(Originally published March 19, 2020; Updated September 9, 2020)
As the world continues to struggle with the COVID-19 pandemic, attackers are continuing to take advantage of the crisis. Now, more than six months in, let’s take a look at the latest phishing scams and their impact.
The Federal Trade Commission (FTC) has received over 189,000 COVID-related reports of scams, fraud and identity theft. Losses due to these events have cost U.S. consumers over $132 million. The FTC offers the “FTC COVID-19 and Stimulus Reports” interactive infographic. Consumers can track reporting trends over time, down to the state level.
Software as a service (SaaS) and webmail remain the vectors of choice for most scammers. Business email compromise (BEC) incidents have continued to rise throughout the pandemic, with losses now averaging over $80,000 per incident. Another area of growth in phishing attacks has been via social media platforms – a 20% increase.
Recent COVID-19 phishing scams
Be aware of these new COVID-19-specific phishing attacks that have been reported over the last six months since this article was originally published:
Scammers are sending emails that request personal information to “complete the release” of IRS funds, targeting for example people who used the IRS non-filers tool before May 17 and were mistakenly not sent the $500-per-child portion of their Economic Impact Payment. The IRS does not initiate contact by email to request this kind of information.
Callers are pretending to be from utility companies and requesting banking information for supposedly overdue payments.
Attackers are sending WhatsApp messages bearing the Presidential seal that offer payments to those stuck at home during the pandemic.
Furthermore, many of the phishing scams we reported on earlier this year continue to be a threat:
- People are receiving unsolicited work from home job offers via email. Be wary of any unsolicited offer received via email, especially if you did not apply for, or were not interviewed for, a position with a company.
- With more people telecommuting, scammers are sending emails that appear to come from internal company domains, with links to fake work-from-home policy and procedure documents.
- Individuals are receiving emails claiming to be alerts from the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), or other expert organizations with information about the virus. These groups do not send unsolicited emails of this type. Always visit the websites of these organizations directly for the most up-to-date information.
- People are receiving information via emails and pop-ups offering vaccinations and other health advice.
- Criminals are taking advantage by running charity scams through social media and phone calls related to the COVID-19 pandemic, soliciting donations for medical treatment or food drives. Do not donate money via Bitcoin.
- There are scams circulating that claim to provide access to government loans, tax refunds or payments. Delete any unsolicited emails that come from supposed government agencies.
- Bogus closure emails claiming to be from universities or schools that have shut down due to the pandemic that contain links to “more information” have been observed.
How to avoid phishing scams
Phishing.org provides a good list of ten (10) actions you can take to avoid phishing scams:
- Keep informed about phishing techniques. The more you know about what scammers are doing, the less likely you are to be a victim.
- Think before you click! People are worried, afraid, and concerned about the pandemic. They may fail to think before they click on a link to “breaking news” or “cures” for the novel coronavirus.
- Install an anti-phishing toolbar. Usually available as a browser plugin or add-on, these tools can help to identify phishing websites and advertisements. Check with your IT or Security department to see which ones are approved for use in your organization.
- Verify a site’s security. Check that the URL begins with “https” and that the closed lock icon is displayed, but treat that as a minimum rather than proof of legitimacy: phishing sites routinely obtain valid certificates too, so read the domain name itself and confirm it is the organization’s real domain. Before clicking a link in an email, hover over it and compare the address shown in the browser’s status bar (usually the lower left corner) with the link text; if the two do not match, do not click.
- Check your online accounts regularly. We all have that online account that we set up and only visit once or twice a year when needed, such as a streaming subscription site. These accounts may still hold personal and credit card information that an attacker can access and use without you realizing it. Log in to your accounts more often and use a strong, unique password for each one.
- Keep your browser up to date. Whenever an update is released for your browser, run it immediately. Check all browsers you may use to make sure they are kept up to date.
- Use firewalls. Using a personal, or desktop, firewall is a critical security component for connections that are always “on.” Your organization should have network firewalls to protect network infrastructure.
- Be wary of pop-ups. Use pop-up blockers in your browsers to avoid these nuisances. If you must close a pop-up window, use the “X” in the upper corner of the window. Also, be wary of email attachments, which can contain malware.
- Never give out personal information. Guard your data as if it were gold, because it is that precious. Your personal data (financial, sensitive, medical, etc.) in the hands of a scammer can not only be used to rob you, but can also be sold for others to use maliciously.
- Use anti-virus software. Keep your anti-virus software up to date and be sure to scan your device on a regularly scheduled basis.
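The link check described above (does the address shown to the reader match where the link really goes, and is it HTTPS at all) is easy to automate for an email you are unsure about. The following Python script is an added example, not code from Phishing.org or from the original article; the sample email body and the hostnames in it (irs-gov-payments.example and the others) are constructed for the demonstration. It extracts every anchor from an HTML email and reports links whose displayed URL points at a different host than the real href, as well as links that are not HTTPS.

```python
"""Flag suspicious links in an HTML email body (added example, not from the page)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: one honest link, one link whose displayed URL
# does not match its real destination, and one plain-http link.
SAMPLE_EMAIL_HTML = """
<p>Your Economic Impact Payment is waiting.</p>
<a href="https://www.irs.gov/coronavirus">https://www.irs.gov/coronavirus</a>
<a href="http://irs-gov-payments.example/claim">https://www.irs.gov/claim</a>
<a href="http://www.cdc.gov/">CDC guidance</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, text) tuples found in the HTML."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def check_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    if urlparse(href).scheme != "https":
        findings.append("not https")
    # If the visible text looks like a URL, the host it shows must equal the real host.
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = text if "://" in text else "http://" + text
        if _host(shown) != _host(href):
            findings.append(
                f"displayed host {_host(shown)!r} differs from real host {_host(href)!r}"
            )
    return findings


def audit_email(html):
    """Map each href in the email to its list of findings."""
    return {href: check_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, findings in audit_email(SAMPLE_EMAIL_HTML).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{href}: {status}")
```

A clean result from this script is not proof that an email is safe: a link can point at an HTTPS site on a lookalike domain with a perfectly consistent display text. The script only automates the two mechanical checks from the list above; deciding whether the real domain belongs to the organization still needs a human who knows what that domain is.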
Increased diligence during the pandemic and awareness of COVID-19 phishing scams should not only focus on keeping yourself healthy and safe but also on protecting your data and resources. For more information on how security awareness and anti-phishing training can help your organization, please Contact Us today.