It’s important to understand that criminals are engineering their approaches to play on fears and get people to give up sensitive information or, increasingly, get access to their devices, which contain the same sensitive information.
In these uncertain times, one thing we can be certain of is getting an email, a text message or perhaps a phone call which entices us in with just the mention of the words Coronavirus or COVID-19. On 16 February, the World Health Organisation (WHO) warned about fraudulent emails that were circulating purporting to be from them and closer to home many medical professionals have received fraudulent emails claiming to be from the NHS. These messages claimed to have information on the spread of the Coronavirus, offers of support and assistance, links to a cure and details of an important health survey.
These are just two examples of what is circulating. Criminals always tend to use the name of large ‘trusted’ organisations and it’s not surprising to see the likes of Amazon, Google, Apple, BT, TalkTalk, HMRC, NHS and WHO commonly used to add a false layer of legitimacy to the various communications.
The ultimate goal of these communications are the same, the criminals want to ‘phish’ information from the victim. This could be simple details such as a name, address, telephone number, or more elaborate details such as banks account details, card numbers, PINs, emails addresses and passwords. There are also more complex methods using attachments on emails to install malicious software onto the victims’ device.
Just consider for second how much information a criminal could glean on each of us from a look through our emails. Here they will likely be able to see who we bank with, who our utility providers are, names of family members and their contact details, who we have booked holidays with, where we shop, what social media we use and much more. Imagine the scenario. The phone rings, it’s your Bank and due to the Coronavirus your money needs to be moved to another account to keep it safe. They know your name, your address, your contact info and that you recently made a purchase on an online retailer so you will assume that it is indeed your bank.
This kind of scenario is without doubt a scam and has been seen for many years, but the current fear around the Coronavirus is helping the criminals gather much more information and ultimately commit more crimes against us.
To protect yourself and remain safe from these types of scams keep a few things in mind:
- Consider the source of an e-mail, text message or phone call before you engage – does the email address look genuine, are links going to ‘secure’ website and if there is an attachment, is it expected? Unexpected emails that contain attachments such as zip files or macro enabled Word or Excel files can often contain malware.
- In an email, consider the content – is it addressed you by first name, or just ‘Dear customer’, ‘Dear user’, ‘Dear (insert email address here)’. Who is it from, not just the name that is displayed, but also the e-mail address behind it? An example being ‘firstname.lastname@example.org’ could be a criminal trying to cover their tracks, as the genuine email address would look more like email@example.com.
- Don’t share personal or sensitive information – even if the caller claims to be from an organisation whom you recognise. Just because they may know a little about you does not mean they are who they say they are. Legitimate organisations will never ask you for PINs, passwords or codes which might have been received by text message or to provide codes to approve payments (or refunds).
- Hang up – call back the organisation they claim to be from to verify the caller is genuine. It is a good idea do this from another line if you can or call someone you know before making the call to ensure the criminal is not still on the line.
- Don’t be rushed – criminals will be keen to keep you engaged on the phone and their instructions. They will want you to act straight away and may threaten you with a fine, the loss of all your funds or arrest if you don’t comply – these are all things that only a criminal would do.
- Don’t provide remote access to your devices – criminals are increasingly using legitimate applications such as TeamViewer, QuickSupport and AnyDesk to gain access to their victims devices. They cannot do this without the victim giving them access – often by divulging a code that these applications provide. If you are contacted by an organisation and asked to download any kind of ‘remote support’ application, you should exercise extreme caution and consider if this caller could be a criminal.
NIFHA and Danske Bank are both member of the Scamwise NI Partnership which provides regular updates on the latest scams and guidance on how to protect yourself from them. Follow Scamwise NI on Facebook or on the NI Direct website.