Phishing scams have long been among the most popular cyberattack methods. The coronavirus (COVID-19) pandemic opens up more opportunities for cybercriminals.
COVID-19 has upended work and home life for most of us. The shift to remote working and fears about the virus have led to a surge in phishing attempts, with cybercriminals moving quickly to take advantage of the new world reality.
Phishing and email scams have long been among the most popular and effective methods used by cybercriminals. They can be used to distribute misinformation, to obtain illicit financial gain, and to seek personal and sensitive information from a victim. Employees victimized by attacks can expose critical company data located not just on their own computer, but throughout an entire network.
Now, COVID-19 is giving cybercriminals a new way to dupe anyone anxious about the pandemic, as That email may be infected too (pdf) explains. Scammers are sending emails that seem to come from legitimate organizations such as the World Health Organization, the US Centers for Disease Control and Prevention, and other government authorities.
Almost all the fraudulent emails come down to asking the recipient to either click on a link or open an attachment. Either action could result in activating malware or redirecting the user to a page that asks them to enter confidential data.
Common forms of phishing attacks
As with most phishing attacks, the criminals often use legitimate content sourced from reputable organizations to entice the reader to click on a link. The URL appears to be from a legitimate website but clicking on it infects the victim’s computer by sending them to a malicious site that extracts their data.
Phishing attacks also prey on the hunger for information in a time of crisis by sending recipients attachments claiming to contain important health information. When the victim opens the document, they could unknowingly hand control of their computer to a remote attacker through hidden embedded code.
There are several avenues attackers have been exploiting to conduct phishing attacks. Some of the most common ones are:
- Spear-phishing: Faux emails, believed to be from a trusted sender, prompting victims to reveal confidential information or to follow links to credential-harvesting websites or malware
- Spoofing: Using names that look like those of authoritative personnel, adding or switching domains so that links point to malicious sites, or imitating familiar email or site layouts
- Social engineering: Leveraging LinkedIn and other publicly available information to map out corporate hierarchies and using that knowledge to execute well-informed spoofing attacks
- Spam filter bypassing: Tactics such as zero-point font used to slip past spam filters that may be in place, often categorized as a more advanced form of spoofing
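The look-alike sender domains and zero-point font described above leave traces in the message itself that a mail gateway or triage script can flag. The following is an added illustration, not code from the original article: it parses a constructed sample message, compares the sender domain against an assumed allow-list by edit distance, checks for a diverted Reply-To, and looks for zero-point font in the HTML body.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a COVID-themed lure from a look-alike sender domain, with a
# Reply-To that goes elsewhere and zero-point-font filler aimed at spam filters.
SAMPLE_EMAIL = """\
From: "World Health Organization" <alerts@wh0.int>
Reply-To: collect@drop.example.net
Subject: Important COVID-19 health information
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the attached guidance.</p>
<span style="font-size:0px">harmless filler text</span>
<a href="http://wh0.int/login">Review</a></body></html>
"""

TRUSTED_DOMAINS = ["who.int", "cdc.gov", "example.com"]  # assumed allow-list


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to flag domains one or two characters off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    # Lower-cased domain of the first address in a From/Reply-To header value
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the indicator names found in a raw RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    sender = domain_of(str(msg.get("From", "")))
    reply_to = domain_of(str(msg.get("Reply-To", "")))
    for trusted in TRUSTED_DOMAINS:  # look-alike sender domain (e.g. wh0.int vs who.int)
        if sender != trusted and levenshtein(sender, trusted) <= 2:
            found.append(f"lookalike-domain:{sender}~{trusted}")
    if reply_to and reply_to != sender:  # replies diverted away from the apparent sender
        found.append("reply-to-mismatch")
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    if re.search(r"font-size\s*:\s*0(\.0+)?\s*(px|pt|em|%)?\s*[;\"']", html, re.I):
        found.append("zero-point-font")  # hidden text meant to pad past spam filters
    return found
```

The edit-distance threshold and the allow-list are deliberately simple; a production gateway would add homoglyph normalization and compare against the organization's real partner domains.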
Besides COVID-19 scams, other common scams are:
- Accounting fraud: A request from an accounting or a finance department or leader to approve an invoice payment, a journal entry, or other financial transaction
- Social media spoofing: A social media notification, such as a friend request or a post you should “click to see”
- Package delivery notification: A package that requires the recipient to click on a link to confirm delivery or to check tracking status
- Online shopping account spoofing: Your online shopping account experienced suspicious access activity that requires you to click on a link to review or confirm
- Password resets: Your online account has been compromised; please click on a link to regain access to your account
Risks increase amid remote working
Phishing is certainly not new, but security experts report attacks are increasing due to the COVID-19 pandemic. As we exercise social distancing and spend more time working remotely, the risk of falling into phishing traps increases.
Many face-to-face interactions have moved online, and remote employees may be more inclined to use corporate laptops for non-business work. Employees using personal email accounts from corporate laptops can land on infected sites that steal sensitive company information.
Organizations have long been under the threat of phishing emails that impersonate a co-worker or a manager. You might get an email that appears to be sent by a colleague asking you to follow instructions to “transfer money,” “send financial data” or “allow access to confidential product information.”
In the past, you might have called over to someone in the next cubicle to ask for verification, but if that is not an option, you may simply click on the link. As employees lose face-to-face contact, the risk of being victimized increases sharply.