Beware of Covid-19, CDC Phishing Scams: 13 Red Flags

By Amanda Daly | Tuesday, March 10th, 2020
Covid-19 is disrupting and distracting lives and businesses across the globe. At the same time, scammers are planning their attacks.

In recent news, hackers are sending out phishing emails that impersonate the CDC (Centers for Disease Control and Prevention) or WHO (World Health Organization). With this developing outbreak, hackers are counting on end users to read an email, or click a link in one, that appears to come from the “CDC” or “WHO” in order to learn more about the coronavirus.

These emails could bring you to a landing page where the hacker can steal user credentials, such as emails, usernames, and passwords. These messages might also ask you to open an attachment to see the latest statistics, in which case you’re likely to download malicious software onto your device.

Employee awareness, education and training are going to act as your firm’s best line of defense against these types of cybersecurity scams. Generally, phishing emails share a set of common characteristics employees should beware of:
  • Sense of urgency! Beware of any email saying something must be done NOW ‘or else’

  • Poor grammar or misspelled words or typos

  • Generic sender information, such as from ‘payment processor’

  • Domain is not legitimate; for example, a subdomain may be used, or the spelling is incorrect (contains an extra letter that could be overlooked)

  • Links! Only click on those that you are expecting. Also, hover your mouse over the link before you proceed to make sure that it is taking you where it claims to.

Also, be aware that landing on the wrong website can expose a firm to risks, so be on the lookout for these signs that could signal it is a malicious site:

  • Check the web address for misspellings, extra words, characters or numbers that seem off or suspicious

  • Roll your mouse pointer over a link to reveal its true destination, displayed in the bottom left corner of your browser

  • If there is NO padlock in the browser window or ‘https://’ at the beginning of the web address to signify that it is using a secure link, do not enter personal information on the site

  • Be wary of websites that request lots of personal information

  • Avoid ‘pharming’ by checking the address in your browser's address bar after you arrive at a website to make sure it matches the address you typed

  • Be wary of websites that are advertised in unsolicited emails from strangers
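
The link checks from the two lists above (a trusted name used as a subdomain, a misspelled domain, link text that differs from the real destination, no ‘https://’), as an added Python example that is not part of the original post. The trusted-domain list, the flag names, the 0.8 similarity threshold and the sample message are assumptions made for illustration.

```python
import difflib, re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("cdc.gov", "who.int")  # assumption: the real domains being impersonated

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_flags(href, text):
    """Return the red flags from the lists above that apply to one link."""
    url = urlsplit(href)
    host = re.sub(r"^www\.", "", (url.hostname or "").lower())
    flags = [] if url.scheme == "https" else ["no-https"]
    if not any(host == d or host.endswith("." + d) for d in TRUSTED):
        if any(d in host for d in TRUSTED):  # trusted name buried in another domain
            flags.append("trusted-name-in-other-domain")
        tail = ".".join(host.split(".")[-2:])  # crude guess at the registered domain
        if any(difflib.SequenceMatcher(None, tail, d).ratio() >= 0.8 for d in TRUSTED):
            flags.append("lookalike-spelling")
    # What hovering reveals: the text shows one hostname, the link goes to another.
    shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    seen = re.sub(r"^www\.", "", shown.group(0)) if shown else host
    if seen != host and not host.endswith("." + seen):
        flags.append("text-destination-mismatch")
    return flags

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: link_flags(href, text) for href, text in parser.links}

# Constructed sample body; every hostname except www.cdc.gov is made up.
SAMPLE = (
    '<a href="http://cdc.gov.health-alerts.example/login">www.cdc.gov/coronavirus</a>'
    '<a href="https://whoo.int/stats">Latest statistics</a>'
    '<a href="https://www.cdc.gov/coronavirus/">CDC guidance</a>')
```

Calling `scan_email(SAMPLE)` returns one list of flags per link; an empty list means none of these checks fired, not that the link is safe.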

Remind your employees now to be ultra aware and to follow company policies. Looking ahead, however, the most effective way to train employees on phishing dangers is to actually phish them. Managed phishing services are rising in popularity, as they use phishing email simulations to test existing knowledge and provide in-the-moment education so that users are best equipped to thwart cyber attacks.

We encourage you to review guidance for the US and UK governments:
