Scammers know you are wary of pandemic-themed phishing now …
After a year of being exposed to pandemic-related scams, phishing and malware, internet users have become slightly more alert and savvy when being baited with nerve-wracking email headings and ads.
Imagine checking your email inbox and receiving any of these headings from your IT department, department heads, colleagues or business associates:
- Password Check Required Immediately
- Revised Vacation & Sick Time Policy
- COVID-19 Remote Work Policy Update
- COVID-19 Vaccine Interest Survey
- Important: Dress Code Changes
- Scheduled Server Maintenance — No Internet Access
- De-activation of [[email]] in Process
- Test of the [[company name]] Emergency Notification System
- Scanned image from MX2310U[[domain]]
- Recent Activity Report
The wording is crafted to grab your attention and make you ‘cut to the chase’: click on whatever links are in the message to correct the ‘mistake’ or head off some imminent disruption to your work!
According to Stu Sjouwerman, CEO of KnowBe4, with the pandemic raging for over a year now, cybercriminals are having less success with phishing attacks that leverage the global crisis. Instead, there is a steady increase in users falling for security-related email scams. “The bad guys go with what works, and in Q1 2021, nearly a third of the users who fell for a phishing email had clicked on one related to a password check. Always check with your IT department through a known good phone number, email address or internal system before clicking on an email related to checking or changing a password, because it only takes one wrong click to cause monumental damage.”
If pandemic themes fail, use these
So what do you do when your victims have become impervious to scams that leverage the pandemic? Go for the perennial favorite themes, of course!
Password- and security-related themes are holding their ground as effective bait. So are themes around work-related warnings; potential prizes and rewards; e-commerce order problems; software updates or bug fixes; social media fake news or gossip; and issues that affect money, income, work performance and boss-to-employee relationships, as epitomized in this list of common and effective phish-bait:
- Microsoft 365: Scheduled Server Backup
- IT: IT-Help Ticket Survey Invitation
- Warning: Your E-mail account has just sent 260 E-mails
- Amazon Prime: Action required – Card on file has been declined
- License Update
- Google: Take action to secure your compromised passwords
- Apple: Prize winner! We need your confirmation
- Zoom: You missed a Zoom meeting
- HR: Your payroll details need updating
- Facebook: Important message regarding your Facebook profile
On messaging platforms, you can also be randomly targeted with unsolicited greetings from scammers who have hijacked your contacts’ accounts or obtained phone numbers to use for impersonation. Messages informing you out of the blue that your “LinkedIn Password has been reset”, or that “You appeared in new searches this week!”, sure sound inviting!
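The two subject-line lists above are, in effect, a lure taxonomy: credentials, urgency, IT administration, money, prizes and social-platform notifications. The following is an added example (written for this page, not tooling from KnowBe4 or the article) of how a mail-gateway or SOC triage script can score inbound subjects against those themes and flag them for human review. The theme keywords are taken from the subject lines quoted above; the weights, the threshold, the brand-to-domain table and the sample mailbox are constructed assumptions for the demo, and the brand check only catches a claimed brand whose sender domain does not belong to it.

```python
"""Heuristic triage of e-mail subject lines against common phish-bait themes.

Added example for this article; not KnowBe4's product code. Theme keywords come
from the subject lines quoted in the article; weights, threshold and sample
messages are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# (theme, weight, pattern). Each theme adds its weight at most once per subject.
THEMES = [
    ("credential", 3, re.compile(r"password|compromised|de-?activation|log-?in|sign-?in", re.I)),
    ("urgency",    2, re.compile(r"immediately|action required|important|urgent|in process|take action", re.I)),
    ("it_admin",   2, re.compile(r"\bserver\b|it-help|help ?desk|\bpolicy\b|remote work|maintenance", re.I)),
    ("money",      3, re.compile(r"payroll|card on file|declined|license|invoice", re.I)),
    ("prize",      2, re.compile(r"prize|winner|reward|survey|giveaway", re.I)),
    ("social",     1, re.compile(r"missed a .*meeting|new searches|profile", re.I)),
]

# Brands the article's lures impersonate, mapped to domains they actually mail from.
# Assumed table for the example; a production list would be maintained separately.
BRAND_DOMAINS = {
    "microsoft 365": ("microsoft.com",),
    "amazon prime":  ("amazon.com",),
    "google":        ("google.com",),
    "apple":         ("apple.com",),
    "zoom":          ("zoom.us",),
    "facebook":      ("facebookmail.com", "facebook.com"),
    "linkedin":      ("linkedin.com",),
}


@dataclass
class Verdict:
    subject: str
    sender: str
    score: int
    reasons: list = field(default_factory=list)
    flagged: bool = False


def claimed_brand(subject: str):
    """Return the brand named in a 'Brand: ...' subject prefix, if we know it."""
    prefix, sep, _ = subject.partition(":")
    brand = prefix.strip().lower()
    return brand if sep and brand in BRAND_DOMAINS else None


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def domain_matches(domain: str, allowed) -> bool:
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def triage(subject: str, sender: str, threshold: int = 4) -> Verdict:
    """Score one message; flagged means 'route to a human, do not click'."""
    score, reasons = 0, []
    for name, weight, pattern in THEMES:
        if pattern.search(subject):
            score += weight
            reasons.append(name)
    brand = claimed_brand(subject)
    if brand and not domain_matches(sender_domain(sender), BRAND_DOMAINS[brand]):
        score += 3
        reasons.append(f"brand '{brand}' claimed from unrelated domain")
    return Verdict(subject, sender, score, reasons, score >= threshold)


def triage_mailbox(messages):
    return [triage(subj, sender) for subj, sender in messages]


# Constructed sample mailbox (subject, From address); domains are examples only.
SAMPLE_MESSAGES = [
    ("Password Check Required Immediately", "it-support@examp1e-corp.com"),
    ("Amazon Prime: Action required – Card on file has been declined", "billing@prime-alerts.example"),
    ("Zoom: You missed a Zoom meeting", "no-reply@zoom.us"),
    ("Q3 budget review notes", "alice@example.com"),
    ("Google: Take action to secure your compromised passwords", "security-noreply@accounts.google.com"),
]

if __name__ == "__main__":
    for v in triage_mailbox(SAMPLE_MESSAGES):
        mark = "FLAG" if v.flagged else "ok  "
        print(f"{mark} score={v.score:<2} {v.subject!r} from {v.sender} {v.reasons}")
```

The keyword score is deliberately crude: a genuine password-reset notice from the real vendor still scores high, which is the intended outcome, because the article's advice is to verify any password-related message out of band rather than trust the subject line. The brand-versus-sender check adds signal in the other direction, so a "Zoom: You missed a meeting" notice from zoom.us stays below the threshold while the same text from an unrelated domain does not.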
Fight perennial baits with perennial safeguards
While new baiting themes are constantly being created to lure victims, there have always been reliable tips and guidelines for avoiding cyber traps. There are also mitigation measures to take even if you do inadvertently fall for the initial stages of a multi-stage phishing attack.
- Observe basic cyber hygiene that keeps your data backed up, your financial accounts locked down with multi-factor authentication, and your defences against ransomware intact.
- Assume everything out of the ordinary is clickbait, so that you are in a defensive frame of mind when checking any message for signs of authenticity. When in doubt, go offline and find ways to verify the message’s provenance.
- Guard your personal data, login credentials, and time-limited second-factor codes as if your digital life depended on it. Anything online that requires logging in, providing personal information or filling in forms should raise alarm bells in your mind.
- Remember that, no matter how severe or urgent a message seems, if you panic and start clicking on every link pushed at you, the subsequent damage may be many times more severe. Instead, take a deep breath and verify the situation with real people on authenticated communication channels.
- Rein in your vanity and greed: even genuine, legitimate online ads, lucky draws, giveaways and surveys can be rigged to mine data about you that can later be leaked or stolen. Prudence is the best policy!
- No matter how well you protect your own online persona, you are not safe until all your family, friends and contacts are safe. Make it a point to remind them of basic cyber hygiene and encourage them to stay alert.
Perennial mitigation measures
- If all else fails, and you have already clicked on a link that has triggered alarm bells, stay calm. Panic and over-reaction can worsen any situation. Now is not the time to be embarrassed or ashamed to disclose the mistake to the people who can help.
- If a smart device or computer is involved, take it offline as soon as you can. Use another internet access point and device that is known to be safe.
- Once any personal information has been submitted to a phishing website, calmly unlink every online service, platform and piece of software that relies on that information. That means changing all login passwords on the affected systems and informing the relevant administrators of those systems (banks and firms you have a business relationship with) so that you can seek indemnity if subsequent damage is inflicted on one or more parties as a result of your mistake.
- If you are not alone in the phishing scam, contact everyone you think could be involved as well. Protecting them can protect you!
- In the aftermath, monitor all financial assets vulnerable to misuse of the phished information, as well as all online services involved. If you have done your due diligence in informing the authorities and the management of the affected websites about your situation, indemnity and limitation of damage can be taken as a given.
Remember, the personal information you lost to scammers and hackers may not be used against you and the online services involved immediately. However harmless the information you provided to them may seem, it can be used to build a profile of your online persona for exploitation much later on.