Phishing in the time of COVID-19
There has been a sharp rise in malware and phishing attacks over the past few weeks, and attackers are capitalizing on the COVID-19 pandemic and on anxious people seeking out new information.
It’s never a bad time to brush up on phishing, but Kaspersky Labs just put out a great piece on debunking COVID-19 phishing emails. Kaspersky is a world leader in security research and we highly recommend checking out their article here!
Here’s an example of the type of phishing email examined by them:
The “cdc.gov” link sends you to a website that looks similar to Microsoft Outlook, and asks for your email login and password. It won’t actually log you in anywhere, it’s just a place for attackers to steal your login details.
So what clued them in on the scam?
-
The e-mail address of the sender. If it ends with cdc-gov.org instead of cdc.gov, the e-mail is phishing.
-
The actual URL of the link. If you hover over the link without clicking on it, you’ll see that the real address it leads to is different than the link description. It won’t really bring you to cdc.gov.
-
The design of the phishing page. The official Microsoft Outlook website actually looks completely different. Of course, no website other than Microsoft’s should ask for your Outlook credentials. If you see such a request, know that it’s phishing and ignore it.
Many of the tips Kaspersky gives in their post are catch-all phishing precautions, so here’s a quick refresher on the basics:
If you receive any kind of message that’s unsolicited or from an unknown sender:
- Don’t share your personal information
- Avoid clicking links
- Don’t download files
Clicking links or downloading files from mysterious emails could infect your computer with malware, or bait you towards websites (like the one mentioned above) where your information may be phished. Rule number 1 is special though:
Legitimate services will never ask you for personal information over email! Security questions like “What is the name of the street you grew up on?” exist specifically so that services can identify you as the account-holder without asking for your username and password.
Get an email from the bank saying you have unauthorized activity on your account? Don’t click the links in that email! Instead, type in your bank’s website yourself, log in, and see if they actually have notifications for you there. Attackers prey on your emotion—they want to cloud your judgement by making you think something is at stake, using tactics like:
- Accusations of being overdue
- Informing you of critical public health updates
- Requiring urgent action from you
Thankfully, most phishing emails and scam websites can be spotted using visual clues alone.
- Look at the wording
- Look at the sender (or the URL, if you think you might be on an scam website)
- Look at the images/logos
Put your skills to the test
You can take those learnings another step forward with this rock-solid phishing quiz that Google released last year:
If you have any other questions about phishing, or other security-related projects, drop us a line at info@newmindgroup.com!