Be vigilant, COVID-19 scams are on the rise

April 6, 2020

Scammers aren’t known for their community spirit and COVID-19 is proving no exception to this. With large numbers of employees working remotely for an extended period, the cybersecurity risks increase. It is even more important now that you ensure you keep good practices in mind, to keep yourself and your business safe.

New websites are quickly being created to disseminate information relating to the pandemic. Unfortunately, many of them will also be traps for unsuspecting victims.

Nexia New Zealand have summarised below some of the more unusual scams that have shown up due to scammers taking advantage of the COVID-19 outbreak, as well as some more common scams that are being adapted to take advantage of our dramatically changing work environment.

Phishing or spear phishing emails
Phishing has been around since the 1990s, but the more recent phenomenon of spear phishing has only been recognised since 2010.

Phishing is the fraudulent attempt to get personal information, such as usernames, passwords and bank account details, to impersonate or defraud victims. The scammer will disguise themselves as a trustworthy entity and may also try to convince you to make fraudulent payments.

Spear phishing is the same as regular phishing emails, however, they are targeted at a particular recipient. These commonly pretend to be from a senior person in your organisation, a friend, business connection or a supplier.

The World Health Organisation (WHO) has warned of emails pretending to be from them. These emails pretend to link to new COVID-19 information or resources. If the user clicks on the link, they are sent to a page that requests you to put in your email address and password.

If you have received an unexpected or unusual looking email you should:

  • Verify the email address of the sender. For example, the WHO domain is “@who.int”. If you receive an email from any email address other than “user@who.int”, the email is not from the WHO.
  • Check the hyperlink of the button or link provided. It may look safe, but it could lead elsewhere. To check this, you can hover your mouse over the link and it will show the actual linked web address. As an example, the following link who.int will actually take you to “https://www.nexia.co.nz/”.
  • Report any suspected scams to your IT provider, CERTNZ, and any other appropriate parties. If you do see any scams relating to the WHO they are requesting that you report it to them.

If you have clicked on a suspected scam link and given out usernames and/or passwords, you should change the password on every site where you have used that password. If this password has also been used for your email address it is important that you change this password, as this could then be used to reset your other passwords using the “forgot password” link on a website.

This is a good time to start thinking about password managers. Password managers securely store your usernames and passwords. You then only need to remember one password to access your password manager.

Like most scams, phishing emails rely on users being rushed or distracted. As difficult as it may be now, taking time to think about what an email is requesting will likely pay off in the long run.

Business Email Compromise (BEC)
BEC attacks usually involve a scammer getting access to the email account of an employee in your organisation or one of your suppliers or customers. They will then instruct you to make a payment, or change a supplier bank account, in an attempt to extort money to an account they control.

There are some simple steps you can take to reduce the risk in your organisation:

  1. Scammers may use phishing or spear phishing to gain email passwords. The steps we have described above can help protect you from this.
  2. If you get an unusual email, take the time to pick up your phone and call the person who is apparently making the request.
  3. Use a complex password (which is not used anywhere else) for your email account.
  4. Adding Multi Factor Authentication (MFA). MFA involves setting up an additional layer of authorisation before you can access your email account.
  5. Keep your devices and anti-virus up to date. Ensure that you are updating your home machines with the latest updates and restarting your work computer each morning to receive security updates. Ideally, all staff members should have at least a free version of anti-virus software on their personal device. Devices that staff use at home could become more vulnerable if employees fail to update their systems regularly.

Text messages (SMShing)
Similar to the WHO phishing emails, we are seeing reports of text messages that are pretending to be from the WHO, or other trusted organisations. These link to malicious websites that either request information or will install malware on your device to steal data.

It is surprisingly easy to make a text appear to originate from a trusted organisation. While each text scam looks different, they often have similar characteristics that you can look out for. These include using an unusually long phone number, the text wanting you to act with a sense of urgency, offering you something if you respond, asking you for your personal details to reactivate an account, etc.

App/Software scams
Recently scammers have been taking advantage in the pandemic by creating applications which track the spread of COVID-19. Downloading such applications will install incorporated malware, designed to steal browser data such as passwords, browser history, and credit card information. It may also let scammers watch you or listen to you through your device.

Ensure that you only download software or an application from a trusted website or store, such as Google Play or iTunes.

Scammers take advantage of limitations in controls, and people who are distracted or in distress, and they are wanting you to feel confused and rushed.  

As most of us are now working from our homes, it is worth taking some time to consider your internal and external fraud risk, and what you can do to minimise or mitigate the risk. As always, our team at Nexia New Zealand is here to assist you or offer advice.

For more information, Nexia New Zealand recommend the following trusted websites.

Leave a comment

Fields marked * are required