Times of anxiety, uncertainty, and fear can become fertile ground for cybercriminals. As news of the spread of the new coronavirus and the resulting disease COVID-19 inundates the internet and the airwaves, cybercriminals are taking note and leveraging the outbreak as a new opportunity to launch phishing attacks against individuals and organizations. For example, HealthcareITNews reported extensively on a series of coronavirus based phishing attacks using the topic of “unreleased cures” to deliver keylogger malware to victim’s computers.
Phishing attacks often mimic the names of known companies, organizations, and people to make a message appear legitimate. Emails about the new coronavirus that appear to come from legitimate sources—including the World Health Organization (WHO), Centers for Disease Control (CDC), state health authorities, or county health authorities—may be phishing attacks designed to exploit concerns about the virus to steal user credentials and personal information, install malware, and leverage stolen data to steal money.
In the education realm, a clever attacker would likely pretend to be a district superintendent, school board, or other known official and send a message about coronavirus to convince educators, administrators, students, and parents to act on the message. Because these attacks can be specifically targeted, educators must monitor and critically analyze incoming emails for phishing attacks.
How can educators spot and handle a phishing attack?
- Read the email carefully, and think before you click. Phishing attacks leverage fear and anxiety by creating a sense of immediacy and a call to action. Look for phrases designed to make you act immediately and/or to cause fear. Also look for spelling and grammar errors, statements that don’t make sense, and other hints that the sender did not generate the email.
- Check the email address and hover over all links, but do not click them. Phishing attacks will often use email addresses or URLs that are like but not the same as the original. For example, the email may be @cdc.gov.net instead of the official @cdc.gov. Additionally, the email or website address may appear correct, but when you hover over them, a different address is revealed.
- Avoid downloading attachments that purport to be educational materials about the coronavirus. Multiple antivirus and malware-prevention companies are reporting coronavirus-themed phishing attacks with infected .pdf, .mp4, and .docx files designed to install malware, including the Emotet trojan software, which can be challenging to detect and remove.
- Go to the organization’s official website by looking it up online, not by clicking on a link in the email. See whether the same message is on that organization’s website.
- Contact the sender to confirm the message is accurate before taking any action. For example, if an email appears to be from the district superintendent but contains numerous spelling and grammar errors uncharacteristic of that person, confirm with the superintendent’s office that the email is legitimate, before taking any action.
- Report the phishing attack to the information technology department and/or to the Federal Trade Commission’s Anti-Phishing Working Group at [email protected]
How can educators protect equipment and data against phishing attacks?
- Make sure that computers have antivirus/antimalware software installed and that it is set to update regularly. If an educational organization (school, district, etc.) owns and manages the devices, ask the information technology staff to confirm that systems have been equipped with security software.
- Double-check devices (computers, tablets, and smartphones) to make sure systems and applications are automatically receiving operating system and software updates. This will help keep your devices up to date with current patches.
- Follow the information technology department’s guidance on how to back up critical electronic files and documents. These files are at substantial risk of being destroyed by malware if a device becomes infected. Backups provide the ability to recover and restore lost or damaged data if an attack is successful.
The new coronavirus is a serious concern in terms of both public health and digital consequences and should not be taken lightly. Unfortunately, cybercriminals are eager to prey on people’s concerns about a biological virus affecting thousands of people worldwide, so they can spread computer viruses to damage, destroy, or steal personal data. While there is no vaccination for phishing attacks that spread malware, using the guidelines above to practice good digital hygiene can significantly reduce the risk of catching and spreading digital viruses and malware.
An experienced information technology and information security professional, Amy McLaughlin has over twenty years’ experience building, implementing, and securing information systems, including 10 years experience in K-12 and higher education. As a Certified Information Security Manager (CISM) she has been responsible for protecting data covered by a broad range of federal and state regulations including HIPAA, FERPA, and IRS 1075. She holds a Master of Science in Information Technology Management and a Master of Arts in Marriage and Family Therapy. Amy currently serves as the Director of Information Services Student Health Services at Oregon State University and the Project Lead for the CoSN Cybersecurity initiative.