Phishing is a malignant curse and the evil chuds behind phishing campaigns are always seeking a new angle of attack. As worry about COVID-19’s spread increases, and as more people start working and studying from home, we can unfortunately expect related scams to become widespread in the coming weeks and months. As such, it’s now more important than ever to practice safe and defensive online habits.
Lately, our spam folders here at SSL.com are catching phishing emails aimed at exploiting the public’s fear of the ongoing coronavirus / COVID-19 pandemic. A number of tech news websites and security software providers are also reporting widespread phishing and malware from cybercriminals posing as legitimate organizations. Among many others, Dan Goodin at Ars Technica has reported on scammers posing as University personnel and the World Health Organization, and Kaspersky Lab provides details of two phishing campaigns impersonating the US Centers for Disease Control and Prevention.
Emails of this type are intended to dupe recipients into revealing sensitive personal information (such as passwords and credit card numbers), and/or installing malware on their device. For example, a message may appear to come from an employer or school official, but contain a link to a bogus web page with a form that harvests login credentials.
Spotting Phishing Emails
The same basic techniques you can use to spot any other phishing scam apply here too:
- Check the sender’s email address. An address may be designed to superficially resemble a legitimate one, but contain subtle differences. For example, the scam CDC email addresses shown on Kaspersky’s website end with
cdc-gov.organdcdcgov.org, notcdc.gov. - Examine any links carefully. Hover your cursor over any link to see where it leads before clicking. Bear in mind that, like email addresses, scam URLs can be designed to appear legitimate on casual inspection. IF THERE IS ANY DOUBT, DON’T CLICK THE LINK. If you think the message might actually be from a real source like your school, employer, or bank, you can always make a phone call to confirm the message’s contents or log into your online account separately, not via the email link.
- Look for misspellings and other irregularities. Phishing emails often contain obvious misspellings and other basic errors that would not be present in a message from a legitimate business or organization.
- If the email urges quick action, that could be because the sender doesn’t want you to think before clicking. Slow down and look closely at the message content and any links before doing anything.
- Check for a digital signature. If your company or any other organization you interact with has a policy of digitally signing email with S/MIME, you can use this signature as proof of identity when opening an email message. All the same, if you receive a signed email you should STILL verify that the email address shown in the message AND certificate is real before clicking any links.
1. Click the triangle to the right of the sender’s name to Show details.
2. The green check mark and Verified email address message mean that the message has been signed by a trusted digital signature. For more information, click the Sender info link. If the certificate is not trusted by Gmail, you will see the message The certificate is not trusted. For unsigned email, no certificate information will be displayed.
3. Now we can check the signer’s email address, the issuing CA, and the certificate’s validity period.
Coronavirus / COVID-19 Information Sources
Everyone at SSL.com hopes that all of our visitors are able find the information they need to stay safe and healthy during this global crisis.
Both the Centers for Disease Control and Prevention and World Health Organization offer up-to-date information resources on prevention, testing, and treatment of COVID-19. In addition, most national, state, and local health departments can be easily identified via a quick Google search — for example, Texas Health and Human Services.