As you know, the Coronavirus, or COVID-19, is circulating worldwide. The Information Security Office wants to make you aware that you need to be vigilant about scams, emails, and malware that take advantage of the fear around this illness. In addition to the scams listed here, you can find information about the latest scams on The Cybercrime Support Network.
- Phishing emails that impersonate Zoom or Webex are circulating. Be on the lookout for emails that prompt you to log in to your videoconferencing account; they may be trying to capture your user name and password. These emails may claim you missed a meeting, or they may ask you to activate your account. In addition, you may see emails that look as if they are coming from a colleague, state that they are ready for a video meeting, and include infected attachments. As always, do not click on links or open attachments if you were not expecting them.
- Scammers may be after your COVID-19 relief check! See the FTC's tips to protect yourself.
- Hackers are sending infected USB drives through the US mail in packages that sometimes contain teddy bears and gift cards. Always beware of an unfamiliar USB drive, and do NOT plug the drive in. It will download malware onto your computer.
- Have you heard of "Zoom bombing," in which malicious actors are taking over Zoom conferences? If you want to avoid having your Zoom conference hijacked, check out this warning from the FBI.
- COVID-19 scams are proliferating at an alarming rate. Keep your eyes out for apps that notify you as soon as someone is infected or tell you where to go to buy masks. These are just some examples of the latest hoaxes out there. The best advice is to steer clear of any app that claims to have information on the disease.
- In addition, thousands of COVID-19 sites are popping up. These sites try to trick you into downloading malware or giving up sensitive information, as discussed below. We are seeing this behavior reach its peak. Be vigilant, and ensure an app or site is safe before downloading or using it.
- The FBI has recently issued a warning about these scams, some of which target remote workers. They particularly warn people about a fake COVID-19 vaccine website that tries to steal your payment card data. Also be on the lookout for scams around the pending government payments related to COVID-19: these may specifically target the elderly.
False COVID-19 Global Map
There is a false map circulating that claims to be from Johns Hopkins University and to show the global cases for COVID-19. Information Security has made this map inaccessible from Longwood servers, but if you are using a home computer you can still access it. It would be easy to come across it in a search for global incidences of the illness. Visiting the website infects the user’s computer with an information-stealing program that can take a variety of sensitive data.
Here are a few tips to help you determine if a website is fake:
- Check connection security indicators. A website whose address begins with “https” is usually more secure, and therefore more trustworthy, than a site using the common “http” designation.
- View certificate details by checking the site’s security status in your browser’s address bar. For most browsers, a “safe” website will display a padlock icon to the left of the website’s URL.
- Pay close attention to the URL. Even if you’ve verified that the connection is secure, be on the lookout for red flags such as dashes and symbols in the name, or domain names that imitate business names.
- Watch out for invasive and aggressive advertising.
The Cybersecurity and Infrastructure Security Agency (CISA) warns that cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
Here are some tips to ensure that you don’t fall victim to an attack:
- Be suspicious of any phone call or message that:
  - Pretends to be an official or government organization urging you to take immediate action.
  - Communicates a tremendous sense of urgency. The bad guys are trying to rush you into making a mistake.
  - Promotes miracle cures, such as vaccines or medicine that will protect you. If it sounds too good to be true, it probably is.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
- Avoid clicking on links in unsolicited emails and be wary of email attachments. They may contain malware.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Emails with COVID-19 in the subject are asking users to provide login credentials to get COVID-19 updates and/or information.
- Some phishing campaigns are requesting donations to help find a cure, thus collecting a user's personal information, including credit card numbers.
For the latest updates visit the World Health Organization or the Center for Disease Control website. Please keep in mind these attacks can happen at work or at home, via email, text messaging or over the phone. Don’t fall victim to bad guys playing on your emotions. If you feel you have received an attack at work, simply delete it or email firstname.lastname@example.org if you have concerns.
As part of the move online after the COVID-19 outbreak, many more employees are now working from home. For guidance on how to protect both your personal information and the university's data while working remotely, see our Working Remotely page.