Phishing Attacks during Covid-19

The COVID pandemic has tested everyone; psychologically and physically but there are some people who have exploited it to make money and fame. Phishing is still one of the most common forms of cyber-crimes, but it is being merged with one of the most developing fields and that is ransomware.

What is phishing?
Phishing is when a cyber criminal contacts you by email, but pretends to be someone that you know or trust such as your bank, your work, your PayPal account, Microsoft, the Inland revenue or even the police. Because you might believe it is a legitimate message from someone you know, you are more likely to give the cyber criminal sensitive data such as your bank details, credit card information or passwords. In an email, there will often be a link that you are asked to click on to address an urgent problem.

What is Spam?
Other than a questionable meat in a can that became a staple of wartime Britain, Spam is unsolicited messages sent in bulk from a sender or a company. Just under half of all emails sent are thought to be spam, and in some estimates that could add up to around 107 billion spam emails sent out each a day globally. Most spam messages are irritating advertisements, but some spam messages are harmful and contain phishing or malware.

NEVER CLICK ON A LINK IN AN EMAIL, SOCIAL MEDIA MESSAGE OR TEXT UNLESS YOU ARE 100% SURE IT IS SAFE AND YOU HAVE EXPECTED TO RECEIVE IT.

By clicking a malicious link, you could inadvertently instigate a download of malware or ransomware to your computer or your entire home or work network. Malware and ransomware are software designed to do harm.

How to identify phishing e-mails
Unfortunately, phishing e-mails have got a lot more intelligent and convincing, with the more at-risk portion of society not recognising the differences. There are some ways to check without opening the e-mail at all.

E-mail subject

The subject of the e-mail is usually something to pull you in, to alert and cause anxiety. A common one in 2020 is “are you from (insert your town)?” or “You are in DANGER!!!!” They seem to be very informal, and often have a rather non-uniform structure. Always examine and review your e-mail subjects before opening them.

E-mail sender
The sender of the e-mail usually tries to make the address convincing e.g. [email protected]. Firstly, most corporations use .com as an address or if based in the UK it is .co.uk or .gov.uk. If the subject and the e-mail are suspicious do not open it.

E-mail content
If you hover above the e-mail with your mouse, a box appears with what is in the e-mail dialogue, it will probably be text that is geared to scare the reader with some alarming news that requires urgent action. Phishing emails rarely use your name, instead addressing you as valued customer or such like. These are all clues that this is a scam email.

DO NOT CLICK HYPERLINKS UNLESS YOU TRUST THE SENDER 100% AND WERE EXPECTING THIS MESSAGE

Types of Phishing Attacks
It is commonly thought that phishing occurs only in emails, but it is now being modified to other platforms such as SMS, social media and phone calling. The most at risk people are the elderly and people who are neuro a-typical.

Vishing
Vishing is becoming more common and takes place as a phone call. The attacker might ask you, “were you in a car crash?” taking the chance that you have been. These attacks are usually used to retrieve information for more organised groups, and any information that can be procured will help target you in a more sophisticated attack.

In a Vishing attack or con phone call, a criminal pretending to be a bank representative may try to con someone into moving large sums of money to a ‘safe place’, a criminal pretending to be Microsoft may con someone into allowing them to remote access their computer to ‘fix’ a problem. Many vulnerable people have lost their pensions and life savings to these scams, or had their computer encrypted to make it unusable unless they pay a ransom.

To prevent this, only answer calls that you are expecting or from recognised callers. If you accidentally answer the phone to someone you don’t know who is asking about your life or accounts, just hang up and block the number.

Smishing 
Very similar to vishing but done in SMS or  text message format. They will have links or messages to try and incite a response but do not answer these. Do not click the links, just delete them immediately.

Spear Phishing
Whilst phishing is based on deploying a phish on a large indiscriminate group, a spear phish is based on targeting a specific person in an organisation or an individual. These messages are usually carefully constructed with aspects of the individual’s personal and work life to goad a response. This is a targeted attack and the phisher will spend a lot more time to procure the information. The aim of these attacks is knowledge, usually as a way to get ransomware or a virus into the system. These can be very convincing, so stay on alert.

If in the workplace, you receive an unorthodox email from a colleague, contact them with their office number or go and talk and them to check it is legitimate.   New members of staff can be especially susceptible to spear phishing attacks which is why cyber security training needs to start on day one.

Whale Phishing
Whale phishing is like spear phishing but it targets only the senior members of the organisation. It has exactly the same intentions but a very specific vector. Head of HR is a common target for whale phishing.

Awareness is your best line of defence
If you receive an email, a text message or phone call from someone who says they are your bank or any other institution, always be suspicious. A legitimate company will never phone or email you and ask you for your passwords or bank details. If you are in doubt, delete the message and go to the company’s website and find their phone number. Call them to check that they have been in touch with you.

There are no technical controls that you can put in place to address phishing. This is very much a people problem and the attackers are conmen. These conmen take advantage of busy and stressed human beings who are likely to make mistakes. They deliberately put pressure on the victim by creating some kind of urgency, telling you that your bank account is in danger, you have a huge fine or that your PayPal account has been frozen, and then they use that emotional disturbance to enable you to make a poor and rushed decision. Another name for this type of cyber attack is social engineering, because attackers are manipulating people rather than technology. The way to protect users from phishing attacks is education and awareness.

How to prevent spam

Spam Filters
Most email providers such as BT or Chrome have a naturally inbuilt spam filter. Google Chrome’s filter is one of the best and you do not need to pay for a spam filter at home. Unfortunately, some spam gets through, this is usually due to the sender making a very convincing e-mail address that bypasses it.

Reporting spam
If you find any suspicious e-mails, please follow this link;
https://www.ncsc.gov.uk/information/report-suspicious-emails

Protecting the vulnerable
The vulnerable are by far the most prolific victims of spam and phishing, so, if you have anyone in your life that you are worried about, talk to them in light conversation about emails, text messages and phone calls they receive. Discuss how phishing works and how it effects everyone. You want to make sure that they are aware of this crime and so more protected. The effects of cyber crime are very destructive both financially and emotionally.

The next blog will explore Ransomware.