Catches of the month: coronavirus phishing scams

There’s been one thing on our minds the past couple of months: coronavirus. It appears that cyber criminals are no different, focusing all their efforts on scams that capitalise on the panic.

One of the biggest risks is phishing scams – malicious messages that appear to be from a trusted source.

The number of reported phishing attacks has risen by more than 600% since February, with the majority of those cashing in on people’s uncertainty and fears over the pandemic.

If you’re not sure how phishing works, or you want to know what types of messages to look out for, keep reading.

How do phishing scams work?

Phishing attacks can come in many forms, but they all have the same purpose: to trick the recipient into handing over their personal details or to infect their systems with malware.

The scammers do this by including a link to a bogus website that imitates a genuine site or a contact detail (such as an email address or phone number), or by attaching an infected file to the message.

Phishing attacks are usually delivered by email, but they also occur on instant messaging platforms, by text (smishing) and over the phone (vishing).

So what does a phishing scam look like? Let’s get started with an email a member of our team recently received:

This is about as basic as a phishing scam can get, and we hope you’d recognise it was one. For one, the message is addressed generically to “Facebook/Intagram user” – and the social media giant has apparently forgotten how to spell “Instagram”.

Then there’s the pretext of the message: Facebook has decided to award one of its users $1 million as compensation for coronavirus. You’d have thought that if this was a real giveaway, you’d have heard about it before now – probably along with angry comments about why the money wasn’t donated to healthcare facilities.

But as elementary as this message is, it provides a useful nuts-and-bolts example of phishing, along with the tricks that criminals use.

Already you can see four big giveaways: it contains grammatical errors, a generic greeting, implausible content and a request to hand over personal information.

There’s also the bait-and-switch for where to send that information. That is to say, the message claims to be from Facebook, so you’d imagine the return email address would be something ending in “”, rather than a Gmail account.
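A mail filter or triage script can test for most of these giveaways automatically. The Python below is an added example, not part of the original article: it checks a message for the generic greeting, a misspelt brand name, a request for personal details and a reply address that does not match the claimed sender. The brand-to-domain table, the function name and the sample message (with "freemail.example" standing in for the webmail account) are assumptions made for illustration, and judging whether the content is plausible is left to the reader.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: each brand mapped to the domain it really mails from.
BRANDS = {"facebook": "facebook.com", "instagram": "instagram.com"}
GENERIC_GREETING = re.compile(r"^\s*dear\b.*\b(user|customer|member|winner)\b", re.I | re.M)
PII_REQUEST = re.compile(
    r"\b(send|reply with|provide|confirm)\b[^.!?]*\b(full name|address|bank|date of birth|password)\b",
    re.I)


def phishing_indicators(raw_message):
    """Return the set of giveaway names found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    # Collect every text/plain part so multipart messages are covered too.
    body = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    found = set()
    if GENERIC_GREETING.search(body):
        found.add("generic_greeting")
    if PII_REQUEST.search(body):
        found.add("personal_info_request")
    # Near-miss spellings of a brand ("Intagram") stand in for the wider grammar check.
    for word in set(re.findall(r"[a-z]+", body.lower())):
        if word not in BRANDS and difflib.get_close_matches(word, list(BRANDS), n=1, cutoff=0.85):
            found.add("misspelt_brand")
    # Bait-and-switch: the display name claims a brand, but mail goes somewhere else.
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    for brand, domain in BRANDS.items():
        if brand in display.lower():
            for addr in (from_addr, reply_addr):
                host = addr.rpartition("@")[2].lower()
                if addr and host != domain and not host.endswith("." + domain):
                    found.add("sender_domain_mismatch")
    return found


# Constructed sample modelled on the message described above; not the real email.
SAMPLE = """\
From: Facebook Rewards <claims@freemail.example>
Reply-To: claims@freemail.example

Dear Facebook/Intagram user,

You have been selected to receive $1,000,000 as compensation for coronavirus.
Reply with your full name, address and phone number to claim.
"""
```

Calling phishing_indicators(SAMPLE) reports all four indicators; a message with none of them returns an empty set, which means only that these particular checks found nothing.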

All this seems simple enough to spot, but things get trickier when the scams are more sophisticated. In the next section, we review some of the more believable scams you should be looking out for.

UK government payment scam

At first glance, this text message – which many people across the UK received last month – looks authentic:

The message claims that the UK government is paying all residents £258 to help them during the disruption caused by COVID-19.

That doesn’t sound too far-fetched, and it is in a similar format to the nationwide text that the government sent when the UK went into lockdown.

Eagle-eyed readers will notice that the email address should read “covid-19-relief” – and would be a “.gov” address – but for many, the promise of free money will tempt them into clicking.

If they do, they’ll be directed to a website imitating the UK government’s, which asks them to submit their name, address and bank account details.

You’ve been fined for leaving the house

Both scams we’ve seen so far have tried to lure victims with the promise of a reward, but criminals are just as likely to use the threat of punishment.

Take this scam, which plays up the government’s warning that those who don’t follow lockdown protocol may receive a fine:

Ignoring the fact that the fine is £30, not £250, this is otherwise an effective phishing attempt.

It’s grammatically correct, it states that it’s from “.GOV.UK” – just like the legitimate text message you would have received regarding lockdown – and there’s nothing about the contact details (in this case, a phone number) that immediately points to the fact that it’s not legitimate.

Granted, it’s an 0800 number, and those are normally used for marketing purposes, but you can disregard that discrepancy for the same reason you’d disregard the incorrect fine amount. Many people will be so rattled by the accusation that they won’t rationalise these errors, instead immediately responding to the message.

Once the victim is on the line, the scammers have done the hard part. From there, they simply need to find a plausible reason why the fine is as large as it is or threaten the victim with a larger penalty if they don’t pay up immediately.

Although these intimidation tactics might seem obvious now, you’d be surprised how effective they are when victims are caught up in the moment.

There’s a reason phishing is one of the biggest cyber security threats; don’t blindly assume that you’ll recognise a scam where so many others won’t.

One virus is enough

Phishing is just one of many security problems that the coronavirus pandemic is causing organisations. With employees working from home and not protected by the office’s security systems, the threat of cyber attacks is greater than ever.

When you factor in the uncertainty of the pandemic, the prospect of depleted workforces in the coming weeks through illness or furlough, and the fact that cyber criminals can continue to operate from the safety of their homes, cyber security should be a top priority.

We’ll continue to give regular updates and advice on our blog, but you can also find solutions to help you through this crisis by visiting our website.

Nobody knows what the full effect of the virus will be, but one thing’s for sure: you have enough to worry about without the threat of a cyber attack or data breach.
