Matt Eustace, Head of Content and Data Protection Officer, gives his advice on how to keep yourself and your personal information safe at a time when online scams are, sadly, on the rise.

The best and worst of people surface in situations like the COVID-19 pandemic. On the one hand, we have the NHS having to shut down applications for volunteers because over 750,000 people registered to help as NHS Volunteer Responders in just a couple of weeks. On the other, we’ve seen an explosion of scams targeting those who are most vulnerable at this time, whether because these individuals are isolated from the support of family or friends that they would normally have, or because they are worried about the situation and more likely to grab an apparent lifeline.

I’m writing this to – hopefully – provide some information to help people spot a scam and avoid it. Please feel free to share this post on your own social media or take any of the advice you see here and share it with those you think might benefit. Those who may benefit the most from this advice are perhaps the least likely to be here reading this!

The first thing to say is that all the usual warnings and principles about scams apply – there’s nothing new here just because we’re experiencing a pandemic.

  • Scammers usually target people with an irresistible offer, either something that sounds like it will benefit you, or a threat that, if you don’t do something, things will go badly for you.
  • If someone approaches you and you don’t know who they are, how they got your details or why they would single you out, be very suspicious.
  • If the contact is a threat of some kind, either by phone or email, or even in person, don’t respond directly. Find the contact details for the company or organisation involved from the web and get hold of them that way. Find out if the company has genuinely contacted you and verify that they hold the right details about you.
  • Generally, you shouldn’t reply to unsolicited emails or texts unless you have very good reason to expect the company or individual to be contacting you.
  • If the contact is positive and promises a reward, such as money or a gift, make sure you are reasonably expecting it. If it sounds too good to be true, it probably is.

However, the Coronavirus pandemic has led to an increase in very specific targeted scams. Our security advisers at KnowBe4 have advised us to be mindful of the following targeted scams during this time:

Malicious websites

The purpose of this scam is to infect your device with malware. To clarify, malware is any kind of software which is designed to cause damage to your computer or its associated network. Watch out for sites such as “coronavirus.com” or “corona-virus-map.com”. Since January, there have been thousands of websites registered containing the word ‘corona’ and many of those are suspicious. Some of these websites distribute malware. When you’re researching Coronavirus online, avoid visiting sites like these if you are unsure whether you can trust them. Instead, use trusted sites such as the BBC or the World Health Organisation when looking for the latest news and updates on the virus.

Spam emails

These unsolicited emails from unknown contacts attempt to pique your curiosity by using conspiracy-themed words and phrases, such as “censored”, to try and sell you information (such as paid-for videos) or goods that are now in high demand. This might include masks, hand sanitisers or vitamins, for example.

Phishing scams

A phishing scam is usually an unsolicited email that attempts to get you to provide information about yourself, such as a username or password for an online account, or even your bank account details. These scams appear to be from organisations such as the CDC (Centers for Disease Control) or the WHO (World Health Organisation); they are not genuine communications from these organisations. Scammers are skilled at crafting emails that appear to come from these reputable sources, but which contain malicious phishing links or dangerous file attachments. There are also emails being sent out now which claim to have a “new” or “updated” list of cases of Coronavirus in your area. These emails contain dangerous links which you should not click on, as they may infect your device with malware or prompt you to enter personal details as part of a scam.

Fake charities

There are numerous examples of scam emails and websites asking for charitable donations to assist with research studies, funding for doctors, or support for victims that have been affected by the COVID-19 pandemic. Scammers often create fake charity emails like this after global disasters or pandemics, taking advantage of people’s genuine desire to do good and help others. There are plenty of genuine appeals for help and monetary donations which you can find online by visiting well-known charity and news websites.

Fake internal HR or IT communications

For those of us with work email accounts, another major scam involves scammers impersonating your organisation’s HR or IT department by email. The objective here is to steal your username and password. This is often done by asking the recipient to complete an important Coronavirus ‘survey’. When the individual attempts to access the ‘document’ or ‘survey’, they are asked to provide their username and password on a fake site. This compromises their account.

This particular scam can be avoided by agreeing in your company that updates only come from a single trusted source, such as the company CEO, and are always sent at the same time each week. This way, you will know to suspect a scam email when it comes at a different time or from a different source.

What can I do to protect myself?

Remain cautious! Here are some easy tips to help you protect yourself from scams like this:

  • Never click on links or open attachments from an email that you weren’t expecting.
  • If you receive a suspicious email that appears to come from an official organisation (such as the WHO or the South African Department of Health) to your work or company account, report the email to your security team so that they can double-check it. If you’re an individual or using a personal account, simply delete any unsolicited emails from sources that you don’t already know and trust.
  • If you want to make a charitable donation, go to the charity website of your choice to submit your payment. Type the charity’s web address in your browser instead of clicking on any links in emails or other messages.
  • Don’t trust anyone knocking on your door, dressed up as a health official wanting to perform COVID-19 tests – they are likely out to scam you!

If you think that your personal financial information has been compromised by a scammer, you should always report this to the police. You should also consider registering yourself with CIFAS, an organisation that informs all banks and financial services companies that are part of its scheme that your personal information may have been compromised. If any of these organisations receives an application for credit in your name, they will contact you to make sure it’s really you. Registration lasts for two years and costs £25. In the interests of sharing useful information, CIFAS also has its own recommendations for avoiding falling victim to fraud during the COVID-19 pandemic.

If you think that your username or password for a site has been compromised, change your password as soon as possible. You can also enter your phone number for extra security on your account. If there is a way to do this on the site concerned, they will prompt you.

Finally, given the popularity of online video conferencing services like Zoom now that we are all confined to home, there are growing numbers of individuals targeting Zoom meetings maliciously. This ranges from just disrupting them, to using them to steal information from participants.

You can take a few simple steps to secure your Zoom meetings:

  • Use a new meeting ID for each meeting instead of your personal Zoom meeting ID. Do this simply by scheduling the meeting and choosing ‘Generate Automatically’ for the Meeting ID.
  • Change the settings to stop people joining your meeting before you do (disable ‘Allow join before host’).
  • If you are sending meeting invites outside your organisation, you can require a password for each meeting and give a different one for each meeting.
  • Once everyone you are expecting has joined, you can lock the meeting to prevent others joining.

I hope you found this information useful. Look out for your colleagues, family and loved ones during this time and, most importantly, stay safe.