Your COVID-19 guide on how to identify phishing attempts

It seems that scammers can’t stoop any lower. They are even taking advantage of the viral outbreak that's been causing chaos worldwide: now, 3% of all the world’s spam is COVID-19-related, impersonating organizations like the World Health Organization (WHO) or the United Nations. It's an oft-used tactic, adopting the latest sensational news to prey on people’s fears and sense of urgency.

Just recently, emails purportedly coming from the WHO have spiked. The emails promise information and other assistance to avoid being infected. Many of these emails are phishing attacks that deliver ransomware or other malware. What’s worse, they are able to use the WHO’s official email address, due to the WHO’s inability to address this vulnerability in email security.

Phishing has become a staple internet scam, with effects that range from stolen bank credentials to massive data breaches and ransomware downing public services. Fraudsters use email to deceive targets into downloading malware or giving away confidential information.

According to Verizon’s 2019 Data Breach Investigations Report, 32% of all cyberattacks involved phishing. Fortunately, though the content of the phishing email may change to fit a global crisis, there remain telltale signs to watch out for. Follow these best practices to avoid getting scammed.

Don’t trust emails from public domains

Always take note of the domain name in the sender’s email address. A legitimate organization or business will never use a public email domain such as @gmail.com.

Reputable organizations from all industries will have their own email domain or company accounts. A quick and convenient way to verify these addresses is by entering the company’s name into a search engine.

Don’t be misled by display names

Scammers can fool recipients into paying less attention to suspicious domain names. One way is by impersonating a legitimate organization in the email’s display name.

Anyone can easily select their display name, and phishers can use the name of any legitimate organization, from PayPal to the World Bank. To further convince the recipient of the validity of the message, the scammer may use email addresses very similar to the ones used by the organization being spoofed, like “paypal@helpdesk-server-752.com”.

To further bring home the scam, they may also use the organization's logo to appear authentic.

Look for carefully hidden misspellings

Any scammer can buy a domain name from a registrar and imitate an organization’s name with clever misspellings. Compare 123media.com to 123rnedia.com. Upon closer inspection, you’ll notice that’s not an “m” in the second domain name but “r” and “n.”

Hackers use misspellings like these to fool employees, vendors, suppliers, and partners of the imitated organization. And for hackers who send thousands of phishing emails and think steps ahead, it does not matter if the phishing attempts succeed at stealing data or delivering malware.

With each attempt at the email directory of a target organization, they weed out careful employees and contacts, so that the more reckless ones remain.
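
The sender checks from the three sections above (public domains, display names, hidden misspellings), written out as an added example that is not part of the original article. The domain lists, brand mapping and lookalike table are constructed assumptions, and the sample headers reuse the article's own examples.

```python
from email.utils import parseaddr

# Constructed lists for illustration; maintain your own in practice.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Brand keyword -> domains that brand actually sends from (assumed mapping).
TRUSTED = {"paypal": {"paypal.com"}, "123media": {"123media.com"}}
# Character sequences that render like another letter, e.g. "rn" for "m".
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(text):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    text = text.lower()
    for fake, real in LOOKALIKES:
        text = text.replace(fake, real)
    return text


def check_sender(from_header):
    """Return a list of warning labels for one From: header value."""
    display, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")
    findings = []
    if domain in PUBLIC_DOMAINS:
        findings.append("public-domain")
    claimed = skeleton(display + " " + local)
    for brand, domains in TRUSTED.items():
        if domain in domains:
            continue  # sender really is on this brand's domain
        for good in sorted(domains):
            if skeleton(domain) == skeleton(good):
                findings.append("lookalike-domain:" + good)
                break
        else:
            # The brand is named in the display name or local part only.
            if skeleton(brand) in claimed:
                findings.append("brand-mismatch:" + brand)
    return findings


if __name__ == "__main__":
    samples = [  # constructed headers based on the article's examples
        '"PayPal Support" <paypal@helpdesk-server-752.com>',
        "billing@123rnedia.com",
        '"Acme Billing" <acme.billing@gmail.com>',
        "service@paypal.com",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "no findings")
```

The display name and From address are both chosen by the sender, so an empty result only means none of these three signs fired, not that the message is genuine.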

Take note of grammatical mistakes

The reality is that many of these scammers are either not very good writers or are not native English speakers. To make their messages look convincing, they will often use online translation services or spell checkers.

These tools may give them the right words and spelling, but the resulting messages will still be full of grammatical errors. The copy will either sound unprofessional or be rife with the kind of mistakes that people learning English make.

What if these mistakes are simply mistakes? If you don’t know the sender, be extra vigilant and ask yourself these questions about the grammatical errors:

  • Is the error a common typo, like one made by accidentally hitting an adjacent key?
  • Is the mistake one that a native speaker normally wouldn’t make, like using words in the wrong context?
  • Does the message look like a template?
  • Are the mistakes consistent with previous messages from this sender?

Here's one thing to remember: legitimate businesses spend a lot of money to make their websites and emails look and sound professional, so sending a message with grammatical errors is an unlikely thing for them to do. If you need to ascertain the sender's identity, contact them using a method other than email -- in person, if possible, or via phone.

Beware of emails that urge you to act fast

Messages like “Act fast!” or “Warning. Update your account” prey on the fear that inaction will lead to an unfortunate outcome (e.g., you can lose your account, or you will be fined). Scammers impersonate companies such as Windows, Netflix, and Apple, knowing people won’t tolerate inconveniences in these services.

The truth is that legitimate organizations will not rush you or your employees, nor will they threaten you in an email.

Spear phishing is another strategy phishers use to push recipients to act quickly. Scammers will study particular individuals to message them as people they know, often a boss or a senior colleague. They count on the target dropping everything to accommodate the boss’s urgent request, often a payment to a spoofed bank or vendor.

Take note of these other red flags

Take a quick look at our article, “Common Phishing Scams and Signs”. We’ve prepared seven easy-to-remember phishing signs for your security policy. Include them in the security training of your employees and keep your organization protected from phishing.

At NetQuest, we’re with you to keep you and your employees moving forward through these uncertain times. We know you need to keep your data secure and your IT infrastructure flexible, as you support both your customers and your employees. Our solutions and expertise are at your disposal. Find out how.
