Hackers love emergencies and times of general uncertainty. Why? Because people are scared, distracted, potentially desperate, and are therefore vulnerable—making them ideal targets.

As COVID-19 continues to spread and global concern about the pandemic rises, bad actors will be impersonating trusted institutions like healthcare organizations, insurance companies, banks, and airlines in order to steal money, harvest credentials, or install malware on your computer…and that’s just on the consumer side. 

When it comes to business, trusted individuals and brands will be impersonated. For example, hackers will impersonate out-of-office CxOs and popular web conferencing applications, especially as organizations encourage and rely on remote-working.

Internally at Tessian, we’ve shared tips with our employees on how to spot this type of scam and what to do in case you’re targeted. We think it’s important to spread the message and raise awareness with everyone. 

Consumers: What Should You Look For?

1. Hackers will be impersonating trusted brands. Carefully inspect all emails, but be especially wary of those coming from healthcare organizations, insurance companies, banks, and airlines, especially those that ask you to “Confirm you are safe”, “Confirm you haven’t traveled to recently affected COVID-19 countries”, or anything similar. 
2. Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot.
3. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.  
4. While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors or branding inconsistencies either in the logo, email template, or a landing page. 

Employees: What Should You Look For?

1. Hackers will be impersonating people within your organization and third-parties like suppliers or vendors. You should be cautious when responding to any internal email that mentions the sender being out-of-office and any third-party email that comes from a source you don’t recognize or that requires urgent action.
2. Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot.
3. The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.  
4. While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors, language or requests that are out-of-character, and branding inconsistencies.

These red flags are all a bit easier to spot when you have a bit more context. Below are just a few examples of phishing emails that you may see over the next few weeks.

The Fraudulent Third-Party

What’s wrong with this email?

• The sender’s email address contains irregular characters and doesn’t match the Display Name.
• Organizations should send internal communications to let their employees know they’ve implemented new tools or platforms. You shouldn’t be hearing about it from the third-party first.
• Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate.

The Out-Of-Office Boss

What’s wrong with this email?

• The sender’s email address is from a freemail domain (@yahoo.com) and not from within the organization.
• The attacker is giving the email a sense of urgency.
• That attacker is using remote-working as a ploy to encourage the target to do something unusual.
• The attacker is impersonating a person in power; this is a common tactic in social engineering schemes.

The Concerned Counterparty

What’s wrong with this email?

• The toplevel domain (.net) is unusual and inconsistent with previous emails from this supplier.
• The attacker is using fear and urgency to motivate the target to act.
• Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate.

The “Helpful” Government Organization

What’s wrong with this email?

• All valid email correspondence from WHO will come from @who.int, not any other variation.
• The attacker is using the fear of COVID-19 to motivate the target to download the malicious attachment.
• Like many other organizations, WHO has stipulated they will never send unsolicited emails containing attachments.

The Proactive Health Insurance Provider

What’s wrong with this SMS?

• The attacker is using fear to motivate the target to act.
• Because no health insurance provider is mentioned by name, you can assume this text has been sent to a large pool of targets.
• Legitimate organizations will never ask you to update your payment details via text.
• The text message contains a shortened link; the target can’t see the URL of the website they’re being led to.

Of course, knowing what these opportunistic phishing emails look like is just the first step. Actually knowing what to do if you’re targetted is what’s really important.

What to Do If You’re Targeted 

1. If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid.
2. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative. 
3. If you’re an employee who’s been targeted, contact your line manager and/or IT team.

We’ve all heard the phrase “prevention is better than cure” and phishing attacks are no exception. While knowing what to do if and when you’re targetted is incredibly valuable, it’s also important that both individuals and organizations know how to avoid being impersonated in the first place. 

How to Avoid Being Impersonated

1. For those of you who are working remotely or are otherwise Out of Office, don’t include any personally identifiable information (PII) in your automated emails or on social media. For example, don’t provide your personal mobile number or email address. Don’t tell people to email a colleague in your absence; this information helps bad actors map connections and relationships within an organization, which can be used to make future phishing emails seem more convincing. Hackers can use this to their advantage to target your colleagues.
2. Organizations should implement SPF, DKIM, and DMARC to help prevent hackers from directly spoofing their domain.  
3. Both brands and senior leadership should advise customers and employees what they will and will not ask for via email, phone, or text. People will then have a better sense of what requests are out of the ordinary and therefore suspicious. 

As we continue sharing best practice tips with our employees to keep them secure while working remotely, we’ll share them with you, too. Check back on our blog for the latest updates.