There have been recent reports of hackers posing as the Center for Disease Control (CDC) and the World Health Organization (WHO) to bait people into clicking on phishing emails. A phishing email is an email that is sent by hackers, disguising themselves as a trusted individual, prompting recipients to click on a malicious link. Clicking on the malicious link allows hackers to access the recipient’s email account. Although you would think that someone wouldn’t do such a thing during a national crisis, sadly this is not the case; COVID-19 phishing emails are occurring more frequently than one would think.
The COVID-19 crisis has caused many people to click on any information they receive about the outbreak. Adrian Nish, head of threat intelligence at BAE Systems Applied Intelligence, states, “It’s not surprising, we call it the lure de jour. I think a lot of these groups have identified coronavirus as something their targets would be desperate for information on.”
COVID-19 Phishing Emails: How to Avoid Becoming a Victim
Even before the COVID-19 heath crisis, hackers have continually been targeting healthcare organizations. This is mainly due to the lack of cybersecurity tools implemented in healthcare organizations, as well as the sensitive patient information that these organizations handle on a daily basis, known as protected health information (PHI).
Maya Levine, security engineer at Check Point, states that “Check Point has definitely seen an uptick in crimes related to the coronavirus. A huge phishing scam hit over 10% of all organizations in Italy making it seem like it was from the World Health Organization, asking to open a document attached to the message containing a malicious file.”
How to recognize COVID-19 phishing emails:
- The email asks for personal information. Legitimate companies will not send emails that ask for passwords, credit card information, credit scores, or Social Security numbers (and neither will the CDC or the WHO). If an email asks for any of this information, it is not an email from a legitimate organization.
- Sender’s email address doesn’t look genuine. When receiving an email from an unknown entity, it is always a good idea to check their email address. Legitimate companies will have domain emails; hackers may make a few changes to spelling or add numbers to make it look like the email is coming from a trusted organization. Email addresses can be checked by hovering over the “from” address, and carefully checking the spelling.
- It’s poorly written. A good indication that an email is not from a trusted organization is poorly written emails. Emails containing spelling or grammar mistakes are likely phishing attempts.
- It’s trying to force you to their website. Some phishing emails are designed so that anywhere a recipient clicks, will direct them to a malicious website. Legitimate companies will not force you to go to their website; if an email contains nothing but a “click here” button, or something similar, with no other text, it is a malicious email.
- It contains an unsolicited attachment. Receiving an unsolicited email with an attachment is likely a phishing attempt. Legitimate businesses will generally only send attachments when requested. Attachments ending in .exe, .scr, and .zip are considered high-risk attachments.
- Company links match legitimate URLs. Before clicking on any links, recipients should hover over the link to ensure that the link will take them where it says it will. If the link differs from the text, or doesn’t match the context of the email, it is a phishing attempt. Phishing email attacks can be difficult to recognize; whenever receiving unsolicited emails, it is important to confirm the validity of the email before clicking any links or opening attachments. When unsure if an email is a phishing attempt, recipients should contact the company directly through the information found on the company’s website. Any contact information found within the email should be considered suspect.
For more information on how to recognize COVID-19 phishing emails, please click here.