COVID Phishing, Smishing and Vishing tactics are escalating
August 17th, 2020
While there may be doubt about who originally said “never let a good crisis go to waste,” there’s no doubt that the COVID-19 crisis has fraud perpetrators delivering on its premise at extraordinary levels.
The continuous media coverage of the global pandemic has heightened public fear, creating new and dangerous byproducts – i.e., COVID-related scams, including phishing, smishing and vishing – that prey on the susceptibility of consumers, employees and small businesses alike.
In addition, the pandemic has caused many organizations to rely more on remote workplace models, such as teleworking, which furthers the reliance on email and other digital communications. Unfortunately, that creates ideal conditions for electronic fraud schemes, exacerbating the potential for scams.
As a result, knowing how to avoid COVID phishing, smishing and vishing scams is critical in mitigating negative personal and business impact. Following is an overview of COVID-related scams and some basic guidelines for protecting against them.
What is COVID phishing?
Phishing is a social engineering attack used to steal user data, including login credentials and credit card numbers. It occurs when perpetrators, pretending to be trusted identities, trick unsuspecting victims into opening personal or business emails and clicking on malicious links or opening infected attachments.
The impact can be destructive, resulting in malware installation, disclosure of financial or other sensitive information, or ransomware attacks that freeze entire corporate systems and networks. COVID phishing attacks could appear to come from such reputable sources as:
- Employers, highlighting recent policy changes in the workplace;
- Major health or scientific organizations, offering tips for staying safe;
- Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO), touting the latest pandemic updates and protocols.
The emails look authentic and often include logos or branding of trustworthy organizations. The following actual phishing examples are courtesy of the US. Health and Human Services website.
Workplace policy emails: One workplace phishing email begins, “All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.” When recipients click on the fake “company policy” link, malicious software is downloaded to their computer.
Health advice emails: Phishers have sent emails that offer supposed advice from “medical experts” to help protect against COVID, encouraging recipients to use a link to download safety-related information.
CDC emails: One fraudulent email, appearing to come from the CDC, encourages recipients to click on a link that falsely claims to link to a list of COVID cases in their area.
What is COVID smishing?
While most are familiar with email phishing scams related to COVID, there are other nefarious electronic methods being employed as well, including text phishing, known as smishing. It’s very similar to email phishing, but instead cybercriminals use short message service (SMS) or text messages to dupe individuals into disclosing sensitive information.
While SMS communications can be critical in allowing organizations to quickly relay important information during emergency situations, perpetrators can also use them to take advantage of those susceptible to these kinds of attacks. One COVID smishing scam (following) appears to come from the Red Cross and promises free face masks from the organization.
What is COVID vishing?
In addition, voice phishing, known as vishing, has been used by fraudsters during the pandemic. COVID vishing can be conducted by voice email, VoIP (voice over IP), or landline or mobile phones, conning individuals into revealing critical financial or personal information. Using a combination of scare tactics and emotional manipulation, vishers even create fake Caller ID profiles (known as ”Caller ID spoofing”), making phone numbers seem legitimate. More frightening is that using VoIP technology, vishers can place hundreds of calls at a time, greatly increasing the risk for negative impact.
How to avoid being a COVID phishing, smishing or vishing victim:
- Don’t respond to texts, emails or calls about stimulus checks from the government. The IRS won’t contact you by phone, email, text message, or social media with information about stimulus checks, or ask for Social Security numbers, bank accounts, or government benefits account numbers.
- Watch for emails claiming to be from the CDC, the WHO or other reputable organizations. Use sites like gov and usa.gov/coronavirus to get the latest information.
- Ignore offers for vaccinations and home test kits. Scammers are selling products to treat or prevent COVID without proof that they work. Most test kits being advertised have not been approved by the FDA and aren’t necessarily accurate.
- Keep an eye out for spelling and grammatical mistakes. If emails, texts or SMS messages include spelling, punctuation and/or grammar errors, they could be phishing or smishing attempts.
- Verify the sender. Most reputable businesses, health organizations or government agencies will NOT ask for any sensitive information through a simple voice, email or SMS message. If in doubt, contact the organization to confirm that it sent the message and verify its dedicated phone number, email address or SMS number.
- Be wary of clicking on links. Most COVID phishing or smishing scams contain an embedded link encouraging you to click it. If you are suspicious of the sender, do not open the message and consider deleting it outright.
- Don’t pick up the phone. Although it’s tempting to answer all phone calls, let them go to voicemail if you don’t recognize the caller, and then decide whether to call back. Also, keep in mind that caller IDs can be faked.
- Hang up on robocalls and don’t press any numbers or respond to prompts. Scammers are using illegal robocalls to pitch pandemic cures and other false opportunities.
- Join the National Do Not Call Registry. Adding your home and mobile phone numbers to this registry is free and tells telemarketers you don’t want their phone calls. Keep in mind, however, that it won’t necessarily stop scammers from calling, but it will provide some relief.
- Do your homework when it comes to charitable donations, especially those related to COVID. Check out the charity’s website to ensure its legitimacy and never donate in cash, by gift card, or by wiring money.
- Protect your devices. Install anti-spam, anti-spyware and anti-virus software and make sure they are always up to date
- Take your time on responding to requests for personal information. There’s no need to act immediately, as scammers use fear to get victims to make hasty decisions. Instead, verify the shared information before taking any action.
How to report COVID phishing, smishing or vishing scams
Reporting possible COVID phishing, smishing and vishing scams is critical in reducing the number of victims and minimizing negative impact. After receiving email, SMS or voice messages suspected of being phishing attempts:
- Contact the organization’s IT department and, if possible, share the following:
- email as an attachment
- screen grabs from your mobile device or computer
- email address, SMS number or phone number from which message came
- who organization claims to be
- other relevant information
- Consider deleting the email or text.
- Notify spoofed organizations so they can help prevent others from being victimized.
- Report robocalls to the Federal Trade Commission (FTC) at donotcall.gov.
- Report number on your caller ID and any number you’re told to call back, which helps the FTC to track down scammers behind the call.
- Even if you think the number on your caller ID is fake, report it. The FTC analyzes complaint data and trends to identify illegal callers based on calling patterns.
If you’ve mistakenly disclosed sensitive information to COVID phishing, smishing or vishing scammers, do not panic. Instead, do the following as soon as possible:
- Change all passwords and sensitive information.
- Contact your bank or credit card company
- Update your personal account information
- Update work accounts, bank accounts and other accounts linked to colleagues, friends and family who could be impacted.
Legitimate sources of COVID-related information
There are a number of national and international sources that provide reliable information about the pandemic. Following are a few to consider when looking for answers to COVID-related questions:
- Centers for Disease Control and Prevention. The CDC website includes the most current information about the coronavirus.
- World Health Organization. WHO provides a range of information, including how to protect yourself, travel advice, and answers to common questions.
- National Institutes of Health. NIH provides updated information and guidance about the coronavirus. It includes information from other government organizations.
For more information about how to protect your organization from COVID phishing, smishing and vishing scams, check out our fraud solution resources here.