COVID-19 Phishing Attacks
Protecting yourself from Malware, Ransomware and More
With the number of global coronavirus infections passing 90,000, there is no shortage of opportunists, scammers and criminals lining up to profit from people’s fears and concerns. In the last several days, authorities across the world, including the World Health Organisation (WHO), have issued statements warning people about coronavirus-related emails and texts.
As organisations and businesses work to balance continuity and precautionary measures, including the European Union’s cancelling of over 100 events and Twitter’s withdrawal from the annual South by Southwest (SXSW) festival, the cynical rollout of dodgy products and phishing attacks continues.
Coronavirus Phishing Warnings
The WHO has specifically warned the public about scammers and criminals disguising themselves as the health authority in order to steal or extort money and sensitive information, reminding people to verify the authenticity of any party before interacting with them. The sad truth is that in nearly all times of uncertainty, professional phishers work overtime to profit from people’s fears.
At the centre of a COVID-19 coronavirus scam is the exploitation of a reasonable fear, a common feature of most forms of phishing attack. Just like non-virus-related phishing emails, scammers use fear, anxiety, curiosity and greed to control your behaviour, all in the hope of getting their hands on your money or information.
Phishing Scams and Data Breaches
It’s now thought that around 32% of all breaches utilise phishing as part of the attack, and all too frequently it is negligence and a lack of user awareness that make this possible. By imitating organisations such as the WHO, scammers spread their infections and target the more vulnerable in a manner not unlike an actual virus.
Defending Against Phishing Attacks
Though the tactics and methods employed by attackers and criminals are increasingly sophisticated, and often exploit current events, there are plenty of simple ways users can be trained to defend their important information.
With awareness of these four basic areas for anti-phishing security training, a significant portion of phishing attacks, whether by email or text, can be defended against to great effect, helping to neutralise threats.
The first element of any email that users need to inspect is the address from which the email arrives. The most basic phishing attacks may use nonsensical or gibberish addresses, whereas more advanced attackers frequently attempt to confuse users by creating addresses that mimic those of official or trusted organisations.
The subtle substitution of characters, such as ‘I’s with ‘1’s, may be an element of a fraudulent address, as may adding hyphens where the official address has none, for example cdc-gov.org in place of cdc.gov.
Though it may take a few extra moments, it’s worth taking the time to authenticate an email address before taking any action. Should you find any inconsistencies, inaccuracies, or anything generally suspicious regarding an address, report and delete the message.
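The sender-address checks described above can be automated as a first-pass filter. The following is an added example written for this post, not Hut Six code or any product feature: it takes a constructed trusted-domain list (cdc.gov from the post and who.int, the WHO’s real domain), folds look-alike characters (treating ‘1’ as ‘l’, ‘0’ as ‘o’ and so on), splits a domain on both dots and hyphens, and flags a sender whose domain imitates a trusted one through substitution, inserted hyphens or a dropped dot. The confusables map is an assumption for illustration, not an exhaustive table.

```python
import re
from typing import Optional, Tuple

# Characters commonly substituted for the letters they resemble. This map is
# an illustrative assumption for the example, not an exhaustive confusables table.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})

# Constructed trusted-domain list: cdc.gov is named in the post, who.int is the
# WHO's real domain. A real deployment would load this from policy.
TRUSTED_DOMAINS = ["cdc.gov", "who.int"]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From header such as 'WHO Alerts <alerts@who.int>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", from_header.strip())
    if not m:
        raise ValueError(f"no sender domain in {from_header!r}")
    return m.group(1).lower().rstrip(".")


def normalise_label(label: str) -> str:
    """Fold look-alike characters so that 'g0v' and 'gov' compare equal."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m")


def labels(domain: str) -> list:
    """Split on both '.' and '-' so an inserted hyphen cannot hide a match."""
    return [normalise_label(p) for p in re.split(r"[.\-]", domain) if p]


def _contains_run(haystack: list, needle: list) -> bool:
    """True if `needle` occurs as a contiguous run inside `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', None)."""
    domain = sender_domain(from_header)
    # An exact match, or a genuine subdomain of a trusted domain, is accepted.
    for t in trusted:
        t = t.lower()
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    # Otherwise look for a trusted name hidden behind character substitution,
    # extra hyphens or dots, or a dropped dot (cdc-gov.org, cdc.g0v, cdcgov.org).
    cand = labels(domain)
    for t in trusted:
        want = labels(t)
        if _contains_run(cand, want) or cand[0] == "".join(want):
            return "lookalike", t.lower()
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers; none of these addresses is real mail.
    for hdr in ["WHO Alerts <alerts@who.int>", "alerts@cdc-gov.org",
                "info@cdc.g0v", "news@cdcgov.org", "noreply@mail.cdc.gov",
                "someone@example.com"]:
        print(f"{hdr:35} -> {classify_sender(hdr)}")
```

A ‘lookalike’ verdict is the case the post tells users to report and delete; ‘unknown’ simply means the domain is not on the trusted list and still deserves the manual inspection described above.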
Terms such as ‘ASAP’ or ‘URGENT’ can be used in subject lines or the body of the text to help pressure a user into handing over important information or taking insecure actions, for fear of not completing a task in a given window of time.
Though there are undoubtedly instances where you will receive time-sensitive requests, typically from workplace management, a sense of urgency is often employed by phishing attackers to increase the chances of a target making a ‘snap’ or poorly judged decision.
Opening and reading an email always carries an inherent level of risk, but far more prominent is the risk that comes with opening an attachment. Although most workplace email accounts have scanning capabilities that filter out the most dangerous files, we cannot rely entirely on these fallible systems to protect us.
Varying in severity, malware can come in many forms with many objectives, but when you open an attachment you are putting yourself, your computer and quite possibly your entire network at risk.
Attackers try to obfuscate malware, burying a file type such as .exe behind other, more trusted file types. For example, “InnocentFileYouRequested.PDF.exe”. At a glance this attachment can look perfectly safe, but a file named in such a way is almost certainly not something you want to be opening.
Scammers go to great lengths to capture credentials, credit card numbers and many other forms of sensitive information, and phishing emails invariably do this by directing a recipient to an inauthentic website.
Before you click on a link, make sure to take the time to inspect it first. Although methods may differ slightly, it is typically by hovering over a link that you can see the address to which it points. If the URL displayed is different from what you’d expect, chances are the message is fraudulent and looking to exploit you.
If you’ve already clicked on a link, again be wary of the address. Scammers frequently build websites that appear to be a legitimate login page, whilst attempting to obscure an inauthentic URL. The best option for links you are uncertain about is to avoid following them altogether, and instead use a search engine to find your desired page or type the address manually.
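The attachment and link checks above (the double-extension trick and the mismatch between a link’s visible text and where it actually points) are both mechanical enough to script. The following is an added example written for this post, not Hut Six code: it classifies attachment filenames, then parses the HTML body of a constructed sample email with the standard-library HTML parser and compares the host in each link’s visible text with the host in its href. The extension sets and the hostnames in the sample are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative extension sets, assumed for this example rather than a definitive policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta", "jar"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def check_attachment(filename: str) -> str:
    """Classify a filename as 'ok', 'executable', 'executable-disguised' or 'no-extension'."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "no-extension"
    if parts[-1] in EXECUTABLE_EXTS:
        # A document extension sitting in front of the real, executable one is
        # the 'InnocentFileYouRequested.PDF.exe' pattern described in the post.
        if any(p in DOCUMENT_EXTS for p in parts[1:-1]):
            return "executable-disguised"
        return "executable"
    return "ok"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body of an email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Return the lower-cased hostname, tolerating text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_links(html: str) -> list:
    """For each link: 'mismatch' if URL-looking text points elsewhere, 'ok' if it
    agrees, 'inspect' if the text is not a URL and the user must hover to see it."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if re.match(r"(https?://|www\.)", text, re.I):
            verdict = "ok" if host_of(text) == host_of(href) else "mismatch"
        else:
            verdict = "inspect"
        findings.append({"text": text, "href": href, "verdict": verdict})
    return findings


# Constructed sample email body; every hostname here is invented for the example.
SAMPLE_EMAIL_HTML = """
<p>Read the latest guidance at
<a href="http://who-int.update-portal.example/login">https://www.who.int/</a>.</p>
<p>Official page: <a href="https://www.cdc.gov/coronavirus">www.cdc.gov</a></p>
<p><a href="https://accounts.example.net/verify">Click here</a> to verify.</p>
"""

if __name__ == "__main__":
    for name in ["InnocentFileYouRequested.PDF.exe", "report.pdf", "invoice.exe", "README"]:
        print(f"{name:35} -> {check_attachment(name)}")
    for f in check_links(SAMPLE_EMAIL_HTML):
        print(f"{f['verdict']:9} text={f['text']!r} href={f['href']!r}")
```

The ‘inspect’ verdict is deliberate: a link whose text is just “Click here” cannot be judged from the text alone, which is exactly why the post recommends hovering over it, or avoiding the link and typing the address yourself.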
Simulated Phishing Training
With the average cost of an attack now over £4,000, a simulated phishing campaign is one of the best ways to prepare a workplace for a phishing attack, whilst also educating about many of the tactics that phishers use and how to avoid falling for them.
Though particular methods, such as the exploitation of the coronavirus panic, may pass, the fundamental awareness and education needed to defend against phishing attacks enables staff to mitigate the avoidable risk of a successful phishing attack and data breach.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.