Watch Out for Coronavirus Phishing Scams

On Thursday, as coronavirus infections spread, the World Health Organization classified the outbreak as a global emergency. On Friday, United States officials placed 195 people in a two-week federal quarantine at a California military base after evacuating them from Wuhan, China. Amid international efforts to contain transmission of the virus, online scammers have already begun exploiting the uncertainty and fear.

A sample phishing email from Tuesday, detected by security firm Mimecast, shows attackers disseminating malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the disease. “Go through the attached document on safety measures regarding the spreading of corona virus,” reads the message, which purports to come from a virologist. “This little measure can save you.”

Email scammers often try to elicit a sense of fear and urgency in victims. It’s not surprising that they would attempt to incorporate the coronavirus into that playbook so quickly. But the move illustrates how phishing attempts so consistently hew to certain time-tested topics and themes.

“Unfortunately we see this often in geopolitical events and world events,” says Francis Gaffney, the director of threat intelligence at Mimecast. “This is when cybercriminals seek opportunities to use the confusion that vulnerable people have. They’ll click on links because they’re not sure.”

Attackers often tailor phishing scams to seasonal events like holidays or tax season in an attempt to capitalize on anxiety or eagerness. Different attackers will launch different variations of the same scam to steal login credentials, distribute spyware, or collect personal information from their victims. They’ll also try to take over legitimate email accounts and target a specific group. If an attachment appears to come from a colleague, you’re that much more likely to open it.

The success rate of seasonally themed phishing emails pales in comparison, though, to those pegged to a critical world event. People living through Brexit uncertainty or a natural disaster have disproportionate questions and concerns. Attackers can exploit those fears and doubts by suggesting they have answers.

Very recent history bears that out. In the beginning of January, as tensions escalated between the United States and Iran, scammers sent SMS text messages with malicious links claiming that recipients had been chosen for a US military draft. US Army Recruiting Command, which does not initiate or manage drafts, issued a statement debunking the false texts. And the Selective Service System warned about fraudulent websites that urged victims to “register” for the draft and pay a “fee.” The specifics of the ploys varied, but all fed on the same anxieties, attempting to trick young people into entering their information into a form and sending money directly to scammers.

“We’ve seen time and time again that cybercriminals are always looking to exploit highly visible events, because people are more likely to engage with malicious emails when the content includes themes that generate more interest,” says Crane Hassold, senior director of threat research at the email security firm Agari and a former digital behavior analyst for the Federal Bureau of Investigation. “Some other themes we have seen in recent campaigns are the wildfires in Australia and California.”

Beyond phishing scams, public health efforts to get a handle on coronavirus have already been dogged by misinformation and conspiracy theories. On Thursday, Facebook laid out a plan for dealing with the false claims, fear-mongering, fake cures, and misleading advice that flooded the platform. Google, Twitter, and other social platforms like TikTok have also committed to fighting misinformation and boosting credible reporting and advice.

Phishers know all too well that during uncertain times—whether it’s international conflict or coronavirus—people become desperate for information and reassurance. Protecting yourself from falling into these traps can be difficult, but there are some helpful steps you can take. As you’ve probably heard countless times, take a moment to think before downloading attachments or clicking links in any email or message, especially from someone you don’t personally know. If you have to interact, try to confirm that the email address is valid and spelled correctly, or use another method of communication to confirm that everything is above board. Most importantly, trust your gut. If something elicits strong emotions or a sense of urgency—or just feels off—pause to reconsider. Ultimately, though, phishing scams are designed to manipulate and deceive. There’s no shame in getting tripped up.

“The coronavirus has a global audience,” Mimecast’s Gaffney says. “So if you say ‘Coronavirus is now more prevalent!’ people are going to think ‘Oh my gosh, it’s more contagious than has been reported in the news. The news isn’t keeping up with the emails.’ And they’re more likely to click on links, because they are concerned.”
