Phishing is a type of scam where bad actors cloak their identities and send emails trying to trick recipients into clicking a link or attachment. Hackers know that communication from employers or health organizations about the coronavirus can spark an emotional reaction and compel people to click — and as the pandemic evolves, their tactics are changing as well, cybersecurity experts say.
For example, early on in the pandemic, when many Americans were out of work, digital security firm Aura saw phishing scams focused on unemployment claims increase by 40 times, chief executive Hari Ravichandran said.
Back then, the pandemic was all uncertainty all the time, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. But now, we’re learning to live with ongoing precautions, and the coronavirus, for many, has gone from a novel threat to a banal reality.
And nothing says “banal” like paperwork. Employers are asking for negative coronavirus test results, return-to-work feedback forms and, in some cases, proof of vaccination. That’s fertile ground for phishing and ransomware.
“This has gone from a panicky cultural mood to something that’s become this rote, operationalized bureaucracy,” DeGrippo said. “That almost makes it easier for the bad actors because people are getting used to: ‘Upload your negative test here, go download this covid form, fill it out.’ ”
Next time you receive an email with coronavirus updates, stop, read it closely and check for signs of phishing. Here are four lures to look out for.
Emails asking for proof of vaccination
Many companies, such as Google and Facebook, are now requiring employees to get vaccinated before they return to work.
Use extra caution if you receive an email asking for proof of vaccination, though. Your vaccination card contains some information that hackers may find useful, such as your birth date.
Proofpoint uncovered major phishing campaigns posing as corporate human resource departments and asking recipients to submit information about their vaccination statuses. Links in these emails probably led to fake Microsoft sign-in pages (such as the one below), with the goal of stealing employees’ log-ins.
Emails from fake health organizations
Before you send any personal information to a health organization that contacts you via email, make sure you can verify its existence and its legitimate need for the information. It’s unlikely that an unfamiliar nonprofit organization needs your name, Social Security number and a copy of your vaccination card, for instance. Criminals try to collect as much information about their victims as possible, Ravichandran said — if it’s not valuable now, they may be able to sell it to bad actors down the line.
“We see a lot of people impersonating government organizations grab this information, and a lot of this information ends up getting sold on the dark web, so there’s an economic and commercial aspect to it,” he said.
Emails saying you’ve been let go
If a particular subject line gets victims to click, cybercriminals will use it more often (just like other data-driven marketers). According to Proofpoint’s research, emails telling employees they are losing their jobs because of the pandemic are a phishing favorite.
“It quite literally is clickbait,” DeGrippo said. “They need you to click on them, so in order to get the person to take the action, you’ve got to escalate their emotional state to one that has them emotional, instead of intellectual — thinking with the smart part of the brain.”
Whether it’s a spreadsheet titled “companywide salaries” or an attachment that purports to be your severance package, the more eager you are to click, the easier it is to make a mistake.
Emails laying out coronavirus precautions or treatment options
One well-known malware campaign disguised itself as an email update on coronavirus protective measures for the office. The senders even included figures about coronavirus infections and deaths in the body of each email, further compelling recipients to open the attachment.
Guard against phishing
Phishing emails look legitimate — to a point. Proofpoint found one malicious campaign with subject lines such as: “covid-19 vaccinations for its mask mandate for the ongoing disaster which.”
Keep an eye out for spelling or grammatical errors, misspelled Web addresses or slightly altered email domains. For example, “firstname.lastname@example.org” may become “HR@company.com.” Read link URLs and sender addresses carefully, and be wary of subject lines that don’t quite make sense.
Always verify requests through a second channel — if HR sends a document you weren’t expecting, for instance, get someone from HR on the phone before opening it. If an unfamiliar community organization sends you a vaccination form to fill out, ask if it’s available on the Web, or whether the organization can send it in the body of an email.
This tends to work because hackers have very poor customer service, DeGrippo said. They don’t want to stop and walk someone through the email designed to steal credentials. Any small barrier of inconvenience will probably make digital thieves move on to an easier target.
Use different passwords for your work and personal email. That way, if one gets compromised, hackers can’t break into the other and use it to compromise more accounts. A good password manager tool should help.
Last, maintain a healthy suspicion of any email that stokes an emotional reaction: fear, worry, anger, even curiosity. The delta variant is frightening, which can make it all the more tempting to click.