The pandemic has been a boon for cybercriminals. Hackers, scammers, and spammers seem to be thriving as the rest of society practices social distancing, and businesses adapt to working from home. Agencies across the globe are reporting unprecedented rises in cyber scams of all kinds, particularly those exploiting our increased interest in COVID-19 related news, programs, and services.
According to Mental Health Research Canada, Canadians are feeling unprecedented levels of anxiety. After months of juggling working from home, childcare, teaching, and for many, elder care as well, mentally and emotionally fatigued Canadians are now reporting high levels of nervousness about returning to work and school. The uncertainty, exhaustion and overwhelm has Canadians more psychologically distressed and susceptible to cyberthreats than ever. Throw in working from the kitchen table, a lot more time on devices, and home networks with few security defenses and you have a perfect storm of vulnerabilities.
The good news is that heightened awareness, a basic understanding of common cyber attack-techniques, and staying up-to-date on the threats-du-jour can go a long way in protecting individuals, workers, and businesses from fraudsters. That said, cybercriminals are exceptionally adaptive and quick to respond to whatever is dominating the news cycle or public consciousness, so new cyber scams are emerging all the time. Given the current focus on re-opening the economy and apprehension around returning to the workplace, it’s prudent to anticipate new rounds of threats leveraging these themes, as well as whatever comes next.
Here’s a brief guide of known COVID-19 scams to lookout for, as well as some simple precautions you can take to protect yourself.
Known COVID-19 Cyber Scams and Threats
- Fake online stores, digital ads and phishing emails selling things hand sanitizer, face masks or other PPE, cleaning supplies, household decontamination services, priority testing or vaccinations
- Phishing emails or text messages that impersonate federal, provincial or municipal government departments with clickable links or malicious attachments, particularly anything related to benefits distribution or stimulus payments
- Phishing emails or text messages purporting to have information or special services relating to the virus such as lists of who’s affected in your area, COVID-19 preventatives or cures, investment opportunities, even tech support scams
- Phishing emails or text messages threatening to cut of services like hydro or power for non-payment
- Spoofed charity or non-profit websites offering free supplies like masks in exchange for a donation
- Spoofed government websites (e.g. CRA) attempting to collect personal or financial information, particularly relating to benefits distribution or stimulus payments
- Spoofed healthcare websites (Public Health Agency of Canada, CDC, WHO) spreading false, misleading, or dangerous information about COVID-19, or seeking to collect health numbers
- Robocalls, as well as unsolicited phone calls by live agents, from your bank, government agencies or financial advisors asking for personal or financial information, as well as businesses seeking to sell you products or services related to the virus
Recognizing the Signs of Possible Cyber Breach at Home
With an uptick in everything from spam emails to robocalls hitting remote workers, some of us will make mistakes – after all, we’re only human.
Whether that takes the form of distractedly clicking a bad link or opening an email attachment, recognizing the signs of a cyber breach early can help with mitigation. If you notice any of these things, contact your IT administrator ASAP.
- New programs that you don’t remember installing
- Increase in the frequency of pop-up ads
- Changes to your browser or homepage look
- Slower computer processing
- Loss of keyboard or mouse control
- Locked out of online accounts / passwords no longer working
- Fake emails sent from your account
- Tech support scams – there have been reports of bad actors posing as external tech support consultants and requesting remote access control of computers to provide technical support services
Ways to Protect Yourself
Being threat-aware, as well as taking some simple, proactive IT measures, are your best defense against cyber threats and scams, coronavirus related, or otherwise. Here are some precautions for staying safe online and thwarting threats.
Spotting Malicious Emails
- Make sure that the sender’s email address has a valid sender name and domain name (e.g., does the domain name match the brand/company; does it use an unfamiliar TLD or ccTLD extension; does it contain a misspelling, lots of “dots,” jibberish text, or omit certain parts)
- Check any hyperlinks by hovering over them (not clicking!) to see a preview of the URL it will open and assess its legitimacy
- Take note of grammatical errors, typos, and oddly worded sentences – these are often a sign of fraud
- Does the email use fear, urgency or threats? Does it contain offers or deals that seem too good to be true?
- Also be cautious of emails from unknown senders or familiar people who do not usually communicate directly with you (e.g., your CEO, doctor, or a political representative)
Recognizing Fraudulent Websites
- Assess the domain name/URL – once again, is it spelled correctly, does it look as expected, etc. (see tips listed above)
- Does the information on a WHOIS lookup of the domain align with the information used for the legitimate international website of the brand? How many years has the domain name been registered for?
- Does the website use HTTPS or an SSL certificate? (This is not foolproof, some professional scammers use SSL certificates to appear legitimate, but it can help weed out a lot of fakes)
- Does it contain poor grammar and spelling?
- Does it contain low-resolution graphics and images?
- Do the offers, deals, or claims seem too good to be true?
- Type or copy-and-paste the domain name into Google to see what type of search results it returns. Are there other legitimate websites linking to it? If not, that’s yet another red flag!
Strengthening Your Data Security and Home Network
Practice safe digital hygiene:
- Use long, complex and unique passwords (think 15+ characters including letters, numbers, and symbols)
- Make your life easier by using a password manager
- Turn on two-factor or multi-factor authentication wherever you can, including your email and accounts with service providers
- Review your privacy and security settings on active social media accounts, and wherever possible, delete old and unused accounts
- Store your data securely and make sure you are running regular backups (and don’t forget to test your backups on occasion to make sure they are working properly)
- Also, remember that no government agency or bank will ever call to ask you to verify or provide personal information
Protect personal devices and home wifi:
- Regularly update your mobile devices, computers, wifi routers and software applications like anti-virus and anti-malware
- Whenever possible, use separate devices for work and personal use
- Don’t share your work devices with others in your household
- Regularly power down work computers when they are not in use so that they are less susceptible to intrusions or attacks
- Use a VPN to securely connect to work applications when working remotely and accessing important systems
- Change the default passwords on your wifi router
- Take advantage of reputable free tools like CIRA’s Canadian Shield Cyberthreat Blocker, D-Zone DNS Firewall, and free cybersecurity training for remote workers
If you made it this far, your cyber threat spidey senses are already probably sharper than when you started. And if some of the tips and precautions presented here feel beyond your grasp, trust your gut reaction and common sense. If you’re being asked for personal information of any kind, or something about an email or application feels suspicious, remember the following: don’t click, delete, and report it.