COVID-19 was declared a global health emergency by WHO in March 2020. With infections and death rates on the rise, the pandemic caused by the spread of the novel coronavirus led to fear and apprehension.
The world immediately came to a standstill as lockdowns were imposed in cities around the world. All physical activities stopped while people were confined to their homes. As we tried navigating through this unprecedented time, we witnessed a surge in online activities. Businesses, education, interactions: everything started taking place online. While social media helped people stay connected and businesses keep running in such fearful times, cybercriminals exploited this fear among people.
Cyberattacks aren’t uncommon during times of crisis; these criminals play on societal vulnerabilities. COVID-19 has been classified as the largest-ever cybersecurity threat. Healthcare and financial industries were the most common prey. Out of all the different types of cybercrimes, email phishing attacks were found to be the most common.
What is Phishing?
Phishing attacks are a type of cybercrime wherein the attackers engage in fraudulent communications. The unsuspecting victims think these messages are from a reputable source. The communications most commonly occur via email. For instance, WHO released several alerts regarding suspicious emails attempting to take advantage of the COVID-19 emergency. These emails appeared to be from WHO or the COVID-19 Solidarity Response Fund.
The goal of the cybercriminals who engage in phishing is to steal sensitive data like financial or login information or install malware on the victim’s device. Phishing emails that appear to be from WHO often ask people to give sensitive information such as usernames or passwords. They would also ask people to click on a malicious link or open a malicious attachment.
In the case of corporations and organizations, employees would receive phishing emails threatening suspension or loss of accounts to get them to divulge private information. Attackers would also use text messages and web-based applications to target people.
Types of phishing attacks
- Deceptive phishing: It is the most common type of phishing. The attacker obtains confidential or private information about the victim and uses it to steal money or launch other attacks.
- Spear phishing: This form of phishing attack targets individual victims rather than groups or organizations. The attackers research the victims to engage in more personalized communication with them, making their impersonation believable to the victim.
- Whaling: Whaling means going after “big fish” like a CEO or some other head of an organization. The attacker puts in a lot of effort in profiling the victim and waits for an opportunity to get their login credentials. This can be catastrophic for the organization as the attacker could get confidential company information.
- Pharming: This is an attack similar to phishing. Here, users are directed to a fraudulent website that appears legitimate. They don’t even have to click a malicious link for this. Attackers infect the victim’s device so that it is redirected to the bogus site even when the correct URL is typed.
How to protect yourself from phishing?
- Take time to analyze the request seeking your personal information
Due to the fear and apprehension created by COVID-19, people often don’t think twice about opening and acting on coronavirus-related emails. Coronavirus-themed emails can take different forms, including CDC or WHO emails, health advice emails, or workplace policy emails. You can keep the following in mind to recognize COVID-19 related phishing emails:
● Online requests for personal information: Legitimate government agencies like CDC, WHO, or others don’t ask for information or personal data online. So, beware of such emails. Never disclose personal or financial information, usernames, and passwords via email.
● Check the email address: If there is anything other than the trusted agency’s correct domain name after the ‘@’ symbol, don’t engage with it. For example, anything other than ‘who.int’ after the ‘@’ symbol means the sender is not WHO. However, sometimes even with the correct domain name, the email could be malicious. After all, criminals go to great lengths to make the emails seem legitimate.
● Spelling and grammar mistakes: Phishing emails most likely have spelling, grammar, and/or punctuation errors.
● Generic greetings: Greetings like “Dear sir/madam” that do not use your name are a sign of phishing emails.
● Emails that demand immediate action: Phishing emails often create a sense of urgency and insist that the receiver act immediately. The goal is to get you to click the malicious link and provide personal information.
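The “check the email address” rule above can be applied mechanically to a message’s From header. The following is an added example written for this article, not code from the original page or from WHO, CDC or NIH; the trusted-domain list, the verdict names and the sample headers are constructed for illustration. It applies the article’s exact-match rule (only `who.int` itself counts as WHO) and additionally flags two common tricks the article describes: a trusted domain embedded inside a different domain, and a display name that shows a trusted address while the real address sits elsewhere.

```python
"""Classify a mail From header against an allow-list of agency domains.

Added example for the article above; not the article's or any agency's code.
The trusted-domain set and the sample headers below are constructed assumptions.
"""
from email.utils import parseaddr

# Assumed allow-list: the exact domains the article names for legitimate agencies.
TRUSTED_DOMAINS = {"who.int", "cdc.gov", "nih.gov"}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain after the '@' of the real address in a From header.

    parseaddr() separates the display name from the angle-bracketed address, so a
    display name that merely *looks* like an address does not influence the result.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def classify_sender(from_header: str) -> str:
    """Return one of 'trusted', 'lookalike', 'display-name-spoof' or 'untrusted'.

    trusted:            domain after '@' is exactly one of TRUSTED_DOMAINS
    lookalike:          a trusted domain appears inside a different domain
                        (e.g. who.int.example or who-int.example)
    display-name-spoof: the display name shows a trusted address but the real
                        address is somewhere else
    untrusted:          anything else (including headers with no usable address)
    """
    display_name, _address = parseaddr(from_header)
    domain = sender_domain(from_header)

    if domain in TRUSTED_DOMAINS:
        return "trusted"

    for trusted in TRUSTED_DOMAINS:
        hyphenated = trusted.replace(".", "-")
        if trusted in domain or hyphenated in domain:
            return "lookalike"

    name_lower = display_name.lower()
    for trusted in TRUSTED_DOMAINS:
        if trusted in name_lower:
            return "display-name-spoof"

    return "untrusted"


# Constructed sample headers (not real messages) covering each verdict.
SAMPLE_HEADERS = [
    "WHO Alerts <alerts@who.int>",                     # trusted
    "WHO Alerts <alerts@who.int.example>",             # lookalike
    "WHO Alerts <alerts@who-int.example>",             # lookalike
    '"donate@who.int" <fund@mailer.example>',          # display-name-spoof
    "Helpdesk <support@mailer.example>",               # untrusted
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):20} {header}")
```

Because the rule is an exact match, a genuine subdomain such as a hypothetical `alerts.who.int` would also be reported as a lookalike; that is the conservative behaviour the article recommends (treat anything other than the bare agency domain as suspect), and a reader who wants to allow subdomains would need to relax the first check deliberately.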
- Do not trust third-party sources spreading COVID-19 information
There are plenty of illegitimate and fraudulent sources disseminating information about COVID-19. Make it a point to look for information and updates related to coronavirus only on government agencies or healthcare institutions’ official websites.
Malicious and fraudulent emails that expose you to cybersecurity risks often look like they are from real organizations. However, legitimate government agencies do not correspond with you via email.
Some of the reputable sources for legitimate information about COVID-19 include websites of:
● Centers for Disease Control and Prevention (CDC)
● World Health Organization (WHO)
● National Institutes of Health (NIH)
- Protect your devices
One of the goals of phishing attacks is to install malware on your devices. Attackers invade your systems and steal private and sensitive information or launch other attacks. To protect your device:
● Make sure you install anti-spam, anti-spyware, and anti-virus software.
● Keep your device up-to-date. The software updates are meant for bug fixes and enhancing the security of your device.
● Use strong passwords. If the password for your accounts is “password”, you have a slim chance of being protected from these attacks.
- Please do not click on links without checking them
A lot of phishing emails carry malicious links. These emails are worded in a way that creates a sense of urgency to check out the link. These links often redirect you to fraudulent websites and install malware onto your system. They could also expose you to hackers who can steal private information.
To check the links, you can hover your mouse over the URL to see where it leads. While sometimes it may be obvious that the web address is fraudulent, phishers can create links that seem legitimate.
The best way to prevent getting trapped by bogus websites is to type the legitimate domain name yourself while browsing. If you receive a certificate error, it’s a sign that something is not right.
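Hovering over a link compares the text you see with the address the link actually opens. The same comparison can be made over the whole HTML body of a message. The following is an added example written for this article, not code from the original page; the trusted-domain list, the verdict names and the sample HTML are constructed assumptions. It extracts every anchor, and reports a mismatch when the visible text names one host but the `href` points to another, an untrusted link when the destination is not under a trusted domain, and ok otherwise. Unlike the article’s strict rule for the part after ‘@’ in a sender address, this example treats subdomains of a trusted domain (such as `www.who.int`) as trusted, since agency websites are normally reached that way.

```python
"""Audit the links in an HTML email body: does the visible text match the real target?

Added example for the article above; not the article's code. The trusted-domain
set, the verdicts and SAMPLE_HTML are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of agency domains; subdomains of these are accepted as well.
TRUSTED_DOMAINS = {"who.int", "cdc.gov", "nih.gov"}

# Matches text that a reader would take for a web address: optional scheme,
# at least one dotted label, an alphabetic TLD, and an optional path.
URL_LIKE = re.compile(
    r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Return the lowercase host of a URL or of bare 'host/path' text ('' if none)."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # let urlparse see a scheme
    return (urlparse(candidate).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one (assumed policy)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_links(html_body: str) -> list[tuple[str, str, str]]:
    """Return (href, visible_text, verdict) per anchor.

    verdict is 'mismatch' when the visible text names a different host than the
    href (the trick hovering reveals), 'untrusted' when the destination host is
    not under a trusted domain, and 'ok' otherwise.
    """
    collector = _AnchorCollector()
    collector.feed(html_body)
    results = []
    for href, text in collector.links:
        href_host = host_of(href)
        if URL_LIKE.match(text) and host_of(text) != href_host:
            verdict = "mismatch"
        elif is_trusted_host(href_host):
            verdict = "ok"
        else:
            verdict = "untrusted"
        results.append((href, text, verdict))
    return results


# Constructed sample body (not a real message): one disguised link, one honest
# link to the agency site, and one bare download link with no visible address.
SAMPLE_HTML = """<p>Dear sir/madam,</p>
<p>Your account will be suspended. Verify now:
<a href="http://who.int.login-check.example/verify">https://www.who.int/verify</a></p>
<p>Or read the advisory at <a href="https://www.who.int/">www.who.int</a></p>
<p><a href="http://198.51.100.7/update.exe">Download the safety update</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_HTML):
        print(f"{verdict:10} text={text!r:35} href={href}")
```

The first link is exactly the case hovering exposes: the text reads as a WHO address while the destination is a different domain that merely starts with `who.int`. Note that a disguised link cannot be detected from the visible text alone, only by comparing it with the real target, which is why typing the legitimate domain yourself remains the safer habit.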
If you do become a victim of phishing...
If you unwittingly gave away your login credentials or other sensitive information, do not panic. Immediately change your credentials on every site where you’ve used them. Make sure to update your device’s security software and run a scan to identify any malware on your system. If you have given away financial information, inform your bank or credit card company immediately.
Lastly, if you receive a phishing email, report it and delete it. If you become a victim, let others know about it so that you can prevent them from falling prey to such attacks.