The current COVID-19 outbreak has been taking a toll on our health, our lifestyle, our economy and system. Despite this, hackers and cyber-criminals are taking advantage of the situation to scale up their attacks. In March alone, Luxembourg and the rest of the world have been confronted with a deluge of phishing attempts and other cyber fraud schemes. This is a fact. Surveillance of global phishing activity surrounding the coronavirus outbreak revealed a 667% increase in phishing attempts compared to February.
Unfortunately, this health crisis has generated the perfect environment for hackers and cyber-attacks to thrive. Businesses are disrupted. They have had to change their opening hours or close their doors to the public completely. Their employees now work from home, some on unsecured computers or networks. Consumers seek assurance and comfort while trying to adapt to a new way of living. Unsurprisingly, fraudsters find easy prey in these unprecedented circumstances.
Here are some good practices based on WHO recommendations on how to identify phishing attempts and avoid falling into these digital traps:
1. Verify the sender by checking their email address.
You may receive emails that appear to come from recognised organisations or businesses you may have heard of. In the From field, the sender's name seems correct, but once you hover over it, the full email address is different from what you would expect to see. This is very common in phishing attacks. Messages and email addresses look legitimate, as if they came from a trusted source, while in fact they do not. What should you do?
- Check the full email address.
- Pay attention to the domain name as well. Sometimes, the email address may end in .org instead of .com.
- Compare it with previously received messages (if you have already exchanged messages with the respective sender).
- Contact the respective company only via official communication channels (a secure message in your web banking app, by phone, or the contact form on its website, whose address you typed directly in your browser).
2. Check the link before you click.
Most phishing emails ask you to take some sort of action and click on a link. This can be to update your personal data, to send money to someone in distress, to buy something increasingly scarce (like a face mask) or to check the newly updated terms and conditions. Behind the link, there may be malware or a spoof website (a web page that may look very much like a legitimate one).
What should you do? Restrain yourself from clicking on the link. Sometimes, it is easy to identify the link as an illicit one by simply hovering over it and looking at its name. If you have doubts, then access the referenced website from your browser, by typing the name in the search bar.
3. Scrutinise the content.
As mentioned before, these types of emails pressure the reader into making decisions and taking action. Regardless of what is written, take a step back and think about what they are asking you to do. Is their request appropriate? Despite the sense of urgency, are you comfortable with it? Why would they need this kind of information from you?
Bear in mind that no legitimate company will ever ask you to provide personal information such as your username and password. They are strictly confidential.
4. Look for spelling and grammatical mistakes.
Phishing emails often include spelling, punctuation, and grammar errors, so read everything carefully.
5. Beware of generic greetings.
Since phishing emails are bulk mailings sent to a large number of people, they will rarely use your name. In fact, your email address may be in the BCC field of the email and not in the TO field, as it should normally be. Greetings such as “Dear Sir or Madam” or “Dear client” are a good indication that you are being phished.
6. Observe the overall look and feel of the email.
Legitimate companies use customised email templates, including corporate banners, colours, logos and signature names. If the email is rather plain and simple, then that should raise a couple of red flags.
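For readers who triage suspicious mail, checks 1, 2 and 5 above can be automated over a saved message. The following Python sketch is an added example, not LuxTrust code; the sample email, the addresses, the reserved example.com/example.org domains and the warning names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name, address and domain is made up.
SAMPLE = """\
From: "Example Bank" <support@example.org>
To: undisclosed-recipients:;

<p>Dear client,</p>
<p><a href="http://login.example.org/update">https://www.example.com/login</a></p>
"""
GENERIC_GREETINGS = ("dear sir or madam", "dear client")  # the article's examples

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def check_email(raw, expected_domain, recipient):
    """Return warning codes for checks 1 (sender), 2 (links), 5 (greeting)."""
    msg, found = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != expected_domain:
        found.append("sender-domain")        # e.g. .org where .com is expected
    if recipient.lower() not in (msg.get("To", "") + msg.get("Cc", "")).lower():
        found.append("not-in-to")            # you were probably BCC'd
    body = msg.get_payload()
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        found.append("generic-greeting")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        shown = urlparse(text).hostname      # None unless the text is a URL
        if shown and shown != urlparse(href).hostname:
            found.append("link-mismatch")    # text shows one site, href another
    return found
```

Calling `check_email(SAMPLE, "example.com", "alice@example.net")` flags all four conditions; a warning is a reason to verify through official channels, not proof of fraud.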
If you receive or have identified a phishing email, please report it to the concerned company via secured communication channels. Then delete the message without forwarding it to anyone else.
Realistically speaking, cyber-attacks and phishing attempts will continue to happen even after the COVID-19 outbreak is over, but we can take the opportunity to internalise and apply the right practices to ensure we do not get fooled by fake emails or spoof websites.
At LuxTrust, your security and privacy are our priorities. If you notice that your device is missing or has been used unlawfully, or you receive a doubtful communication that involves sharing your LuxTrust credentials, please contact our Customer Support Desk at +352 24 550 550 or by email: firstname.lastname@example.org.