Author: Jeff Weeks, Sr. Vice President and Chief Information Security Officer
As with any other wide-scale event, scammers are taking advantage of the feeling of urgency and demand for information around the COVID-19 pandemic. Luckily, the tactics scammers are using are mostly ploys we have seen and heard before. The best defense against scammers is to keep a healthy skepticism about the emails, phone calls, social media links and text messages we receive.
Following are some emerging COVID-19-related phishing scams and technology threats reported by the Federal Trade Commission, as well as some examples of spam emails to help you recognize and avoid them.
Advertisements: One way scammers try to lure you in is by offering limited supply items, such as toilet paper, hand sanitizer and cold medicine. If you click links or open attachments in these email messages, not only do you open yourself up to the possibility of having malicious software installed on your computer, you may pay for items you’ll never receive and may find additional unwanted charges on your credit card.
Phishing via email/text/phone: One of the tactics scammers use is to send phishing email messages and text messages using familiar company or government agency names to lure you into clicking links or opening attachments. Once the link is clicked or the attachment is opened, you may be asked to disclose sensitive information, such as your social security number, account numbers, or usernames and passwords.
Clicking on links and attachments can also result in the installation of malware on your computer or other device, including ransomware or other malicious code that gains remote control of your computer and/or webcam, or steals keystrokes or files. One common form of malware is Emotet. Emotet not only impacts your device, it propagates to other devices. Emotet can deploy ransomware or install other types of malware that steal user credentials, browser history and sensitive documents. The harvested data is then used to send spam and malware to other email accounts, continuing a growing cycle of cyber-attacks.
A current phone scam targeting individuals working from home is a purported call from your IT department asking for credentials. Some variations of this call may attempt to coax you into granting remote access to your machine.
How to Avoid Falling for Phishing Scams: In general, watching for tell-tale cues and following these guidelines for recognizing phishing are a good foundation for protecting yourself from COVID-19 scams.
- Generic Greetings: While not all phishing messages use generic greetings, the use of “sir/madam” or “resident” might be indicative of a phishing attempt.
- Urgency: Despite the speed with which the coronavirus situation escalated, avoid messages that insist you act urgently. Slow down and analyze the message thoroughly before proceeding.
- Spelling and Grammatical Errors: If an email contains spelling and grammatical errors, especially if it appears to be from an official entity or business, it is more than likely phishing. Don’t click on any links or open any attachments. Delete the message.
- Verify Email Addresses and Links in Email Messages: Inspect the email address of the sender to ensure the domain of the address is consistent with the entity they are purporting to represent (e.g. email messages from and links to the CDC should end in “cdc.gov”). Hover over the link to verify the target of the link, and ensure it is consistent with the sender of the message. Use caution: scammers sometimes create fake addresses that closely resemble the legitimate web address. Look closely, and if anything seems suspicious, don’t click the links and delete the email message.
- Use Independently Identified and Reliable Sources: If you think a message or link may be legitimate, it is best to use a website address you already have or that you have researched independently. If you want up-to-date information about the coronavirus pandemic, go directly to a reliable source.
- Keep Personal Information Personal: Don’t give out personal information on the phone and don’t call a number provided to you in a text message or email. Call the company back at a number you have used before or that you find independently of the phone call, email, or text.
- Don’t Click: Do not click on links in text messages or emails. Again, use a website you are familiar with or call the sender at a number you know or find independently to verify the legitimacy of the text or email.
In the end, protecting yourself from coronavirus-themed scams is the same as protecting yourself from any other scam. Slow down, look carefully, do some research and employ generous use of the delete button.
Here are some documented examples of coronavirus-related phishing email messages:
Centers for Disease Control (CDC) Alerts
One of the tactics scammers are using is to send phishing email messages that appear to be from the Centers for Disease Control and include a link which appears to direct you to a list of new cases in your city. These messages create a sense of urgency by stating: “You are immediately advised to go through the cases above to avoid potential hazards.” But notice the red boxes in the image below. The domain in the email address is incorrect and, while the link in the message appears to direct you to the CDC’s website, hovering over the link reveals the true destination.
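The two checks described above (does the sender's domain end in the expected domain, and does the link's real destination match both the sender and the text shown for the link) can be automated. The script below is an added example written for this article, not something from the author or the FTC; the email headers and HTML body it inspects are constructed samples, and the hostnames `cdc-gov-update.example` and `cdc.gov.cases.example` are made up to stand in for lookalike domains. It treats a host as belonging to a domain only when it is that domain or a subdomain of it, so `cdc.gov.cases.example` is correctly rejected even though it starts with "cdc.gov".

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_in_domain(host, domain):
    """True only if host is domain itself or a subdomain of it.
    A plain 'endswith("cdc.gov")' check would accept 'fakecdc.gov'."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(from_header):
    """Extract the domain from a From header such as 'CDC <x@cdc.gov>'."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(from_header, html_body, expected_domain):
    """Return a list of human-readable findings; an empty list means
    sender and every link are consistent with expected_domain."""
    findings = []
    sdom = sender_domain(from_header)
    if not host_in_domain(sdom, expected_domain):
        findings.append(f"sender domain {sdom!r} is not under {expected_domain!r}")

    parser = LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        target = urlparse(href).hostname or ""
        if not host_in_domain(target, expected_domain):
            findings.append(f"link {text!r} really goes to {target!r}, not {expected_domain!r}")
        # The 'hover over the link' check: the text shown as a URL must
        # match where the link actually goes.
        if text.lower().startswith("http"):
            shown = urlparse(text).hostname or ""
            if shown != target:
                findings.append(f"link shows {shown!r} but targets {target!r}")
    return findings


# Constructed sample: a lookalike sender and a link whose visible text is a
# cdc.gov URL while its href goes elsewhere.
PHISHING_FROM = "CDC-INFO <cdc-alert@cdc-gov-update.example>"
PHISHING_BODY = (
    "<p>You are immediately advised to go through the cases above "
    "to avoid potential hazards.</p>"
    '<a href="https://cdc.gov.cases.example/list">'
    "https://www.cdc.gov/coronavirus/cases</a>"
)

# Constructed sample of a message that passes both checks.
LEGIT_FROM = "CDC <no-reply@cdc.gov>"
LEGIT_BODY = '<a href="https://www.cdc.gov/coronavirus/2019-ncov/">Latest guidance</a>'


if __name__ == "__main__":
    for label, hdr, body in (("phishing", PHISHING_FROM, PHISHING_BODY),
                             ("legitimate", LEGIT_FROM, LEGIT_BODY)):
        print(label, check_message(hdr, body, "cdc.gov") or ["no findings"])
```

The lookalike message produces three findings (wrong sender domain, wrong link target, and a displayed URL that differs from the real one), while the legitimate message produces none. The same `host_in_domain` rule applies to the "hover over the link" advice: what matters is the hostname of the actual target, not any familiar-looking prefix of it.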
Another scam approach is to offer advice for avoiding infection, or to provide guidance for surviving an infection. These messages might claim to be from health officials, or even from China or Italy where the virus had a significant impact.
Requests for Financial Assistance
There are scams related to charitable giving. While some are in the name of specific charities, some are asking for bitcoin or donations to a GoFundMe account, and some are implementing the tried and true money mule scheme. Do your research, only give to reputable and trusted charities, and remember, if it appears too good to be true, it probably is.