An email purportedly from the World Health Organization (WHO) offering coronavirus "safety measures" is actually a phishing scam. Here are the real safety measures to take against it.

Following the outbreak of the coronavirus, Sophos, a global leader in next-generation cybersecurity, has identified a phishing scam that uses the virus as its lure.

An email carrying the World Health Organization (WHO) logo has been circulating, asking recipients to read a document on safety measures for preventing the spread of the coronavirus. The "document" is reached through a link in the email.

Anyone who clicked the link was taken to a clone of the WHO's home page, overlaid with a popup form demanding an email address and password "in order to gain access". Whatever was typed into the form was captured by the crooks, after which the fake site simply redirected the victim to the genuine WHO site as though nothing was wrong. That final redirect is what makes the theft easy to miss: the victim ends up on the real site and has no reason to suspect the password is already gone.

People who are nervous about the coronavirus situation, who have friends and family in the worst-affected regions, or who simply want to do the right thing by learning how to prevent the spread of the disease may well end up filling in the popup and handing over their email address and password.

[Screenshots: the clone site (left) and the real WHO site (right)]

Fortunately, the spelling errors in the email are a giveaway. But we may not always be so fortunate…

Paul Ducklin, Principal Research Scientist at Sophos, shares the following tips:

  • Never let yourself feel pressured into clicking a link in an email. Most importantly, don’t act on advice you didn’t ask for and weren’t expecting. If you are genuinely seeking advice about the coronavirus, do your own research and make your own choice about where to look.
  • Don’t be taken in by the sender’s name. This scam says it’s from “World Health Organization”, but the sender can put any name they like in the From: field.
  • Look out for spelling and grammatical errors. Not all crooks make mistakes, but many do. Take the extra time to review messages for telltale signs that they’re fraudulent – it’s bad enough to get scammed at all without realising afterwards that you could have spotted the fraud upfront.
  • Check the URL before you type it in or click a link. If the website you’re being sent to doesn’t look right, stay clear. Do your own research and make your own choice about where to look.
  • Never enter data that a website shouldn’t be asking for. There is no reason for a health awareness web page to ask for your email address, let alone your password. If in doubt, don’t give it out.
  • If you realize you just revealed your password to impostors, change it as soon as you can. The crooks who run phishing sites typically try out stolen passwords immediately (this process can often be done automatically), so the sooner you react, the more likely you will beat them to it.
  • Never use the same password on more than one site. Once crooks have a password, they will usually try it on every website where you might have an account, to see if they can get lucky.
  • Turn on two-factor authentication (2FA) if you can. Those six-digit codes that you receive on your phone or generate via an app are a minor inconvenience to you, but are usually a huge barrier for the crooks, because just knowing your password alone is not enough.
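Three of the tips above (the From: name is free text, check where a link really points, and a health-advice page has no business asking for a password) can be checked mechanically before anyone clicks. The script below is an added example written for this article, not Sophos's or Paul Ducklin's code. It triages a raw email by comparing the sender's display name with the address domain, extracting link hosts and form targets from the HTML body, and flagging any password field that posts somewhere other than WHO. The sample email and the `who-safety-measures-example.com` domain in it are constructed to resemble the lure described above; they are not the real scam email. The script assumes `who.int` is the only domain that legitimately belongs to WHO.

```python
"""Triage a suspicious email for the phishing signs described in the tips above.

Added example for this article (not Sophos's code). Uses only the standard library.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: who.int (and its subdomains) is the only domain we accept as genuinely WHO's.
TRUSTED_DOMAINS = ("who.int",)

# Constructed sample modelled on the lure described in the article; it is NOT the real email.
SAMPLE_EMAIL = """\
From: World Health Organization <info@who-safety-measures-example.com>
To: recipient@example.net
Subject: Corona virus safety measures
Content-Type: text/html; charset=utf-8

<html><body>
<p>Go trough the attached document on safety measures.</p>
<p><a href="http://who-safety-measures-example.com/login">Safety Measures</a></p>
<form action="http://who-safety-measures-example.com/grab" method="post">
  <input type="email" name="email"><input type="password" name="pass">
</form>
</body></html>
"""


def is_trusted_host(host):
    """True if host is a trusted domain or a subdomain of one (exact label match, not substring)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class _HtmlScan(HTMLParser):
    """Collects link targets, form actions and input types from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.form_actions, self.input_types = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())


def triage(raw_email):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []

    # Tip: the From: display name is whatever the sender typed; judge the address domain instead.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if re.search(r"world health organi[sz]ation|\bWHO\b", name, re.I) and not is_trusted_host(domain):
        findings.append(f"display name '{name}' but sender domain '{domain}' is not WHO")

    # Tip: check the URL before you click; compare every link host with the claimed sender.
    body = msg.get_body(preferencelist=("html", "plain"))
    scan = _HtmlScan()
    scan.feed(body.get_content() if body else "")
    for href in scan.hrefs:
        host = urlparse(href).hostname
        if not is_trusted_host(host):
            findings.append(f"link points to untrusted host '{host}': {href}")

    # Tip: a health-awareness page has no reason to ask for a password at all.
    if "password" in scan.input_types:
        for action in scan.form_actions or ["(no action)"]:
            host = urlparse(action).hostname
            if not is_trusted_host(host):
                findings.append(f"password form posts to untrusted host '{host}'")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample it reports all three signs: a WHO display name on a non-WHO sender domain, a link to a non-WHO host, and a password form posting to that same host. The domain check deliberately matches whole labels rather than substrings, so a lookalike such as `who.int.example.com` is not treated as WHO.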