Being confined to your own home during the current lockdown measures means you may not be too concerned about your home security for the time being.
But be warned an increasing number of malicious cyber scammers are exploiting the current COVID-19 pandemic for their own objectives and attempting to break in to your computer software.
NCSC (National Cyber Security Centre)
In the UK, the NCSC (National Cyber Security Centre) has detected more UK government branded scams and emails relating to COVID-19 than any other subject. Scams pretending that they come from well known organisations, scan for vulnerabilities in software and remote workshop tools.
Although, from the data seen to date, the overall levels of Cyber Crime have not increased the NCSC are seeing a growing use of COVID-19 related themes by malicious cyber actors.
Working from Home
At the same time, the surge in home working has increased the use of potentially vulnerable services, such as Virtual Private Networks (VPNs), amplifying the threat to individuals and organisations. Cyber criminals are targeting individuals, small and medium businesses and large organisations with COVID-19 related scams and phishing emails You should remain alert to increased activity relating to COVID-19 and take proactive steps to protect yourself and your business.
What is phishing?
Phishing is when criminals try to convince you to click on links within a scam email or text message, or to give sensitive information away (such as bank details). Once clicked, you may be sent to a dodgy website which could download viruses onto your computer or steal your passwords.
Given the current coronavirus (COVID-19) situation, cyber criminals are sending emails that claim to have a ‘cure’ for the virus, offer a financial reward, or encourage you to donate. Like many phishing scams, these emails are preying on real-world concerns to try and trick you into clicking.
These scam messages (or ‘phishes’) can be hard to spot and are designed to get you to react without thinking. If you think you have clicked on a bad link, don’t panic – there’s lots you can do to limit any harm.
What to do if you’ve already clicked
If you’ve already clicked a link (or entered your details into a website), take the following steps:
- If you’re using a work laptop or phone, contact your IT department and let them know.
- If you’ve been tricked into providing your banking details, contact your bank and let them know.
- Open your antivirus (AV) software if you have it and run a full scan. Allow your antivirus software to clean up any problems it finds.
- If you’ve provided your password, change the passwords on all your accounts that use the same one.
- If you’ve lost money, tell your bank and report it as a crime to the UK’s reporting centre for Cyber Crime. By doing this, you’ll be helping the NCSC (National Cyber Security Centre) to reduce criminal activity, and in the process prevent others becoming victims of Cyber Crime.
Tips for spotting tell-tale signs of phishing
Spotting a phishing email is becoming increasingly difficult, and many scams will even trick computer experts. However, there are some common signs to look out for:
Authority – Is the sender claiming to be from someone official (like your bank, doctor, a solicitor, government department)? Criminals often pretend to be important people or organisations to trick you into doing what they want.
Urgency – Are you told you have a limited time to respond (like in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
Emotion – Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
Scarcity – Is the message offering something in short supply (like concert tickets, money or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
Current events – Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.
Your bank (or any other official source) should never ask you to supply personal information from an email. If you have any doubts about a message call them directly. Don’t use the numbers/emails in the email but visit the official website instead.
Spotted a suspicious email?
The message might be from a company you don’t normally receive communications from, or someone you do not know. You may just have a hunch. If you are suspicious, you should not open it delete it immediately.
Make yourself a harder target
Criminals use publicly available information about you to make their phishing messages more convincing. This is often gleaned from your website and social media accounts (information known as a ‘digital footprint’). You can make yourself less likely to receive phishing emails by doing the following:
- For your social media applications and other online accounts, review your privacy settings.
- Think about what you post (and who can see it).
- Be aware what your friends, family and colleagues say about you online, as this can also reveal information that can be used to target you.
- If you do spot a suspicious email, flag it as Spam/Junk in your email inbox. Tell your email provider you’ve identified it as potentially unsafe.
What is a vishing attack?
Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.
What is a smishing attack?
Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.