COVID-19 has become a global issue as cases spread at a rapid pace. While physical health is a top concern, you should be aware that malicious attackers are using this opportunity too.
Attackers are not only sending phishing emails and text messages and making phone calls while pretending to be the WHO or the CDC; they are also leveraging emotional messaging and fear to lure victims.
Individuals fall victim by carrying out the actions outlined in these messages, such as opening attachments, clicking links and providing sensitive information.
In a recent report, Proofpoint researchers wrote: “In this latest round of campaigns, attackers have expanded the malware used in their coronavirus attacks to include not just Emotet and the AZORult information stealer, but also the AgentTesla Keylogger and the NanoCore RAT—all of which can steal personal information, including financial information.”
This is a hostile attempt to take advantage of the public’s fear of coronavirus and trick them into sharing personal, financial and business information.
What can you do to protect yourself?
According to the World Health Organisation, they will never:
– Ask you to log in to view safety information
– Email attachments you didn’t ask for
– Ask you to visit a link outside of www.who.int
– Charge you money to apply for a job, register for a conference, or reserve a hotel
– Conduct lotteries or offer prizes, grants, certificates or funding through email
– Ask you to donate directly to emergency response plans or funding appeals.
Here is a list of WHO guidelines to prevent phishing:
1. Verify the sender by checking their email address
Make sure the sender’s email address ends in ‘@who.int’. If there is anything other than ‘who.int’ after the ‘@’ symbol, the sender is not from WHO. WHO does not send email from addresses ending in ‘@who.com’, ‘@who.org’ or ‘@who-safety.org’, for example.
2. Check the link before you click
Make sure the link starts with ‘https://www.who.int’. Better still, navigate to the WHO website directly, by typing ‘https://www.who.int’ into your browser.
3. Be careful when providing personal information
Always consider why someone wants your information and if it is appropriate. There is no reason someone would need your username and password to access public information.
4. Do not rush or feel under pressure
Cybercriminals use emergencies such as COVID-19 to lure people into making decisions quickly. Always take time to think about a request for your personal information, and whether the request is appropriate.
5. If you gave sensitive information, don’t panic
If you believe you have given data such as your username or passwords to cybercriminals, immediately change your credentials on each site where you have used them.
6. If you see a scam, report it.
7. You can also go straight to the source, https://www.who.int, for information on the coronavirus.
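The following script applies checks 1 and 2 mechanically. It is an added example, not code from WHO or OneLogin, and it goes one step beyond the page’s prefix test by parsing the link’s host, because ‘https://www.who.int.example.com’ also starts with ‘https://www.who.int’. All sender and link values in it are constructed.

```python
import re
from urllib.parse import urlsplit

# Values the page gives: WHO mail comes from @who.int, WHO links live on www.who.int.
WHO_MAIL_DOMAIN = "who.int"
WHO_WEB_HOST = "www.who.int"


def sender_is_who(from_header: str) -> bool:
    """Check 1: the address part of a From: header must end in '@who.int'.

    The display name is deliberately ignored: 'WHO Alerts <x@who-safety.org>'
    is the pattern the page warns about, so only the text inside <> (or the
    bare address when there are no angle brackets) is examined.
    """
    m = re.search(r"<([^<>]+)>\s*$", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    return bool(local) and domain == WHO_MAIL_DOMAIN


def link_is_who(url: str) -> bool:
    """Check 2: the link must be https and its host must be exactly www.who.int.

    A plain "starts with https://www.who.int" string test also accepts
    'https://www.who.int.example.com/' and 'https://www.who.int@evil.example/',
    so the host is parsed out of the URL instead of compared as a prefix.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return False
    return (parts.hostname or "").lower() == WHO_WEB_HOST


def screen_message(from_header: str, links: list) -> list:
    """Return the reasons a message fails either check (empty list = passes)."""
    problems = []
    if not sender_is_who(from_header):
        problems.append(f"sender is not @{WHO_MAIL_DOMAIN}: {from_header!r}")
    for url in links:
        if not link_is_who(url):
            problems.append(f"link is not on {WHO_WEB_HOST}: {url!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample in the style the page describes: spoofed name, lookalike domain.
    for p in screen_message("WHO Safety <alerts@who-safety.org>",
                            ["https://www.who.int.example.com/covid-update"]):
        print(p)
```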
Smishing (phishing attacks via SMS) and vishing (via phone or VoIP) are other flavours of social engineering in which attackers aim to provoke an emotional response, pushing individuals to click without thinking.
When you receive unexpected emails, texts and/or phone calls, use S-T-O-P:
1. Stop
2. Take a deep breath
3. Opportunity to think
4. Put the message into perspective and report the phish, smish or vish to your IT team.
Remind users to never open attachments from senders they don’t know. Inform users of all the various forms that these phishing, smishing or vishing attempts may take.
Niamh Vianney Muldoon is Senior Director of Trust and Security EMEA at OneLogin