Cyber-criminals often use current events to trick businesses and individuals into disclosing their confidential information, and the COVID-19 pandemic is no exception. The Federal Bureau of Investigation (FBI) and Centers for Disease Control and Prevention (CDC) are warning of phishing emails and malicious websites that appear to provide information about COVID-19, but actually are designed to steal your personal information or encrypt your files for a ransom.
- Phishing Emails: Posing as the CDC, World Health Organization, or another legitimate organization, cyber-criminals have been sending phishing emails that instruct recipients to open a link or Word document for details on how to protect against COVID-19. In actuality, opening the link or document will install malware designed to collect the user’s personal information or to encrypt files on the user’s system and network and demand a ransom payment to recover the files. These fraudulent emails take many forms. In one example, according to the CDC, the email says it’s from the CDC with the subject line “Flu pandemic warning,” which should be a clue to the fraudulent nature of the email as widespread reports have said COVID-19 is not the same as the flu. The body of the email has multiple grammatical errors and misspellings, typical of phishing emails. It purports to provide statistics on the number of people affected, followed by a link for “Directions” on how to stop the spread of the disease. The “Directions” link, of course, is what the criminals want you to click on. Don’t click on it.
- Malicious Websites: There have been numerous reports of websites that purport to provide “real-time” tracking of COVID-19 cases around the world. According to the FBI, criminals set up these websites to deploy ransomware on systems and devices that visit the websites.
These warnings from the FBI and CDC remind us of the importance of proper “cyber-hygiene.” For example, don’t open unsolicited email from unknown sources. Hover your mouse over links to see where they actually lead, and don’t click if you’re not sure. Be wary of attachments. Don’t visit websites with suspicious domains (e.g., “.com” when it should say “.gov” for a governmental agency). Don’t disclose login credentials, payment card information, social security numbers, or other personal information in response to an email or on an unknown site. And otherwise use common sense: If it seems suspicious, you’re probably right.
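The "hover over the link" and ".com versus .gov" checks above can also be automated for an HTML email body. The following Python sketch is an added example, not code from the FBI or CDC; the sample message is constructed, the names `LinkCollector`, `host_of` and `check_links` are illustrative, and it assumes the email claims to come from a U.S. government agency, so legitimate links should end in ".gov".

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample body, modelled on the lure described above (not a real email).
SAMPLE_HTML = """
<p>Flu pandemic warning. Read the <a href="http://cdc-gov.example.com/steps">Directions</a>.</p>
<p>Latest numbers: <a href="http://tracker.example.net/map">https://www.cdc.gov/coronavirus</a></p>
<p>Official page: <a href="https://www.cdc.gov/coronavirus">https://www.cdc.gov/coronavirus</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def check_links(html, expected_suffix=".gov"):
    """Return (href, reason) per suspicious link; assumes a .gov sender is claimed."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real = host_of(href)
        # If the visible text is itself a URL, it must point to the same host.
        shown = host_of(text) if re.match(r"https?://", text, re.I) else ""
        if shown and shown != real:
            findings.append((href, f"text shows {shown} but link goes to {real}"))
        elif not real.endswith(expected_suffix):
            findings.append((href, f"{real} is not a {expected_suffix} host"))
    return findings
```

Calling `check_links(SAMPLE_HTML)` flags the "Directions" link and the link whose visible text shows a cdc.gov address but leads elsewhere, and passes the link whose text and destination agree.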
These matters apply to businesses and individuals alike, and all should take measures to protect against these kinds of scams.