Cybercriminals are known to jump on every opportunity they can, including natural disasters and other widescale catastrophes. The new global pandemic is no exception and several new types of coronavirus (COVID-19) phishing emails have been hitting inboxes.
These emails are particularly insidious as they take advantage of people’s fears about the virus, promising helpful information, linking to urgent policy updates, and using other ploys that only result in the recipient getting scammed.
Like other types of phishing emails that good IT security measures are designed to protect against, these scams include links that can:
- Download malware
- Steal login credentials
- Steal credit card details
- Scam the recipient out of money
One of the best ways to protect your users and your company network from these types of scams is through cybersecurity awareness training. Let your employees know what to watch out for and remind them of the safeguards to follow when it comes to incoming email.
In 2019, nearly 90% of organizations experienced targeted phishing attacks.
Read on for examples of COVID-19 themed phishing attacks and the commonsense steps to take to avoid getting tricked by a phishing scam.
COVID-19 Phishing Scams
These phishing scams have been showing up in people’s inboxes since February and they only keep multiplying.
Stay aware and let your office know to be on the lookout for the following.
Fake Safety Measures
This phishing scam uses the World Health Organization’s logo and pretends to include a link to safety measures to take in the wake of coronavirus.
These types of emails may also purport to be from other organizations such as the Centers for Disease Control and Prevention (CDC), and often have a health professional, such as a doctor, in the signature line.
Below is an example from the Federal Trade Commission (FTC).
Coronavirus Map Scam
This next phishing scam takes advantage of the fact that people want to know exactly how many cases of COVID-19 have been detected in their area. It purports to be an email from the “CDC-INFO National Contact Center” and it says in part:
“CDC has established an Incident Management System to coordinate a domestic and international public health response. Updated list of new cases around your city are available at: (link that looks like it’s from the CDC website)”
Of course, like other phishing URLs, the link takes the user to a malicious website that can download malware or steal login credentials.
Workplace Policy Scam
This coronavirus phishing scam targets employees. It will often include the real name of the company in the email and state that “Due to the coronavirus outbreak (company name) is actively taking safety precautions.”
The email will then include a link to a new company “policy” and direct the employee to read the policy by a certain date. Urgency is often a tactic used by phishing scammers to get people to click a dangerous link without checking it first.
Here’s an example from Norton.
Fake University Health Team
This phishing scam is designed to steal a user’s login credentials for their Outlook email account. It includes a link for the “latest information about COVID-19” and is targeted at students and faculty of educational institutions.
Like the work policy email, this one will often include the name of the University or other institution it’s purporting to be from. The link it gives directs users to a spoofed Outlook login page designed to steal their username and password.
Fake Cures or Prevention Tactics
There are multiple versions of emails promising fake coronavirus cures or tactics you can take to prevent an infection. Many of these direct the user to scam websites where these fake products are for sale.
These sites steal the user’s credit card details as well as sell them a bogus product that in many cases never ships.
Best Practices to Avoid Phishing Scams
There are several tactics employees can take to avoid falling victim to a phishing scam. Training on these regularly will keep employees on their toes and help strengthen your overall cybersecurity.
Hover Over Links
Never trust a link, especially if it’s from someone you don’t know or in an email you weren’t expecting. Hover over links without clicking to reveal the true URL, which, in the case of phishing, will generally be completely different from the URL shown in the text of the message.
Carefully Read Email Addresses
One phishing scam going around has an email address that at first glance appears to be from the Gates Foundation. But on closer inspection, there is an easily missed typo (email@example.com) that reveals it’s a fake.
Scammers will often spoof emails from real organizations. Viewing the message source can reveal the true email address the message is coming from.
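The two checks above (comparing the visible link text with the real URL behind it, and reading the message source for the true sender) can be automated for a mailbox filter or a training demo. The script below is an added example, not from the original post: the message it parses is constructed, and every domain ending in .test is a placeholder.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email) in the style of the "coronavirus map" lure:
# the link text shows cdc.gov but the href does not, and the sender headers disagree.
RAW_MESSAGE = b"""From: "CDC-INFO National Contact Center" <cdc-info@example-lookalike.test>
Reply-To: reply@another-domain.test
Return-Path: <bounce@mailer.another-domain.test>
Subject: Updated list of new cases around your city
Content-Type: text/html; charset="utf-8"

<html><body><p>Updated list of new cases around your city are available at:
<a href="http://login.another-domain.test/cdc/update">https://www.cdc.gov/coronavirus/</a>
(see also the <a href="https://www.who.int/">WHO site</a>)</p></body></html>
"""
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Last two labels of a hostname; crude but enough here (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def mismatched_links(html):
    """(shown_text, real_href) for anchors whose visible text is a URL on another domain."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()            # drop nested tags
        if not re.match(r"(https?://|www\.)", text, re.I):    # plain words: nothing to compare
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append((text, href))
    return findings

def sender_domains(msg):
    """Domains seen in From, Reply-To and Return-Path; more than one is a warning sign."""
    domains = set()
    for hdr in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" in addr:
            domains.add(registered_domain(addr.split("@", 1)[1]))
    return sorted(domains)

def analyze(raw=RAW_MESSAGE):
    """Run both checks on a raw RFC 822 message; returns what a reader would hover/inspect for."""
    msg = message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    return {"link_mismatches": mismatched_links(html), "sender_domains": sender_domains(msg)}
```

A non-empty link_mismatches list or more than one sender domain is exactly what hovering and viewing the source would have shown a careful reader.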
Visit Sites Directly, Not Through Email Links
If you want to see a map of coronavirus cases, find a legitimate site online and visit it directly, instead of clicking on a link in an email.
The same is true of shipping tracking for unexpected packages and similar emails. Phishing emails will often try to trick you with links to fake sites or login pages using the logos of well-known companies. Instead of clicking the link, visit a website directly.
Always Double Check Unexpected Emails
If you receive an email that you didn’t expect coming from your “HR Department” or a colleague, double check with them by phone or in person to see if it’s legitimate before taking any action.
Scammers often go after account logins, and once they compromise an account, they’ll send phishing emails from that account hoping to catch other users in their scam.
Put Safeguards in Place to Stop Phishing in Its Tracks
RCOR can help your company with anti-phishing tools that keep dangerous messages out of user inboxes and steer users away from malicious URLs.
Contact us today to schedule an IT security consultation. Call 919-263-5570 or contact us online.