
Scamming by e-mail is a well-known technique, but it continues to wreak havoc, particularly during stressful periods such as the one we are experiencing at the moment. Since the start of the health crisis, hackers have displayed an unrivalled ingenuity in setting e-mail traps. No-one is spared, whether customers of a bank, employees of international organisations, hospitals or even an administration, as was the case in North Rhine-Westphalia. Hackers managed to rob this German federal state of between EUR 31.5 and 100 million earmarked as aid for citizens affected by the pandemic!
What can be done to avoid falling into a trap? Before answering this question, we must first distinguish between the three types of e-mail scam commonly used in crisis situations: phishing, spear phishing and scamming.
Phishing is when online fraudsters pass themselves off as a legitimate organisation by using its name or logo. This may be a humanitarian organisation or one you are familiar with, like your bank, your tax authority or your social security agency.
The messages sent may take various forms, but all play on fear and urgency in order to prompt people to act quickly and without thinking. Thus, in the US, cybercriminals sent messages that seemed to be from the Centers for Disease Control and Prevention (the main federal public health protection agency) and which purported to alert recipients to a list of coronavirus cases in their region. They were asked to open a page to view the cases and assess the safety risks. Other fraudulent e-mails offered medical advice, supposedly from experts located near Wuhan in China, on protecting oneself against the coronavirus. Of course, the tone of the message called for immediate action, with phrases such as “This small precaution (Ed: click on the link) may save your life”.
Spear phishing pursues the same goal as phishing, except that it targets a specific person or the employees of a specific company. Hackers gather information on the victim and send them such a well-tailored personal message that it can sometimes be difficult to distinguish it from an authentic e-mail. The typical example is the e-mail supposedly sent by the Human Resources department of a company to all its employees, asking them to read the infectious diseases management policy carefully (in this situation, the coronavirus). By clicking on the link, the employee downloads malicious software.
Scamming, sometimes known as Nigerian letter scams or 419 fraud (referring to the article of the Nigerian Criminal Code outlawing this type of fraud), is intended to exploit the recipient’s trust by pulling on their heart strings in order to extract money from them. This is the case, for example, with the false charity organisation that will ask you to help finance a fictitious vaccine against the coronavirus for children in China.
Adopt the right reflexes!
Whether it is phishing, spear phishing or scamming, the first rule to follow is to adopt the right reflexes.
Ignore communications that ask you for personal information. Your bank, your social security fund or public administrations will never ask you for this type of information by e-mail.
Don’t answer e-mails that ask for a quick response. Any message that plays on a sense of alarm and prompts you to take immediate action should get you thinking.
Check the sender’s address and the links contained in the message. Read the message carefully to detect false addresses, incorrectly spelt domains or false hyperlinks. Thus, the fake e-mails from the CDC seemed to come from a convincing domain name, cdc-gov.org, but the real CDC domain name is cdc.gov.
Avoid clicking on links or downloading attachments in unsolicited e-mails. If you receive messages claiming to be from sources from which you do not normally receive e-mails, there is something fishy going on.
Beware of fraudulent charity organisations or community funding campaigns. Only make donations to credible charitable organisations and to recognised funding campaign platforms.
Be prepared! Use a multi-layered security solution that automatically detects phishing websites and prevents you from accessing them.
If you have any doubts and think you have been the victim of an e-mail scam, contact your bank immediately. Your bank can still be contacted even during this period of confinement.
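The sender and link checks described above can be automated for a mailbox or a mail gateway. The following script is an added example, not code from the original article or from any organisation it mentions. It assumes a small allow-list of domains the recipient legitimately deals with (TRUSTED_DOMAINS, an assumption of this example) and runs over a constructed sample message modelled on the cdc-gov.org versus cdc.gov case: it flags a sender domain that visually imitates a trusted one, links whose visible text names one site while the href points to another, and links to domains that are not on the allow-list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing e-mail);
# only the cdc-gov.org / cdc.gov domain pair comes from the article.
SAMPLE_MAIL = """\
From: "CDC Alert" <alerts@cdc-gov.org>
To: employee@example.org
Subject: Coronavirus cases in your region
Content-Type: text/html; charset="utf-8"

<html><body>
<p>This small precaution may save your life:
<a href="http://cdc-gov.org/cases">https://www.cdc.gov/cases</a></p>
<p>Our official site: <a href="https://www.cdc.gov/">cdc.gov</a></p>
</body></html>
"""

# Domains the recipient legitimately expects mail and links from. Assumption
# of this example: in practice this would be an organisation-maintained list.
TRUSTED_DOMAINS = {"cdc.gov", "example.org"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def imitated_domain(host: str):
    """Return the trusted domain that host visually imitates, or None.

    Heuristic: drop every dot and hyphen and look for the trusted domain's
    letters inside the result, so 'cdc-gov.org' -> 'cdcgovorg' contains
    'cdc.gov' -> 'cdcgov'. Deliberately simple; not a full homograph detector.
    """
    if is_trusted(host):
        return None
    flat = re.sub(r"[.-]", "", host.lower())
    for d in TRUSTED_DOMAINS:
        if re.sub(r"[.-]", "", d) in flat:
            return d
    return None


def host_of(s: str):
    """Hostname of a URL, or of bare text that looks like a domain/URL."""
    s = s.strip()
    if "://" not in s:
        if not re.fullmatch(r"[\w.-]+\.[a-z]{2,}(?:/\S*)?", s, re.I):
            return None
        s = "http://" + s
    return urlparse(s).hostname


def analyse(raw: str) -> dict:
    """Check the sender domain and every HTML link of one raw message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    findings = []

    fake = imitated_domain(sender_host)
    if fake:
        findings.append(f"sender domain {sender_host} imitates {fake}")
    elif sender_host and not is_trusted(sender_host):
        findings.append(f"sender domain {sender_host} is not a known sender")

    # Collect the text bodies (walk() also yields the message itself when it
    # is not multipart), decoding any transfer encoding.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    links = []
    for href, text in HREF_RE.findall(body):
        href_host = host_of(href) or ""
        text_host = host_of(re.sub(r"<[^>]+>", "", text))
        verdict = "ok"
        fake = imitated_domain(href_host)
        if text_host and text_host != href_host and not (
            is_trusted(text_host) and is_trusted(href_host)
        ):
            verdict = f"link text shows {text_host} but points to {href_host}"
        elif fake:
            verdict = f"lookalike of {fake}"
        elif not is_trusted(href_host):
            verdict = "unknown domain"
        links.append({"href": href, "host": href_host, "verdict": verdict})
        if verdict != "ok":
            findings.append(f"link {href}: {verdict}")

    return {"sender_domain": sender_host, "links": links,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in analyse(SAMPLE_MAIL)["findings"]:
        print("WARNING:", line)
```

Run on the sample, the script reports the imitating sender domain and the first link, whose visible text names www.cdc.gov while the href leads to cdc-gov.org; the second link, a genuine cdc.gov address labelled as such, passes. The allow-list approach is intentionally conservative: anything outside it is reported as unknown rather than silently accepted, which matches the article's advice to treat mail from unexpected sources as suspect.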