By Devin Craft
Many bad actors are capitalizing on the fear and urgency presented by the worldwide COVID-19 outbreak to initiate new email-based attacks. These COVID-19 themed scams are examples of phishing. Phishing is when an attacker sends a fraudulent or malicious message that looks legitimate or appears to be from someone you know.
The basic aim is to trick people into thinking the email is something that it is not, and compel them to click on malicious links or attachments. Phishers often impersonate someone you know (like a coworker, your boss, or a customer) or a platform you trust (like Microsoft, Google, or UPS), while simultaneously preying on urgency and fear, with the intention of tricking you and stealing your username and password. They might provide a website that looks like a social media service (Facebook, Twitter, LinkedIn, etc.), a work-related resource (Office 365), or critical infrastructure (banking and utilities).
Note that the image below is an example of an impersonation. The name displayed looks legitimate, “Gates Foundation”, but there is a subtle typo in the actual e-mail address, “email@example.com”. Phishing emails such as this one expect readers to only see the display name, without seeing or checking the email address beside it. Check and verify the email address.
How do you protect yourself?
Even though there are tools in place to help prevent phishing messages from making it to your inbox, you are the best preventative measure. If you can train yourself to spot the tell-tale signs of phishing emails, you won’t fall for them.
Consider these points before you click: Is the offer enticing? Is it likely too good to be true? Is there a sense of urgency? Have you received messages from the sender before?
If an email subject sounds too good to be true (“New COVID-19 prevention and treatment information! Get the vaccine for FREE”), it probably is. And if an email demands urgent action from you (“URGENT: COVID-19 ventilators and patient test delivery blocked!”), take a moment to slow down. Verify and make sure it’s legitimate. Always be suspicious of any attachments and links in email. Keep in mind that legitimate sources of health information won’t use unsolicited email or text messages to make announcements or require action from customers.
Some measures to take include:
- Check the sender's email address. Are they who they claim to be? Check that their contact name matches the actual email address they’re sending from. When in doubt, and you do know the person that the email is supposedly from, give them a call to verify the email’s legitimacy.
- Do not click or tap! If it’s a link and you’re on a computer, take advantage of your mouse cursor and hover over the link (without clicking!) to closely inspect the web address before clicking.
- Do not open attachments from unfamiliar people. Avoid opening attachments from any external email addresses or phone numbers.
- Get someone else’s opinion. A good practice is to use a different medium to verify whether an email is legitimate. For example, if you receive a strange email claiming to be from the HR department, try calling your HR over the phone to double-check that it’s from them. When in doubt, you can always forward the suspicious email to firstname.lastname@example.org and ask for expert review (ideally, using the “Forward as Attachment” option in Outlook).
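The two checks above that a reader does by eye, comparing the display name with the real address and comparing a link's visible text with where it actually points, can also be automated on the mail-gateway side. The following is an added example, not code from the original post; the brand name, domains and HTML snippet are constructed placeholders, and the similarity threshold is an assumption chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample data (not real organisations): brand names as they
# appear in a display name, mapped to the domain that brand really sends from.
TRUSTED_SENDERS = {"example foundation": "example-foundation.org"}


def check_sender(from_header: str) -> list[str]:
    """Flag a From: header whose display name claims a known brand while the
    real address (the part after the @) belongs to a different domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    for brand, real_domain in TRUSTED_SENDERS.items():
        if brand in name.lower() and domain != real_domain:
            # A near-identical spelling is the "subtle typo" case; anything
            # further away is a plain display-name impersonation. 0.85 is an
            # assumed threshold, not a standard value.
            similarity = SequenceMatcher(None, domain, real_domain).ratio()
            kind = "lookalike domain" if similarity >= 0.85 else "mismatched domain"
            findings.append(f"{kind}: {name!r} sent from {domain!r}, expected {real_domain!r}")
    return findings


# Naive anchor matcher; adequate for the simple constructed HTML used here,
# not for arbitrary real-world markup.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def check_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, href) pairs where the text shows one host but the
    link really goes to another: the mismatch hovering the cursor would reveal."""
    mismatches = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if " " in text or "." not in text:
            continue  # plain words like "Click here" name no host to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    print(check_sender('"Example Foundation" <news@exampel-foundation.org>'))
    print(check_links('<a href="http://example-foundation.org.attacker.test/">www.example-foundation.org</a>'))
```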