Coronavirus email scams are trying to cash in on your fear
By Sara Morrison
If you didn’t have enough to worry about with the new coronavirus, here’s one more thing: Scammers are using the outbreak to steal your information through phishing attempts or to lure you into downloading a different kind of virus. Cybersecurity firm Check Point announced today that over 4,000 coronavirus-related domains — that is, they contain words like “corona” or “covid” — have been registered since the beginning of 2020.
Of those, 3 percent were considered malicious and another 5 percent were suspicious. Three percent might not seem like much, but according to Check Point, this means that a coronavirus-related domain is 50 percent more likely to be malicious than any other domain registered during the same time period. Check Point believes many of those malicious sites will be used in phishing campaigns. Phishing emails are ones that appear to be from a trusted source, tricking you into providing sensitive information, downloading malware, or clicking a link to a website that can do either.
It’s common for scammers to take advantage of emergencies — moments when people are scared, desperate, and at their most vulnerable — to propagate scams. The coronavirus epidemic is no different, and bad actors all over the world are finding ways to use coronavirus warnings as a veil for malware attacks. As the outbreak spreads across the US, computer users in the country will likely become a more frequent target.
“National emergencies and/or disasters add a fear factor that acts as one more hook for hackers to get what they need,” Ron Culler, senior director of technology and solutions at ADT Cybersecurity, told Recode. “When fear is added to any targeted campaign — be it a legitimate or scam campaign — the effectiveness of that campaign is increased.”
A few days ago, the World Health Organization (WHO) put out a warning about phishing attempts via emails from apparent WHO representatives. The agency is getting reports of coronavirus-related phishing attempts on a nearly daily basis, according to the Wall Street Journal. Meanwhile, cybersecurity firm Proofpoint has also found a rash of WHO-branded phishing attempts as well as coronavirus-themed phishing emails from other health-related organizations. Some of these phishing attempts even appear to come from internal company emails.
Check Point said that the “most prominent” coronavirus phishing campaign in January came from emails pretending to be from a Japanese disability welfare service provider. The emails included an attachment that claimed to say where the virus was spreading to Japanese cities; it actually contained a computer virus that would spread to the victim’s computer. Another scam campaign targeted Italian organizations; it was an email from someone pretending to be a doctor for WHO’s Italian branch. The email included a file that was supposed to be a document with precautionary measures but was actually malware. One big clue that the email was from a scammer? It came from a non-who.int email address.
“We regularly observe campaigns with extremely topical lures, like the coronavirus, in hundreds of thousands to millions of socially engineered emails every day,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Recode. “This information is legitimately being distributed by organizations to inform their employees and partners, thus giving threat actors a place to mix in their malware lures among the legitimate informational messages being sent.”
Proofpoint has taken to posting threats on its Threat Insight Twitter account as it comes across them because there are too many out there for blog posts to keep up with.
“Campaign volumes have ranged from a dozen to over 200,000, and the number of campaigns is trending upwards. Initially, we were seeing about one campaign a day — we’re now observing three to four a day,” DeGrippo told Recode. “This increase underscores just how appealing these types of topical campaigns are for threat actors.”
So, how do you avoid getting infected with a coronavirus computer virus? First, pay attention to who is sending you the email. And pay close attention, because phishing emails from fake Centers for Disease Control and Prevention
representatives have been found that come from “cdc-gov.org,” rather than the correct “cdc.gov.” If you’ve received an email from someone claiming to be the WHO but it doesn’t come from an email address ending in “who.int,” it’s almost certainly a scam. So don’t open the email, and report it to WHO.
But a legitimate email address is not a guarantee of safety. The address could have been spoofed, or the email could be coming from an account that has been hacked. So you should also pay attention to what the email is asking you to do. An email that asks you to provide an account password, bank information, or Social Security number, for instance, is a massive red flag. You should never be asked to provide those over email.
Another big red flag is odd-looking attachments. You should always be very careful about opening attachments, especially if they come from an email address you don’t recognize. Make sure you know where a link is taking you to before you click on it — you can do this by hovering your cursor over a link for a few seconds until the link’s URL pops up — and that the link leads to a site you recognize. Don’t enter any sensitive information if you aren’t sure the site is legitimate. And if the link is promising you a coronavirus cure, really, seriously think about whether that’s even possible given that, as of now, one does not exist and, if it did, it would not be distributed via random emails with links to websites.
All that inevitably gets to what might be the most useful of WHO’s tips to prevent a phishing attack: “Do not rush or feel under pressure.” This can be hard to do when you’re terrified of a global pandemic, but it may be your best protection against social engineering scams.