Phishing in the Time of COVID-19: How to Recognize Malicious Coronavirus Phishing Scams
March 19, 2020
For malicious people, preying on collective fear and misinformation is nothing new. Mentioning national headlines can lend a veneer of credibility to scams. We’ve seen this tactic time and again, so it’s no surprise that COVID-19 themed social media and email campaigns have been popping up online. This blog post provides an overview to help you fight against phishing attacks and malware, examples of phishing messages we’ve seen in the wild related to coronavirus and COVID-19, and specific scenarios to look out for (such as if you work in a hospital, are examining maps of the spread of the virus, or are using your phone to stay informed).
Avoiding phishing attacks
The COVID-19 themed scam messages are examples of “phishing,” or when an attacker sends a message, email, or link that looks innocent, but is actually malicious and designed to prey on fears about the virus. Phishing often involves impersonating someone you know or impersonating a platform that you trust. Your day-to-day diligence is the best preventative measure. Consider these points before you click: Is it an enticing offer? Is there a sense of urgency? Have you interacted with the sender before over this platform?
If an email sounds too good to be true (“New COVID-19 prevention and treatment information! Attachment contains instructions from the U.S. Department of Health on how to get the vaccine for FREE”), it probably is. And if an email demands urgent action from you (“URGENT: COVID-19 ventilators and patient test delivery blocked. Please accept order here to continue with shipment.”), take a moment to slow down and make sure it’s legitimate. Keep in mind that legitimate sources of health information likely won’t use unsolicited email or text messages to make announcements. Some examples of phishing emails — ones that we’ve received and you might similarly encounter — are included at the bottom of this post.
Some common-sense measures to take include:
- Check the sender’s email address. Are they who they claim to be? Check that their contact name matches the actual email address they’re sending from.
- Try not to click or tap! If it’s a link and you’re on a computer, take advantage of your mouse’s hover to closely inspect the domain address before clicking on it.
- Try not to download files from unfamiliar people. Avoid opening attachments from any external email addresses or phone numbers.
- Get someone else’s opinion. Ask a coworker: Were we expecting an email from this sender? Or ask a friend: Does this email look strange to you? A good practice is to use a different medium to verify (for example, if you receive a strange email claiming to be your friend, try…
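The first two checks in the list above (does the display name match the real sender address, and does a link's visible text match where it actually points) can be automated for a saved message. The script below is an added example written for this post, not EFF's own tooling; the message it inspects is constructed here to show both tricks and uses reserved `.example`/`.invalid` domains rather than real ones. It parses the message with Python's standard `email` module, compares the `From:` display name against the actual address, flags urgency wording in the subject, and lists the real host behind every link alongside the host the link text claims, which is what hovering over a link reveals on a desktop client.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing email).
# It shows both tricks the list above warns about: a display name that
# claims a different address than the one actually sending, and link text
# that shows one domain while the href points at another.
SAMPLE_EML = """\
From: "alerts@health-dept.example" <notice@covid-update-notice.invalid>
To: you@example.org
Subject: URGENT: COVID-19 ventilators and patient test delivery blocked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please accept the order here to continue with shipment:</p>
<a href="http://secure-login.covid-update-notice.invalid/accept">https://www.health-dept.example/orders</a>
<p>Guidance: <a href="https://www.health-dept.example/covid-19">https://www.health-dept.example/covid-19</a></p>
</body></html>
"""

# Words that signal the "sense of urgency" pressure described above (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "act now", "blocked", "suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase hostname if the string parses as an http(s) URL, else None."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def inspect_message(raw):
    """Apply the sender and link checks to one raw message.

    Returns a dict with the actual sender address, the real hosts every link
    points at, and a list of warnings explaining what looked wrong.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    warnings = []

    # Check 1: the sender. A display name that itself looks like an address
    # but differs from the real sending address is a classic mismatch.
    if "@" in display_name and display_name.lower() != address.lower():
        warnings.append(f"display name {display_name!r} does not match sender {address!r}")

    # Check 2: urgency pressure in the subject line.
    subject = str(msg.get("Subject", ""))
    if any(word in subject.lower() for word in URGENCY_WORDS):
        warnings.append(f"subject uses urgency language: {subject!r}")

    # Check 3: every link. Compare what the link shows with where it goes.
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    link_hosts = []
    for href, shown in collector.links:
        real = host_of(href)
        shown_host = host_of(shown)
        if real:
            link_hosts.append(real)
        if real and shown_host and real != shown_host:
            warnings.append(f"link text shows {shown_host} but points at {real}")

    return {"sender": address, "link_hosts": sorted(set(link_hosts)), "warnings": warnings}


if __name__ == "__main__":
    report = inspect_message(SAMPLE_EML)
    print("Actual sender:", report["sender"])
    print("Links really go to:", ", ".join(report["link_hosts"]))
    for warning in report["warnings"]:
        print("WARNING:", warning)
```

Run it on a message saved as `.eml` by reading the file into `inspect_message`; the point is not that a clean report proves a message safe, but that the actual sender address and the real link hosts are what you should verify through a different medium, exactly as the last item in the list recommends.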