COVID-19 has become a global problem as cases spread at a rapid rate. While physical health is a major concern, you should be aware that malicious attackers are taking advantage of the situation as well. Attackers not only send phishing emails and text messages and make phone calls pretending to be the WHO or CDC, they also use emotional messaging and fear to lure victims. People become victims by performing the actions described in the messages, such as opening attachments, clicking links, and providing sensitive information.

In a recent report, Proofpoint researchers wrote: "In this latest series of campaigns, attackers have extended the malware used in their coronavirus attacks to include not only Emotet and the AZORult information stealer, but also Agent Tesla Keylogger and NanoCore RAT, all of which can steal personal information, including financial information." It is a hostile attempt to harness public fear of the coronavirus and push people into sharing personal, financial, and business information.

What can you do to protect yourself? According to the World Health Organization, it will never:
- Ask you to sign in to view security information
- Send email attachments you did not request
- Ask you to visit a link outside of www.who.int
- Charge you money to apply for a job, register for a conference or book a hotel
- Conduct lotteries or offer prizes, grants, certificates or financing by email.
- Ask you to donate directly to emergency response plans or fundraising calls.

To protect yourself from these scams:
- Verify the sender by checking their email address
- Check the link before clicking
- Be careful when providing personal information
- Don't rush or feel pressured
- If you've provided confidential information, don't panic
- If you see a scam, report it.

You can also go directly to the source for information on the coronavirus:
- CDC
- WHO
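
The sender and link checks from the lists above can be automated for a single message. The following is an added example, not code from the original article or from the WHO; the sample message, its addresses and its hosts are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "who.int"  # the domain the WHO list above says its links stay on

def host_is_trusted(host, trusted=TRUSTED):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message (plain text)."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not host_is_trusted(sender_host):
        findings.append(f"sender domain is {sender_host!r}, display name {display!r}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        # urlsplit().hostname ignores any 'user@' prefix, so
        # https://www.who.int@host/ is judged by the host after the '@'.
        host = urlsplit(url).hostname
        if not host_is_trusted(host):
            findings.append(f"link goes to {host!r}: {url}")
    return findings

# Constructed sample message; every address and host here is made up.
SAMPLE = """\
From: "World Health Organization" <alerts@who-int.example>
Subject: Safety measures

Read the guidance: https://www.who.int/emergencies
Sign in here: https://www.who.int.login.example/view
Or here: https://www.who.int@203.0.113.7/doc
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

An empty result is not proof that a message is genuine, because the From header can be forged; the check only catches mismatches that are visible in the message itself.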

Smishing (phishing attacks via SMS) and vishing (via phone or VoIP) are other flavors of social engineering in which attackers seek to elicit an emotional response so that people click without thinking. When you receive unexpected emails, text messages, or phone calls, use STOP:
- Stop
- Take a deep breath
- Opportunity to think
- Put the email in perspective and report the phishing, smishing, or vishing attempt. Inform your IT team.

Remind users never to open attachments from senders they don't know. Inform users of all the forms these phishing, smishing, or vishing attempts can take.

Niamh Vianney Muldoon is Senior Director of Trust and Security EMEA at OneLogin.