Tips for dealing with COVID-19-themed phishing attacks

July 15, 2020

Even before coronavirus infections spiked again across Virginia in early July and threatened to overwhelm healthcare institutions, another menace, COVID-19-themed phishing, was attacking the industry from another angle: its trustworthiness.

Cybercriminals are exploiting the popularity of coronavirus-related news and people’s trust in their healthcare providers. These bad actors use attention-grabbing email subject lines such as “CDC COVID-19 information,” “Coronavirus alerts for businesses,” and “World Health Organization COVID-19 updates.” These emails contain links to malicious websites or attachments that are laced with malware such as ransomware.

Thankfully, thwarting these attacks works essentially the same way as thwarting any other type of phishing attack. The FBI recommends that companies adopt the following tips:

  • Use an antivirus program to scan an email attachment before opening it.
  • Distrust attachments you did not ask for, even if these appear to be from trusted coworkers. Fake or “spoofed” email addresses can be made to look like legitimate accounts of colleagues or superiors, so it’s best to talk with the sender to confirm if they really meant to send you an attachment or not.
  • If an email or an attachment doesn’t feel right to you, don’t open it. Even if the antivirus scanner indicates that the attachment is clean, do not open it. This is because new malware programs are always being produced by cybercriminals, and your antivirus software might not recognize these new threats.
  • Implement app updates as soon as these become available. These prevent cybercriminals from taking advantage of known vulnerabilities.
  • If your email program has a feature that lets you download attachments automatically, disable it. This feature is supposed to make reading emails more convenient, but this also makes it easier for malware to get into your computer system.
  • Create an email account with restricted privileges, and read your email there. Some viruses need administrator privileges to wreak havoc on your computer, so this practice will keep viruses at bay.
  • Use a cloud-based email security system from a reputable service provider like [company_short]. [company_short] employs AI-enhanced tools to protect your emails against phishing attacks.
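
The following Python example, added here and not part of the original article or the FBI guidance, checks a raw message for the warning signs described above: the quoted subject-line lures, signs of a spoofed sender, and risky attachments. The risky-extension list, the Reply-To and Authentication-Results checks, and every address in the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Lure terms taken from the subject lines quoted in the article.
LURE = re.compile(r"covid|coronavirus|\bcdc\b|world health organization", re.I)
# Assumption: file types this organization treats as high risk.
RISKY_EXT = (".docm", ".xlsm", ".exe", ".js", ".vbs", ".scr", ".iso", ".zip")

def _domain(header):
    """Lowercase domain of an address header ('' if the header is absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of reasons to verify the message with its sender."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    if LURE.search(str(msg.get("Subject", ""))):
        reasons.append("pandemic-themed subject")
    # Replies routed to a different domain than the visible sender.
    reply_to = _domain(msg.get("Reply-To"))
    if reply_to and reply_to != _domain(msg.get("From")):
        reasons.append("reply-to domain differs from sender")
    # SPF/DKIM/DMARC verdicts recorded by the receiving server (RFC 8601).
    auth = " ".join(map(str, msg.get_all("Authentication-Results", []))).lower()
    for check in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{check}=(fail|softfail)", auth):
            reasons.append(f"{check} failed")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment: {name}")
    return reasons

# Constructed sample message (not real traffic); all domains are placeholders.
SAMPLE = """\
From: "CDC Alerts" <alerts@cdc-gov.example>
Reply-To: collect@mailbox.example
Subject: CDC COVID-19 information
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=cdc-gov.example; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="guidance.docm"

AAAA
--b1--
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty result does not clear a message; as the tips above note, an attachment that scans clean can still be malicious.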

In a time when people need information about how to remain safe during the pandemic, bad actors scale up their efforts to impersonate health organizations and NGOs for their own selfish ends. In April, Google’s Threat Analysis Group detected over 18 million COVID-related phishing or malware-laced Gmail messages per day. While Google claims that it filters out 99.9% of such emails that go through its services, that leaves 0.1% that passes through, which is a lot.


These malicious emails sow misinformation and disinformation with their false subject lines and inaccurate email messages, divert donations that would have gone to charities, and even foster mistrust of health experts.

Beyond this, hackers have also targeted international health organizations with COVID-19-themed phishing emails. For instance, hackers sent World Health Organization (WHO) officials emails that led to a spoofed login page of the WHO website. While the motive for this was unclear, similar phishing attempts in the past have been determined to be intelligence-gathering efforts.

It’s bad enough that the novel coronavirus is pernicious, but it’s made worse by the fact that cybercriminals are taking advantage of the fear and uncertainty it brings. Thankfully, [company_short] is here to thwart phishing and other email-based threats for you. See for yourself how effective our email security tools are by taking advantage of our 14-day no-commitment free trial!
