Classic phishing attacks identify an item of information or an opportunity that is appealing to a target audience, and they use that to bait the target into clicking a malicious link or opening a corrupted file. Like a worm to a fish. Hence the term, phishing.
The earliest attacks fed off a near-universal allure: money. Do as I say, and you will receive hundreds of thousands, or even millions, of dollars. As we wised up, the scams became more tailored. Professionals were hit with new client inquiries. Manufacturers received purportedly important alerts from trade associations. Parents’ inboxes were inundated with phony updates from their children’s schools (yes, this has happened).
There has likely never been a single subject, however, with the same universal appeal as information related to the COVID-19 outbreak. And phishing scammers know it.
One recent campaign identified by security company Mimecast involved the dissemination of a PDF file purporting to contain information on how people can protect themselves against the spread of the virus. Another campaign claimed to contain a link to information on the rate at which the virus is expected to dissipate. What makes either powerful, perhaps even more powerful than the promise of untold riches, is the fear and anxiety that we are all feeling right now. Fear is opportunity. It causes us to do things we might not ordinarily do, like purchase 100 rolls of toilet paper at 6 o’clock in the morning.
While the vector (route) for attack is substantively unprecedented, the technique of attack is relatively unchanged, and the defenses remain clear and commonsensical. Here are some reminders of safe email practices to avoid being victimized:
- Don’t give out your passwords to anyone, ever. Seems like a given, but so too did the endless availability of TP at your local GIANT.
- Scrutinize all attachments to emails. If the sender is not a known person or entity, be safe. Don’t open it. No matter how interesting or helpful the promised content. A good rule of thumb is to open only those attachments that you are expecting to receive.
- Relatedly, scrutinize senders’ email addresses and signature blocks. Scammers often change little things about email addresses or signature blocks to fool you. By creating a fake email address that closely mimics a legitimate address, scammers do not even need to hack into your network to perpetrate their schemes. Rather, they can transpose two letters and victimize the unsuspecting. Take 10 seconds to hover over and expand the full email address of the sender of any email containing links, attachments or directions to undertake material actions (send money, for example). Take a hard look at the signature block. Scrutinize syntax and grammar too for good measure. Do not just automatically click every link or open every document that looks helpful or interesting, even if it looks really helpful or supremely interesting.
- Use a phone number you already know to contact the sender and confirm that the email is legitimate and that the link or attachment is safe.
- Get your coronavirus updates from trusted sources. There is nothing a phishing scammer can tell you that your regulators, health authorities, government officials and trusted professionals cannot. Even with these sources, however, it is critical that you scrutinize the senders’ information closely and call to verify anything that looks even remotely suspicious.
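As an added illustration of the transposed-letters trick described in the sender-address point above (example code, not part of the original post): a small Python check that parses constructed From: headers and flags any sender domain within a couple of edits of a domain you trust. The trusted domains and sample headers below are made up for the example.

```python
from email.utils import parseaddr

# Constructed sample From: headers for the example (not from any real campaign).
SAMPLE_FROM_HEADERS = [
    "Health Alerts <updates@cdc.gov>",
    "Jane Doe <jane.doe@examplefirm.com>",
    "Jane Doe <jane.doe@exapmlefirm.com>",        # two letters transposed
    "Trade Association <news@examplefirm.co>",    # one letter dropped
    "IT Helpdesk <support@exampelfirm-secure.com>",  # too different to be a near-miss
]

# Hypothetical allow-list of domains the reader already trusts.
TRUSTED_DOMAINS = {"cdc.gov", "who.int", "examplefirm.com"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent characters counts as one edit."""
    d = {}
    for i in range(-1, len(a) + 1):
        d[(i, -1)] = i + 1
    for j in range(-1, len(b) + 1):
        d[(-1, j)] = j + 1
    for i in range(len(a)):
        for j in range(len(b)):
            cost = 0 if a[i] == b[j] else 1
            d[(i, j)] = min(d[(i - 1, j)] + 1,          # deletion
                            d[(i, j - 1)] + 1,          # insertion
                            d[(i - 1, j - 1)] + cost)   # substitution
            if i and j and a[i] == b[j - 1] and a[i - 1] == b[j]:
                d[(i, j)] = min(d[(i, j)], d[(i - 2, j - 2)] + 1)  # transposition
    return d[(len(a) - 1, len(b) - 1)]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' (near-miss of a trusted domain) or 'unknown'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    if any(damerau_levenshtein(domain, good) <= max_edits for good in trusted):
        return "lookalike"
    return "unknown"


def audit(headers):
    """Map each sender address to its verdict, e.g. for a quick mailbox sweep."""
    return {parseaddr(h)[1]: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:9} {addr}")
```

A "lookalike" verdict is exactly the case where the hover-and-expand habit above pays off: the address is close enough to a real one to fool a glance, so it is worth the phone call before acting.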
These precautionary measures likely represent a bare minimum approach to safe email practices in these challenging times. But they are powerful defenses against an increasingly powerful threat, especially as the world goes remote and the physical distance between us grows. Be safe, virtually and IRL (that’s in real life for those of you who weren’t sure).