Hook, line and sinker
While our usual social events - sports, political rallies, and concerts - are canceled for the time being, social engineering is going strong.
Phishing campaigns are leveraging the fear and uncertainty stemming from the coronavirus pandemic to steal money and scare the pants off of people, typically in one of three forms: scams, malware infections, and username and password theft.
The scams are appalling. In an all-new low, a blackmail attack - detected over 1,000 times in just two days - claimed to know people’s whereabouts and threatened to infect them and their families with coronavirus unless they paid a ransom. Other scams promised coronavirus cures or face masks or asked for investments in fake companies that claimed to be developing vaccines. Donation requests for fake charities are popular; beware an email from the non-existent World Health Community that asks for donations to a Bitcoin wallet.
Malware attacks have tricked thousands into downloading a fake Chrome update and malware parading as Zoom software. Mobile phone users in hard-hit parts of Spain and Italy have been prey for malware dressed up as COVID information apps.
Finally, phishing attacks to your email are using COVID as a lure to collect your username and password. In one example, an email claiming to be from the CDC attempts to steal Microsoft Exchange credentials when the malicious link is clicked. In another, your local hospital emails saying you’ve been exposed to the virus and need to come in to get tested; they attach a handy spreadsheet for you to fill in your contact information that is actually malware.
With phishing, we remind you:
Hover, don’t click! Like using a toilet in a roadside gas station, you may not wish to make contact with that link. Hover over it with your mouse, and check the bottom left corner of your browser or email client to see what the link is and if it matches what’s written in the email. If you can’t tell, instead of clicking on the link, go to the website it’s supposed to be referencing in a tab in your browser.
Police the grammar. This is the moment for your long-shamed inner nerd to shine. Did your hospital admin really spell coronavirus wrong? Would the hospital name really be spelled like that in the email address? Why not just Google that person’s email address and name and find out?
They’re just not that into you. Sure, you’re great. But your hospital is not going to call you. The CDC is not going to email you. Sadly, that prince in Africa is not actually going to give you his money. If a major company or important person is reaching out to you, they’ll likely call you by name, and will probably call you or reach out in a way that doesn’t look or feel shady.
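The "hover, don’t click" and "check the email address" habits above can also be automated for a mail gateway or a security-awareness lab. The script below is an added example written for this article, not code from the original post: it parses an HTML message body, flags links whose visible text names one domain while the href actually points somewhere else (the classic hover mismatch), flags links that go to a bare IP address instead of a hostname, and checks whether a sender address borrows a trusted organisation’s name on a different domain. The sample HTML, the domain `cdc-updates.example.net`, the IP `203.0.113.5` and the trusted-domain set are constructed for the demonstration; the "last two labels" domain heuristic and the lookalike check are deliberately simple assumptions, and a production tool would use the public suffix list and a proper lookalike algorithm instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML body (not a real message).
SAMPLE_HTML = """
<p>Please review the CDC guidance at
<a href="http://cdc-updates.example.net/login">https://www.cdc.gov/coronavirus</a>
and visit <a href="https://www.who.int/">the WHO site</a> for more.
<a href="http://203.0.113.5/update.exe">Click here</a> to update Chrome.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a scheme-less string like 'www.cdc.gov/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (an assumption that is
    good enough here; a real tool would consult the public suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """True if the visible link text itself reads like a URL or a domain name."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I) is not None


def analyze_links(html):
    """Return findings for links whose destination does not match what the reader sees:
    the text names one domain but the href goes to another, or the href targets a bare
    IP address instead of a hostname."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            findings.append({"text": text, "href": href, "reason": "bare IP address"})
        elif looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(real_host):
            findings.append({"text": text, "href": href,
                             "reason": "displayed domain differs from link target"})
    return findings


def sender_is_lookalike(from_addr, trusted_domains):
    """Flag a From: address whose domain is not trusted but reuses a trusted organisation's
    name, e.g. cdc-alerts.example.net posing as cdc.gov (simple substring heuristic)."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return False
    return any(d.split(".")[0] in domain for d in trusted_domains)


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        print(f"{f['reason']}: shown '{f['text']}' -> {f['href']}")
    print("lookalike sender:", sender_is_lookalike("alerts@cdc-alerts.example.net", {"cdc.gov"}))
```

Run against the sample body, the first link is reported because the reader is shown a cdc.gov address while the href leads to example.net, and the "Click here" link is reported because it resolves to a raw IP; the WHO link, whose text is plain words rather than a URL, is left alone, which is exactly the gap the manual hover check still has to cover.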
For more tips, and what to do if you’ve already clicked, see our phishing training.