No sooner was the Coronavirus pandemic announced than other viruses became apparent: a rash of cyber attacks launched by criminals eager to capitalise on the panic and to cash in on people’s understandable uncertainty and anxiety about the disease. Most concerning of these, for small and medium-sized business owners, are the Coronavirus phishing scams, and the question is how not to get caught out by them.
This criminal activity is called ‘phishing’ for a reason. It’s a spin on the word ‘fishing’: criminals dangle a fraudulent ‘lure’ in front of you (usually a legitimate-looking but fake e-mail leading to a legitimate-looking but fake website) in the hope that you will ‘bite’ and hand over the information they have asked for, such as credit card and account numbers, passwords, usernames and so on.
It’s frightening to note that since the Coronavirus pandemic was announced in February 2020, the number of reported phishing attacks has risen by more than 600%.
Learn more about Coronavirus phishing scams and how not to be caught by them
If you’d like to know more about Coronavirus phishing scams, how to spot them, how to protect your small to medium-sized business (whether your team are working remotely or not) and how not to be caught by one, you’re in the right place. In this blog post we’ll give you the hook, line and sinker on phishing attacks. Below you’ll discover:
- Why it could happen to you or one of your team
- How to spot and stop a phishing scam
- Be cautious of more credible threats
- The telltale signs a message is actually a scam
- Put the odds of staying safe on your side
- What to do if the worst happens
- Be safe now, not sorry afterwards
Why it could happen to you or one of your team
Essentially, a phishing scam is a malicious message that appears to come from a legitimate and trusted source in order to get the victim to hand over confidential information or to let malware into their systems.
It’s easy to look at some of the crude, inept and obviously fraudulent attacks and think ‘I wouldn’t be daft enough to fall for a scam like that!’ However, countless sane, sensible and savvy professionals do, because phishing attacks are constantly evolving, becoming more sophisticated and harder to detect.
What’s more, we’re all busy people who rarely read a text or e-mail properly; we skim the content, anxious to get on with the next task. That’s when mistakes and errors of judgement are made.
Human error is pivotal here. Your cybersecurity defences are only ever as strong as their weakest link, and research shows that for a small to medium-sized business that link is its employees, however inadvertently. That’s why staff training and awareness are mission critical when it comes to preventing phishing attacks, a subject we’ll return to later.
How to spot and stop a phishing scam
Phishing attacks come in many forms, but they all have the same purpose. They’re usually delivered by e-mail, but they also arrive via instant messaging platforms, by text (smishing) and over the phone (vishing).
One recent and rather crude phishing scam was discovered in the form of a Facebook message which contained many of the basic ‘errors’ that would make it clearly identifiable for what it was. These telltale signs included:
- It had a generic greeting to the ‘Facebook/Intagram user’; it was not addressed to a specific person, even though those platforms know and regularly use your first name and surname.
- One of the social media giants had apparently forgotten how to spell its own name: ‘Intagram’ rather than ‘Instagram’.
- The incredible and frankly unbelievable ‘hook’: the message claimed Facebook had decided to award one of its users $1 million as compensation for Coronavirus.
- The message claimed to be from Facebook, so you’d expect the reply address to be at ‘@facebook.com’ and any link to lead to facebook.com; instead the reply address was a Gmail account.
So the five big giveaways that scream ‘phishing scam’ were all present and correct in the Facebook/Instagram message above: spelling and grammatical errors, a generic greeting, implausible content, a reply address or web link that doesn’t match the supposed sender, and an eventual request to hand over personal information.
However, if all this seems simple enough to spot and stop, it gets harder as the scams become more sophisticated, as the attack below demonstrates.
Be cautious of more credible threats
An excellent example of a far more sophisticated phishing attack occurred last month here in the UK, and it looked every bit as authentic as the genuine government text message that preceded it.
You may recall millions of people in London and beyond received a legitimate government text message that read ‘GOV.UK CORONAVIRUS ALERT New rules in force now: you must stay at home. More info & exemptions at gov.uk/coronavirus Stay at home. Protect the NHS. Save lives.’
One scam phishing message was designed to look just like the above official government text message, reading ‘We would like to inform you that you have been recorded as leaving your homes on 3 occasions yesterday. A fine of £35 has been added to your gov.uk account. For further information please visit gov.uk/coronavirus-penalty-payment-tracking. Protect the NHS. Save lives.’
Another, again designed to look exactly like an official government text message, read ‘URGENT: The UKGOV has issued a payment of £258 to all residents as part of its promise to battle COVID 19. TAP here https://uk-covid-19-relieve.com to apply.’
Screenshot: the phishing text message pretending to be from GOV.UK.
Neither scam sounds too far-fetched, does it? Especially to a public frightened, confused, locked down and ready to grasp any help, information and, possibly, extra money on offer. Sharp recipients of the second text would have noticed immediately that the link didn’t read right: the government’s website is on gov.uk, not a ‘.com’ domain. The first text is harder to catch on the address alone, because its link text borrows the gov.uk name; there the giveaway is the claim itself, which matches nothing in the real guidance, and the only safe response is to go to gov.uk/coronavirus yourself rather than follow the link you were sent.
The differences are subtle, and many may well have missed them, ending up on a website imitating the UK government’s, which asks them to submit their name, address and, of course, bank account details.
Screenshot: the official government website, which has a gov.uk address and is served over HTTPS. Note that HTTPS on its own proves nothing about who runs a site: the fake relief link above also began with https://. It is the domain name, gov.uk, that matters.
The telltale signs a message is actually a scam
OK, we mentioned the five big giveaways that screamed ‘phishing scam’ in the Facebook/Instagram attack outlined above, but they’re worth repeating:
- The message, whether e-mail or text, is not addressed to you by name. Most organisations you deal with know your first name and surname and will address correspondence accordingly, such as ‘Dear John’ or ‘Dear Mrs Smith’, not ‘Dear customer’ or ‘Dear account holder’.
- You know you haven’t attempted to sign into your account (or done whatever else the message alleges), so why would you respond to a stranger flagging it?
- Spelling and grammatical errors are a dead giveaway, and so is odd capitalisation, for example ‘Online Banking’ capitalised throughout a message when it shouldn’t be.
- The e-mail address or web link the scammer has provided clearly does not look legitimate. You can check this for yourself by hovering your mouse over a link, which reveals the real destination address (on a phone, press and hold the link to preview it instead). The text you can see and the address the link actually points to are two different things, and it’s the latter that counts.
- The frequently incredible and frankly unbelievable ‘hooks’ used as bait to tempt the unwary, such as the claim above that Facebook had decided to award one of its users $1 million as compensation for Coronavirus!
It’s important to note that smarter scammers can make all these telltale signs harder to detect and their message more convincing. For example, they can find out recipients’ names and addresses, write clean copy, and register look-alike domains or disguise their links so that nothing in the message triggers your alarm.
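The checks in the list above can be written down as a small triage routine. What follows is an added example, not code from the original post: it runs those checks over constructed sample messages modelled on the Facebook and GOV.UK scams described above, plus a genuine-looking notification for contrast. The word lists, the `registrable_domain` helper and its short suffix table are assumptions made for the example; a real mail filter would tune the lists against its own traffic and use the full Public Suffix List.

```python
# Heuristic phishing triage over constructed sample messages (added example).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical word lists; assumption: a real filter tunes these against its own mail.
GENERIC_GREETINGS = ("dear customer", "dear account holder", "dear user",
                     "instagram user", "intagram user")
LURE_WORDS = ("urgent", "fine of", "compensation", "tap here",
              "has issued a payment", "$1 million", "£")
# Two-level public suffixes this toy knows (assumption: production code uses the full
# Public Suffix List). gov.uk itself is treated as the registrable domain here, so
# www.gov.uk and gov.uk compare equal.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "me.uk"}
# Absolute URLs, or bare domains with an optional path, as they appear in SMS text.
URL_RE = re.compile(r"https?://\S+|\b[a-z0-9.-]+\.(?:uk|com|net|org)\b\S*", re.I)


class _Links(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append(("".join(self._buf).strip(), self._href))
            self._href = None


def registrable_domain(url_or_host):
    """'https://www.gov.uk/x' -> 'gov.uk'; 'mail.example.co.uk' -> 'example.co.uk'."""
    s = url_or_host if "://" in url_or_host else "http://" + url_or_host
    labels = (urlparse(s).hostname or "").lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(sender, body, expected_domain):
    """Return the telltale signs that tripped; an empty list means none did."""
    findings, expected = [], expected_domain.lower()
    text = re.sub(r"<[^>]+>", " ", body).lower()        # body with any tags stripped
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if "@" in sender:                                    # SMS sender IDs carry no domain
        sender_domain = sender.rsplit("@", 1)[1]
        if registrable_domain(sender_domain) != expected:
            findings.append(f"sender domain {sender_domain} is not {expected}")
    links = _Links()
    links.feed(body)
    seen = set()
    for shown, href in links.pairs:                      # HTML links: where they really go
        dest = registrable_domain(href)
        if dest != expected:
            seen.add(f"link goes to {dest}, not {expected}")
        if URL_RE.fullmatch(shown) and registrable_domain(shown) != dest:
            seen.add(f"link text shows {registrable_domain(shown)} but goes to {dest}")
        if href.lower().startswith("http://"):
            seen.add("link is plain http, not https")
    for raw in URL_RE.findall(text):                     # bare URLs in plain text / SMS
        dest = registrable_domain(raw.rstrip(".,;)"))
        if dest != expected:
            seen.add(f"link goes to {dest}, not {expected}")
    findings.extend(sorted(seen))
    if any(w in text for w in LURE_WORDS):
        findings.append("money or urgency lure")
    return findings


# Constructed samples modelled on the messages the post describes (not real captures).
SAMPLES = {
    "facebook_html": (
        "facebook.support@gmail.com",
        "<p>Dear Facebook/Intagram user,</p><p>Facebook has decided to award you "
        "$1 million as compensation for Coronavirus.</p><p>Claim it at "
        '<a href="http://facebook-claim-compensation.com/claim">'
        "https://www.facebook.com/claim</a></p>",
        "facebook.com"),
    "govuk_relief_sms": (
        "UKGOV",
        "URGENT: The UKGOV has issued a payment of £258 to all residents. "
        "TAP here https://uk-covid-19-relieve.com to apply.",
        "gov.uk"),
    "govuk_penalty_sms": (
        "UKGOV",
        "A fine of £35 has been added to your gov.uk account. For further "
        "information please visit gov.uk/coronavirus-penalty-payment-tracking.",
        "gov.uk"),
    "genuine": (
        "no-reply@facebook.com",
        "<p>Hi John,</p><p>You changed your password on 3 April.</p><p>If this was not "
        'you, <a href="https://www.facebook.com/settings/security">review your security '
        "settings</a>.</p>",
        "facebook.com"),
}

if __name__ == "__main__":
    for name, (sender, body, expected) in SAMPLES.items():
        print(f"{name}: {triage(sender, body, expected) or ['no signs tripped']}")
```

Run it and the penalty-notice text trips only the lure check, because its link text borrows the gov.uk name; that is exactly why the domain test on its own is not enough and the plausibility of the claim has to be weighed as well. The genuine notification trips nothing, and the Facebook message trips every check, including the mismatch between the link text and where the link really goes.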
Put the odds of staying safe on your side
Phishing attacks are becoming more numerous, more sophisticated and harder to spot and stop. You should apply some common-sense cybersecurity measures to ensure that your people, business, IT infrastructure, data, IP and confidential financial and customer information stay safe and secure.
- Company-wide training and awareness is crucial
Make sure every member of your team, working remotely or not, understands the dangers of phishing scams and the whole host of other risks washing around online. Encourage them to be extra vigilant about unexpected, unrecognised and unsolicited e-mails, messages, texts and social media posts. Emphasise the need for each of them to stop, think and check before clicking on or opening anything they do not recognise. It only ever takes a quick phone call to verify the legitimacy of an unusual request, but make that call to a number you already have on file, never to one printed in the suspicious message itself.
- Only use links you know and trust
If you use an organisation regularly (such as your bank) you may well have a bookmark for the website you usually use. If you haven’t, type the organisation’s address in yourself, or use a search engine and pick the organisation’s genuine listing rather than a sponsored result (anyone can buy an advert), then go to the site from there. Chances are, if the e-mail or text you’ve received is legitimate, you’ll find the same message once you have logged in on the organisation’s own site.
The bottom line is that you should NEVER:
- log into any organisation’s website via a link in an e-mail or text message,
- make any kind of payment to anyone via such a link,
- provide personal information in response to a request that comes at you via e-mail, phone, text or social media message.
Scammers can use very convincing copy, but you can be equally canny by checking.
- Utilise the right technology
Ensure you have antivirus protection on every device that will access your network and office computers, and keep the operating system, browser and applications on those devices fully updated with the latest patches and versions, not just the antivirus itself. In addition, install or activate a web tool that identifies malicious sites for you so you know the right ones from the wrong. Several tools will do this and, in fact, every mainstream browser now has a built-in feature (Google Safe Browsing in Chrome and Firefox, Microsoft Defender SmartScreen in Edge) that warns you when a site you are about to open, or have just opened, is known to be malicious. Bear in mind that these lists only catch sites that have already been reported, so a freshly registered scam domain may not be flagged yet.
Another sound investment is a device management solution on all the equipment used to access your network, from laptops and tablets to mobile phones, so they can be tracked and remotely wiped should they be lost or stolen.
What to do if the worst happens
If you or any one of your colleagues falls victim to a phishing scam, and we sincerely hope you don’t, tell whoever looks after your IT straight away, then change the password that was entered on the fake site immediately, followed by the password on every other account, application or device where the same or a similar one was used. If card or bank details were entered, contact your bank as well.
That’s because cybercriminals rely on the fact that people reuse one password for a multitude of purposes, and will rapidly try the stolen username and password against other commonly used services in a process known as ‘credential stuffing’.
In fact, an effective company-wide password policy is the backbone of any cybersecurity strategy and is necessary to ensure that every account, application and device is protected by a strong password that is not used anywhere else. To lower your risk profile and let everyone create, store, share and remember their passwords safely, a password manager is a really useful investment. Turn on multi-factor authentication wherever it is offered too, so that a stolen password on its own is not enough to get into the account.
Be safe now, not sorry afterwards
Running one of London’s small to medium-sized businesses during the Coronavirus pandemic is difficult enough without having to worry about phishing scams.
So why not have an informal, confidential and no-obligation chat about your cybersecurity concerns with the go-to IT support team for London, totality services, and see why we’ve earned a 98% client retention rate.
You’ll also soon discover how we’ve achieved more Five Star ratings – including two Feefo Gold Trusted Service Awards – from Trustpilot and Google than you could shake a mouse at.