Cyber criminals exploit times of uncertainty by playing on a basic human emotion—fear—and the anxiety-producing nature of the new COVID-19 outbreak has given bad actors the opportunity to take advantage. The world is facing new challenges, and it is natural for individuals to be vulnerable. Fear as a form of social engineering has always been common for cyber criminals, because people are known to let their guard down during trying times.
Over the last few months, cyber criminals have been sending out scam emails and setting up malicious websites to try to make money from the pandemic. Messages have impersonated the Centers for Disease Control and Prevention, the World Health Organization, and other health and government agencies. More recently, however, federal agencies have taken notice. For example, the FBI has issued an official alert regarding a range of scams including fake CDC emails, phishing emails, and counterfeit treatments or equipment. Additionally, the Department of Justice filed its first enforcement action against COVID-19 fraud: a temporary restraining order against a website offering a fraudulent coronavirus vaccine.
With federal agencies on notice, how are cyber criminals still passing fraudulent information as legitimate? Nefarious actors have been sending emails with safety guidelines and prevention tips that include links or attachments, in hopes of tricking people into thinking that they are legitimate emails. For example, cyber criminals have been sending emails impersonating the WHO.
How can an individual recognize such emails as fakes? Reviewing the email reveals grammar and spelling mistakes, as well as incorrect naming of the virus itself. The danger of an email like this is that once a user clicks the link, it prompts the download of malware designed to steal banking credentials or even the download of a keylogger, which records everything a user types, including usernames and passwords.
One particularly sophisticated scam includes an interactive dashboard of coronavirus infections and deaths. The dashboard has been published on websites and links to it have been included in phishing emails. It mimics a dashboard produced by Johns Hopkins University, which lulls people into a false sense of security.
Cyber criminals manipulated the dashboard so that if an individual clicks on the malicious version, it downloads malware designed to steal passwords, credit card numbers, cookies, and browser-based data. It could also take unauthorized screenshots, and steal other types of information. While a reputable dashboard like the one from Johns Hopkins can be a valuable resource, it’s always best to navigate directly to the website instead of accessing it through a link in an email.
In an additional effort to make emails and websites appear legitimate, cyber criminals have been registering domains related to the coronavirus or government agencies. They understand people may look quickly at an internet address but not know whether it is legitimate. Bogus websites may have “coronavirus” or the name of a government or health agency as its URL. However, the internet address may be misspelled or have the wrong extension (i.e., www[.]who[.]com, instead of the legitimate www.who.int). Individuals should ensure they have navigated to the legitimate website by confirming the correct URL, and never click on a link in an email, which may open a malicious site or install malware.
Cyber criminals have also been using phone calls, text messages, social media, and even fax messages in attempts to scam people. The public must be especially aware of cyber criminals exploiting the charitable spirit of the time, and use caution when deciding to donate to charitable organizations.
Tips to keep in mind:
- During a crisis, cyber criminals know that people are always looking for new information, and they exploit this tendency in an attempt to steal money, passwords, and information.
- Treat all emails regarding COVID-19 with caution.
- If an email is received requesting money for coronavirus testing, do not trust it—it is a scam.
- Instead of clicking on a link, navigate to the webpage on the internet.
- Government or health agencies will never request an individual’s personal bank account information, PIN, Social Security number, or password in an email.
- As with all suspicious emails: think before clicking.