With the spread of novel COVID-19 across the globe, there’s
been a growing spike in digital scams including phishing and
malware activity. Threat actors are ramping up their efforts
and leveraging public fear and interest in the disease for
financial gain.
How Are Scammers Taking Advantage of COVID-19? How Can
Security Awareness Help?
There are currently over 40,000 domain names using the word
COVID-19, many of which are fake websites disguised as
dedicated healthcare reporting sites, according to domain
security research groups. Many threat actors claiming to be
associated with the World Health Organization (WHO) and
other reputable medical and healthcare agencies are
providing communications and news stories that appear valid,
but include malicious links and downloadable apps that
install malware. People's panic and curiosity to know more
let attackers pursue their malicious aims under the cover
of catchy headlines.
The Federal Trade Commission has reported the loss of $13.4
million due to COVID-19 related scams in 2020. Every day,
Google blocks about 18 million COVID-19 related spam emails.
Scam calls (also known as vishing) are getting more
convincing with the help of artificial intelligence. Reports
state that nearly $19.7 billion was lost to vishing attacks
in the year 2019, and experts believe this number will only
increase during the pandemic.
What COVID-19 Scams Are Being Reported?
The COVID-19 related attacks that hackers use exploit a wide
range of the emotions people feel during the pandemic and
lockdown:
- Phishing with blood/plasma/saliva from COVID survivors: These dangerous substances, found "for sale" on the dark web, are being advertised through phishing emails. This is highly dangerous if the hackers are successful: in addition to money lost, there is a potential health risk and possible spread of infection.
- Expedited stimulus checks: Though the U.S. government has promised to provide stimulus checks to all citizens, in many cases the process of sending the money has been slow. Hackers, in their phishing emails, are promising to expedite the process.
- Fake COVID-19 miracle cures and testing kits: Threat actors are sending phishing emails about coronavirus cures and tests that are not approved by health authorities.
- Tech support scams: As millions of employees are now working from home, tech support scams are on the rise. Vishing (phone) attacks are at the core of such scams and aim to extract critical information about your computer.
- Financial phishing: With the economy and financial sector hurt by lockdown, there has been a greater abundance of phishing emails promising no-risk investments.
- Mimicking a boss using artificial intelligence (AI): Vishing attacks are spoofing calls to appear as if they come from a boss or coworker. AI allows hackers to study previous conversations and mimic voice, speech pattern, and tone.
- Phony small business loan sites: As many small and medium businesses are suffering due to the pandemic and are on the verge of closing, fake sites offering business loans have also emerged as phishing attacks.
- Donation scams: As many legitimate groups are collecting donations for much needed causes during the pandemic, fake charity donation sites are on the rise. This has become the most common type of phishing attack, as it is often difficult for individuals to differentiate between real nonprofits and phony sites.
Attempts to prey on people's altruism are causing real
damage. One key example is the phishing email reported by
The Sydney Morning Herald, in which hackers disguised as CDC
volunteers requested bitcoin donations.
In the wake of such attacks, the World Health Organization
(WHO) has released a notice regarding phishing and other
online scams:
- WHO never asks for your username or password to access disease and safety related information.
- It never mails attachments you did not ask for.
- It never asks you to visit a link outside of who.int.
- It never charges money to apply for a job, register for a conference, or reserve a hotel.
- It never conducts lotteries or offers prizes, grants, certificates, or funding through email.
What Is Phishing?
Phishing attacks are the foundation of the majority of
advanced and potent malware attacks. Though the follow-up
attacks form the important part of any cyberattack, their
ability to damage a system depends on the success of the
initial phishing scam. Every day Google blocks more than 100
million phishing emails (related to coronavirus and other
topics) as hackers try to steal money and personal
information.
How Is Phishing Typically Done?
- Whaling: Whaling is the next step up from spear phishing, targeting senior executives and other high-profile employees in an organization, such as managers and above.
- Spear phishing: Personalized phishing attempts crafted for a specific person or organization are called spear phishing. Unlike regular phishing, threat actors generally conduct reconnaissance, gathering information about their victim in order to look less suspicious and increase their probability of success.
- Clone phishing: Clone phishing is a type of phishing attack that relies on extensive reconnaissance into previously delivered emails or attachments; the phishing email is then built from them. Once leaked, the email or documents are used to create an identical, cloned email. The attachment or link from the original email is replaced with a malicious URL or malware, and the message is sent from an email address resembling the original domain, so it appears to be a resend of the original or a follow-up.
- Link manipulation: As mentioned above, using technical deception to make a link appear to belong to a legitimate organization is defined as link manipulation. Misspelled URLs and misleading subdomains are the most common ways to work malicious websites into a phishing email. Another common trick is to make the displayed text of a link look legitimate using HTML, i.e., the visible link shows the trusted website's name while the underlying address points somewhere else.
- Filter evasion: Phishing emails must evade the mail filters that would otherwise mark them as spam. Common evasion methods include clone phishing and the use of images instead of text, which makes detection harder for anti-phishing filters that commonly rely on a repository of words classified as phishing or spam.
- Website forgery: As the name suggests, website forgery occurs when scammers create fake websites that look exactly like the original, sometimes using JavaScript to alter the address bar of the malicious website so that it shows the original's address. Sometimes existing flaws in a trusted website's own scripts are used against it by attackers to hijack the page. These attacks are also known as cross-site scripting; they prompt the user to sign in at the legitimate web page, where everything from the web address to the security certificate appears correct, but in reality the page has malicious code embedded in it, making it very difficult to identify without professional knowledge.
- Covert redirect: Covert redirect is a more sophisticated phishing method that makes use of a legitimate website but eventually redirects the user to a malicious one. Sometimes malicious browser extensions are used to redirect users to phishing websites covertly.
- Social engineering: Social engineering uses social pretexts to prompt a person to click on malicious links or attachments. For example, COVID-19 has aroused many people's interest in reading news and updates related to healthcare, and in response many threat actors have developed fake news, blogs, health updates, or maps to lure people into clicking those links.
- Voice phishing: Not all phishing attacks require a fake website or email. Calls or messages that claim to be from a bank or another legitimate organization and prompt users to reveal their account numbers, PIN, password, etc., are termed vishing or voice phishing.
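As an added example (not code from the original post or from OhPhish), the following Python script turns the link-manipulation bullet above and the WHO notice ("never a link outside of who.int") into a check a defender can run over an HTML email: it collects the anchors, flags any link whose visible text names a different host than the real href, and flags any destination outside an assumed allow-list of trusted domains. The sample email, the allow-list (who.int, cdc.gov) and the .test hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list; WHO's notice says its links stay under who.int.
TRUSTED_DOMAINS = {"who.int", "cdc.gov"}
# Constructed sample: a genuine WHO link, a subdomain trick, a lookalike, a stranger.
SAMPLE_EMAIL = """<a href="https://www.who.int/emergencies">www.who.int/emergencies</a>
<a href="http://who.int.example-phish.test/login">www.who.int/login</a>
<a href="http://wh0.int.test/">Click here for your funding</a>
<a href="http://secure-login.test">Secure login</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercase hostname of a URL, or of bare text like 'www.who.int/x'."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None

def is_trusted(host):
    """A trusted domain or a real subdomain of one; 'who.int.example-phish.test' fails."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def suspicious_links(html):
    """Return (href, reason) for each link a reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # Visible text that itself looks like a URL must name the same host.
        shown = host_of(text) if "." in text and " " not in text else None
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif target and not is_trusted(target):
            findings.append((href, f"{target} is outside the trusted domains"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` leaves the genuine www.who.int link alone and reports the other three, the first of them because its visible text and its real destination disagree.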
How to Mitigate Phishing Attacks with Security Awareness?
For a non-technical person, phishing prevention improves
with the anti-phishing education and awareness provided by
reputable organizations such as OhPhish, which provides
education and training for an organization's employees
against phishing attacks. Understanding phishing only in
theory is not sufficient: even if a person knows phishing is
done via malicious or spam emails, they cannot necessarily
tell a benign email from a malicious one. Practical
experience of phishing attacks and of how to handle them is
therefore very helpful. OhPhish solutions provide virtual
phishing simulations by sending employees phishing emails,
monitoring how they respond, and then delivering education
and mitigation guidance tailored to each employee's results.
As the user herself or himself is the first line of defense
against any cyberattack, the know-how to handle phishing
attacks is highly important. Anti-phishing education can not
only teach the employees of an organization how to recognize
and handle phishing emails, but also offer the advice and
training of security experts along the way. Training for IT
staff on the different modes of phishing can cover:
- Precautions to follow for remote workers on cloud and VPN access.
- Compilation of security policies and guidelines that help in educating workers on phishing.
- Educating IT security professionals on handling and mitigating phishing attacks.
- Training for security responsibilities in the event of phishing attacks.
- Training assistance through a demo simulation of real-time phishing attacks.
How to Avoid Phishing Attacks with Cybersecurity Awareness
Training?
- Do not open any suspicious emails that you have not subscribed to.
- Check the domain name at the end of the sender's email address.
- Always use the customer care numbers from official websites only.
- Do not visit any website whose address does not begin with https://.
- Regularly scan your email and PC with antivirus or anti-phishing tools.
- Reconfirm all money related emails or calls with the appropriate authorities, such as banks or government helpdesks.
FAQs