By: Ken VanAllen, Senior Consultant at Sikich
And just like that, we were all reminded of how quickly everything can change. COVID-19, the coronavirus disease caused by the SARS-CoV-2 virus, has impacted the lives of almost everyone in the country and the world. However, some things never change, like the danger of phishing and clickbait attacks. Millions of us are hunkered down in our homes and distracted by the news, the daily changing economic landscape, the kids, and what for many is a new way of working from home. All of these factors make for a target-rich environment for online scammers.
Phishing schemes feature emails that are carefully crafted to mimic those sent out by banks, service providers like Amazon or Netflix, or employers, and are designed to trick recipients into divulging information that can be used to compromise their accounts. Clickbait scams present the unwary with leading information, sometimes true, in order to get a web user to navigate to a site that either gathers sensitive information or downloads a malware payload in an attempt to take control over a computer or the applications running on it.
Preying on COVID-19 Fear
Of course, attackers are not taking a break during this crisis. On the contrary, they are working overtime! That’s because the primary tool in the online criminal’s toolbox is fear. Fear is the ultimate distraction. Human beings are hardwired to respond to fear automatically, and this instinctual response has to be trained out of us. Cybercriminals prey on this vulnerability by getting our attention—telling us something dire will happen without immediate action.
We’ve all seen emails with messages like:
“…your account has been suspended for suspicious activity and will be permanently disabled in 24 hours unless you review the activity and reactivate your account. To reactivate your account, visit our website at…”
“…your car payment is more than 90 days overdue. If we do not hear from you immediately, we will be forced to start repossession actions against you…”
“…click here to learn more about how you can protect your family from online predators…”
These messages all take on the same form:
- Lead the reader to believe that something bad is about to happen or has already happened.
- Prompt the reader for immediate action (lest things get even worse).
- Steal information or download a malware payload (or both).
The entire process is designed to induce action before the user has a chance to question the validity of the message or consequences of their actions.
COVID-19 Scams
COVID-19 presents scammers with the opportunity of a lifetime. Not in at least a generation have so many people been in such a panic. This fact is not lost on attackers. Examples of scams already reported include:
- Attempts to sell bogus COVID-19 cures and preventative treatments;
- Work-from-home scams targeting the newly unemployed;
- Investment scams directed at those seeking to protect their life savings from market volatility; and
- Malware sites purporting to fast track payment of government relief money.
At times like these, we should all be on heightened alert for phishing and clickbait scams with COVID-19 themes. Take the opportunity to remind your staff and associates to maintain a healthy skepticism:
- Check the sender and sending address on every email.
- Don’t click on anything until you have validated the links and know them to be to trusted sites.
- Watch for grammatical errors. Many scam communications are created by non-native speakers.
- If you are unsure if an email or web link is safe, call your help desk for further assistance.
Consider taking advantage of a slower work environment or downtime to provide extra training to employees.
Things are already stressful enough. Don’t make them worse by falling for well-timed social engineering attacks and COVID-19 scammers.