world has slowed down due to the COVID-19 pandemic, phishing scammers have done the opposite.
They’ve been hitting inboxes with a whole slew of new coronavirus-themed phishing emails designed to prey upon people during the disruption. These scams take advantage of common fears and needs for information.
They also exploit the fact that many employees are working from home and disconnected from their normal network security and office safeguards.
User awareness is one of the most important layers of protection when it comes to phishing emails. If people know what to watch out for, they can more easily identify a scam email when they receive it.
With all the new COVID-19-related phishing campaigns scammers are sending out, you’ll want to give your employees a heads-up and a refresher on phishing safety tips. You can share the information below to keep them informed.
Popular Coronavirus Phishing Emails to Watch For
The rise in coronavirus-themed phishing attacks is astounding. In February 2020 there were 1,188 COVID-19-related phishing attacks; during the first three weeks of March alone, those attacks numbered 9,116.
Here are the attack types to make your employees aware of.
Fake CDC Alert
This email purports to be from the Centers for Disease Control & Prevention (CDC). It promises a list of “new cases around your city” that you can review. It also uses the tactic of urgency by stating “You are immediately advised to go through the cases above for safety hazard.”
The link takes users to a malicious website, as so many of these scams do. Malicious sites can download ransomware, spyware or other malware onto a user’s computer as soon as they’re loaded.
Stimulus Package Scam
Since the new stimulus package was passed in late March, multiple phishing scams have been popping up. These scams often direct users to a page to “sign up” for their stimulus check. The form is designed to steal user information such as SSNs and other details that can be used for identity theft.
Fake Help Desk Email
This scam takes advantage of the fact that so many employees are working remotely from home and may have less connection to their colleagues.
It pretends to be from an “IT Helpdesk” working on behalf of the user’s company. It warns that, for security reasons, employee email accounts are being deactivated, and that to keep theirs from being removed the recipient must visit a URL given in the email.
WHO Safety Measures Fake
The World Health Organization (WHO) is another popular organization that is spoofed in COVID-19 phishing emails.
This email uses the organization’s logo and promises safety measures for dealing with the coronavirus.
When the user clicks the link, they’re directed to a page that looks like it’s the WHO website and are asked to sign in with their email and password (a common phishing ploy).
False Work Policy Update
Another employee-targeted scam is an email directing employees to read a new company policy related to communicable diseases. This email often inserts the name of the company the employee works for to make it more believable.
The email says, “We require all employees to read and acknowledge the policy before (date).” This tactic is used to get employees to click the link before thinking because they don’t want to get in trouble by not reading the new policy by the date given.
Tips for Phishing Safety
Phishing is relentless, and it is the number one cause of data breaches and malware infections. Paying attention to phishing safety can make a big difference in a company’s overall cybersecurity success.
Default to Not Trusting Emails
Phishing scams often fool users because users tend to trust the messages in their inbox unless they’re given a reason not to.
You should instead take the opposite stance and distrust all email until you’ve ensured it’s legitimate. This simple change in thought process will help prevent you from being fooled as easily.
Carefully Search for Anything That’s “Off”
There is usually some clue in a phishing email that reveals it as a fake. These clues can be hard to spot in the busyness of the day, but if you take the time to look, you can often find them.
Some clues are:
- Grammar and spelling issues (even small ones)
- Slight differences in a URL (e.g. cdc-virus.gov.me instead of the real cdc.gov)
- The email being addressed to multiple recipients
- The “from” address not matching the organization logo used in the email
Hover, Don’t Click
The single act of hovering over a link instead of clicking it can reveal the majority of fake URLs. For example, the visible text of a link might show a legitimate website address, but when you hover over it, you’ll see that the actual URL points to a completely different site, usually one that makes no sense in connection with the email text.
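The two checks above (a lookalike domain such as cdc-virus.gov.me, and link text that shows one site while the href points at another) can be automated on the HTML of an email. The script below is an added example, not code from the original post or from C Solutions; the sample email body, the trusted-domain list and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): link 1 shows a cdc.gov address but
# points at a lookalike, link 2 is genuine, link 3 hides a foreign destination.
SAMPLE_HTML = """
<p>Review <a href="http://cdc-virus.gov.me/cases">https://www.cdc.gov/cases</a></p>
<p>Official guidance: <a href="https://www.cdc.gov/coronavirus">CDC</a></p>
<p>Sign in at <a href="https://who.int.example-login.net/">who.int</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags, as a hover would show."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lower-cased host of a URL or bare domain; '' if text is not URL-like."""
    if not text or " " in text:
        return ""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()

def is_trusted(host, trusted):
    """True only if host is the trusted domain itself or a real subdomain of it."""
    return host == trusted or host.endswith("." + trusted)

def suspicious_links(html, trusted_domains):
    """Return (href, text, reason) for links that a hover check would expose."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        if "." in shown and not is_trusted(real, shown):
            findings.append((href, text, "link text and destination differ"))
        elif any(t.split(".")[0] in real and not is_trusted(real, t)
                 for t in trusted_domains):  # crude lookalike heuristic
            findings.append((href, text, "lookalike of a trusted domain"))
    return findings
```

Calling `suspicious_links(SAMPLE_HTML, ["cdc.gov", "who.int"])` flags links 1 and 3 and leaves the genuine CDC link alone; the lookalike check is a simple first-label heuristic and will need tuning for a real trusted-domain list.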
Get a Second Opinion
If you’re truly unsure about an email and are worried that it might be legitimate, get a second opinion from a trusted source.
Even if you’re working remotely from home, you can still get on the phone to your IT support partner to ask their opinion before taking any action. This can often save you from making a costly mistake.
Ensure Your Network and Users are Protected from Phishing
There are several measures that can be put in place to backstop your users when it comes to phishing attacks. The C Solutions team can help ensure everyone’s protected, both in the office and while working from home.
Schedule a free cybersecurity assessment today! Call 407-536-8381 or reach us online.