Hackers are exploiting the COVID-19 outbreak to lure their prey. Besides hand hygiene, we now need greater cybervigilance.

Taking advantage of people who are hungry for constant COVID-19 news, opinions and chatter, hackers and scammers have the following tricks to ensnare their prey:

  1. Leveraging the fear of COVID-19 to create viral SMSes and social media “public service announcements (PSAs)” that contain links to malicious websites, spoofed webpages or fake call centers.
  2. Creating malicious Word, PDF, docx and related types of documents purportedly containing information about any aspect of the outbreak.
  3. Sending out emails or spam purportedly from the US Centers for Disease Control and Prevention or any country’s local health agency, to phish for user IDs and passwords.
  4. Creating spoof charity websites to solicit donations for fighting the outbreak.
  5. Stealing people’s social media accounts and then contacting the victims’ friends for “urgent help”, or using other ploys to steal information.
  6. Hosting purportedly useful websites that show the latest map of COVID-19 incidents and other useful statistics, but that actually hide credential-stealing and payment card skimming spyware.
  7. Crafting affiliate marketing campaigns to sell personal protection products sourced from China for mere cents but repackaged to sell at exorbitant prices.
  8. Any combination of the above, worked into fake news articles or social media posts to attract prey.

By now, most people already know to wash their hands frequently, to avoid touching their face and to observe social hygiene practices when or before they experience symptoms. In cyberspace, hygiene has to be observed, too.

  • To quench the insatiable thirst for up-to-the-minute news, anecdotes, TikTok videos, outbreak statistics and so on, stick to the official websites of your country’s healthcare authorities.
  • Practice extreme caution when receiving mobile chat app messages containing clickable links. The safest rule-of-thumb is to never click any link regardless. If any link is worth clicking on, then it will have already been made available via safe, established official websites.
  • Know that, no matter how important the COVID-19 information being offered to you is, there can never be any reason for you to enter any log-in ID and password or any personal details that can be used to steal your digital identity.
  • By default, any website that manages to lead you to a third-party sign-on service for convenience is likely to be a hacksploit.
  • Fake news and other PSA messages usually contain clickable links and exhort recipients to send them to all their contacts. Legitimate messages invite recipients to authenticate the information by visiting a website, and they supply its name (and not its URL).
  • Know that even seemingly legitimate-looking URLs can be fake, since a URL with a missing letter, an extra symbol or some character from a strange alphabet can pass for the official website’s URL. This still comes back to the rule of never activating any URL link in any email or message.
  • When in doubt, pull out of the situation by exiting the app and terminating it using the phone/computer task switcher. Check the matter with knowledgeable friends, or google the email/SMS/PSA text to see if others have already reported the scam online.
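
The lookalike-URL point above (a missing letter, an extra symbol, a strange alphabet) can be turned into a check that a mail or chat gateway runs on links before they reach users. This is an added example, not part of the original article; the allowlist entry `health-ministry.example` and the sample URLs are constructed placeholders, to be replaced with your own health authority’s hostnames.

```python
from urllib.parse import urlsplit

# Assumption: placeholder allowlist; replace with your health authority's real hostnames.
OFFICIAL_HOSTS = {"health-ministry.example"}

def edit_distance(a, b):
    """Levenshtein distance: fewest single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url, official=OFFICIAL_HOSTS):
    """Return (verdict, reason); verdict is 'official', 'suspicious' or 'unlisted'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    except ValueError:
        return ("suspicious", "URL does not parse")
    if not host:
        return ("suspicious", "no hostname in URL")
    labels = host.split(".")
    # Compare only the rightmost labels, so subdomains cannot hide a lookalike.
    tails = {o: ".".join(labels[-(o.count(".") + 1):]) for o in official}
    if any(tail == o for o, tail in tails.items()):
        return ("official", "allowlisted host or one of its subdomains")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return ("suspicious", "non-ASCII or punycode hostname")
    if any(o in parts.netloc.lower() for o in official):
        return ("suspicious", "official name embedded in a different host")
    if any(edit_distance(tail, o) == 1 for o, tail in tails.items()):
        return ("suspicious", "one character away from an official name")
    return ("unlisted", "not on the allowlist; reach the site by name instead")

if __name__ == "__main__":
    # Constructed sample links, one per trick named in the bullet above.
    for url in (
        "https://www.health-ministry.example/covid",        # genuine
        "https://helth-ministry.example/map",               # missing letter
        "https://health--ministry.example/map",             # extra symbol
        "https://h\u0435alth-ministry.example/map",         # Cyrillic 'е' (U+0435)
        "https://health-ministry.example@login.test/",      # name in userinfo
        "https://health-ministry.example.covid-map.test/",  # name as subdomain
    ):
        print(classify_url(url), url)
```

Short official names sit one character away from many unrelated legitimate hosts, so the edit-distance verdict is a triage signal for review rather than proof of fraud.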

For more tips: ‘Lure and decoy’ cyber-threats exploit COVID-19