We are observing a growing number of phishing attacks where the attackers are exploiting the COVID-19 situation to give their scams credibility. The signs of a phishing attack may include an enticing offer or a sense of urgency.
Current COVID-19 phishing emails may look like CDC alerts with a malicious link claiming to point to a CDC website, health advice emails claiming to be from medical experts, or fake workplace policy emails with malicious links or attachments. If you click on the link, the malicious website may steal your personal, banking or login information, or drop malware onto your computer. Downloading and opening attachments may install ransomware or a backdoor on your computer.
Tips on how to recognize and prevent coronavirus email phishing scams:
- Carefully review the sender's email address, and keep in mind that it might be “spoofed”.
- Watch for mistakes in spelling and grammar.
- Watch for non-personalized greetings. Phishing emails usually use a greeting like “Dear Sir/Madam”.
- Do not act if you feel pressured: phishers usually create a sense of urgency.
- Use out-of-band verification via phone, SMS or chat, if in doubt.
- Refrain from clicking on the links in emails right away. Inspect these by hovering your mouse over the URL to see where it leads.
- Do not submit your Social Security number or login information on sites claiming to be government agencies. Do not respond to such emails with your personal information.
- Do not download or open attachments from unsolicited emails.
- If you already opened an MS Office document that is asking you to “Enable Content”, close and delete that document immediately.
- Watch out for file extensions in attachments. File.docx.exe or File.pdf.exe are not documents, but executable programs that may harm your computer.
- If you’re not sure about the legitimacy of an email or a website and there is no way to verify, run the email client or browser from an application sandbox (like Sandboxie).
General cyber security tips:
- Check for updates of operating system and software periodically. Enable automatic updates wherever possible.
- Make sure to use antivirus.
- Use your company VPN.
- Work under a user account, not under the administrator account.
- Use long and strong passwords. If they are hard to remember, use a password manager.
- Do not install unneeded applications.
To learn more about different phishing attacks and how to prevent them, please read our new whitepaper:
Phishing Attack Simulations and Effective Measures to Prevent Them
Image by Gerd Altmann