It’s a thing, because of course it is.

For centuries criminals have preyed on the feelings of confusion and vulnerability that accompany epidemics and natural disasters, and our current situation is no different.

Online criminals are mounting aggressive phishing campaigns that seek to capitalize on public concern surrounding the Coronavirus-COVID-19 pandemic. Cybercriminals often take advantage of health scares or disasters, and the current situation has generated dozens of new phishing campaigns designed to scare or entice recipients into clicking on harmful links or attachments in emails, text messages and social media posts.

As Federal and State aid programs come online, the bad guys are seeking to exploit people’s need for help or information, posing as aid management staff, government agency employees, bank representatives, debt collectors, law enforcement, or even your employer.

Terminology note

In order to get out of having day jobs or leaving their mom’s basement, thieves are often the first to adopt new technology, so it’s important to know that the threat isn’t just in your inbox. Some cybercriminals still use old-school phone cons, and others have adopted text messaging as a way to bait the hook. In this article I use phishing to refer to the following four data-piracy schemes.

Phishing is criminal activity that occurs when crooks send emails or text messages that appear to be from reputable companies or trusted institutions in order to convince people to reveal personal information, such as passwords and credit card numbers.

Spear phishing is an email or electronic communication targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Vishing is the telephone equivalent of phishing and is the act of using the telephone in an attempt to convince the user to surrender private information that will be used for identity theft.

Smishing is the text message equivalent to phishing and uses SMS text messages instead of email or the phone as bait.

Protect our Elders

As with the virus, the elderly are at higher risk for phishing, so if you have elderly parents and loved ones, make sure to remind them this is happening and offer to review any unsolicited communications they receive, especially those that ask for any kind of identity information like social security and/or bank account numbers, medical records, or username/password information.

Forwarding all our spam to the Nigerian Prince never gets old. What a dope.

Stealing from the elderly is a multi-billion-dollar business in the U.S. that drains people of their retirement funds and government benefits. A recent Department of Justice report assessed that the elderly lose an estimated $3 billion to criminals every year and finding this out made me so angry that my son thought I was going to go Endgame and leave a smoking crater where West Omaha used to be.

They shall be avenged.

The good news is that armed with information and some examples, you’ll be able to help your loved ones and friends spot fraudulent messages and avoid getting hooked.

What is phishing?

Phishing is a form of psychological manipulation used by cybercriminals to trick people into performing actions or divulging confidential information. Perpetrators are fishing for information they can either use themselves for profit or sell to larger criminal organizations.

These messages might ask you to open an attachment to see the latest statistics. If you click on the attachment or embedded link, you’re likely to download malicious software onto your device. This software could allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data, which could lead to identity theft.

How do I recognize & avoid phishing emails or texts?

Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information. Never respond to the email with your personal data.

Check the email address or link. You can inspect a link by hovering your mouse button over the URL to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses. Delete the email.

Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email. Delete it.

Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.

Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — right now. Instead, delete the message.

Many cybercriminals are super-lazy, and here’s an email I received from someone pretending to be PayPal who wasn’t even really trying. The message includes examples of what to watch for.

“We have updates on our been Scheduled disable on?” Very phishy.

How do I spot a coronavirus phishing message?

Below are some coronavirus-themed phishing emails that have been circulating.

CDC alerts. Cybercriminals have sent phishing emails designed to look like they’re from the U.S. Centers for Disease Control. The email might falsely claim to link to a list of coronavirus cases in your area. One of these phishing emails reads “You are immediately advised to go through the cases above for safety hazard.”

Here’s an example of a fake CDC email.

Source: CDC – Alert: Phishing Email Referencing CDC and Flu Pandemic. 2020

Health advice emails. Phishers have sent emails that offer purported medical advice to help protect you against the coronavirus. The emails might claim to be from medical experts near Wuhan, China, where the coronavirus outbreak began. One phishing email says “This little measure can save you, use the link below to download Safety Measures.”

Here’s what a fake health-advice email looks like.

Source: U.S. Department of Health and Human Services – 2020

Workplace policy emails. Cybercriminals have targeted employees’ workplace email accounts. One phishing email begins, “All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.” If you click on the fake company policy, you’ll download malicious software.

Here’s an example.

Source: U.S. Department of Health and Human Services- 2020

More coronavirus phishing hooks

  • Phony websites containing maps and dashboards.
  • Information about protecting yourself, your children or your community that contains malicious links or attachments.
  • Charitable appeals, claiming to help victims of the virus, which are not legitimate
  • Misleading ads or spam about masks or other protective gear, or other helpful hints to combat the virus.
  • Fraudulent emails were sent to college students that posed as official communications from University personnel offering bogus updates about closures and other coronavirus-related news.
  • Fake emails from employers targeting people who are working from home provide links to fake OneDrive or Office365 login screens designed to capture and steal email addresses, login names, and passwords.
  • Emails that appear to come from the World Health Organization and promise information on safety measures to avoid infection. Recipients who click on an embedded link visit a site that prompts them to share personal information.
  • Researchers from Sophos, meanwhile, have identified dozens of malicious websites with domains that reference COVID or COVID-19, the disease caused by the coronavirus.

You should also be highly skeptical of emails and websites claiming to provide information or goods related to the ongoing pandemic.

In the post-truth U.S., good cyber-hygiene requires that we never take source claims at face value. One of the most reliable sources for legitimate coronavirus-related information is this page from the U.S. Centers for Disease Control and Prevention. Communications from local departments of health can also be helpful, but only when the emails or websites can be confirmed as coming from a legitimate agency.

World Health Organization. WHO provides a range of information, including how to protect yourself, travel advice, and answers to common questions.

National Institutes of Health. NIH provides updated information and guidance about the coronavirus. It includes information from other government organizations.

Deep Throat said “trust no one.” And that’s hard, Scully.

fox mulder

Photo: Marvel Studios – Avengers: Endgame; 2019.

Leave a Reply