Coronavirus online scams: How to protect your data and device

Last week, several homebound people received an attractive e-mail offer: free Netflix subscription for the entire lockdown period. All they had to do was click and fill the attached ‘survey’ and forward it to 10 Whatsapp users. Those who took up the offer are probably ruing it. It was a scam: a phishing e-mail capable of stealing their personal information.

In tandem with the worldwide chaos caused by Covid-19, the virus is now wreaking havoc in the virtual world too, with scamsters using it as a bait for cyber crimes. E-mails— purportedly from renowned health organisations like the WHO, UN and ICMR (Indian Council of Medical Research), or even from corporates—along with websites, messages and apps are being used to steal crucial information.

This is done with lures of various offers of discounts and freebies on products, or listing of safety measures against the virus, and updated information on Covid-19. Mails are also being used to sell fake medical products like masks, vaccines and Covid-19 testing kits, or push work-from home job offers. Meanwhile, the social media scamsters are attracting users to fundraising initiatives for victims of Covid-19 or are inviting investments in companies that are helping fight the virus.

For theft of information, the modus operandi is simple. “Either a malware is dropped on to the device via links and attachments in the mails or ransomware is circulated as part of a mobile app,” says Himanshu Dubey, Director, Quick Heal Security Labs.

The malware can access your mail or banking login and passwords and credit card-related information. It can even track your typing strokes and access crucial data. When the computer or mobile device becomes infected by malware, users can lose confidential information or money since malware gives attackers access to both.

Since most people are working from home and using more time on mobile phones, the incidence of such scams is rising because many of these devices are unprotected. Says Lux Rao, Director, Solutions & Consulting, NTT India: “Remote working is becoming a challenge for security teams as it tends to increase the size of attack surface. This is because of all the networks and computer systems that can be exploited via social engineering to carry out phishing scams, install malware or ransomware using click bait and malicious links.”

What’s essentially spawning these scams is the fear, curiosity and resulting rise in online search about Covid-19. “While over 16,000 new Coronavirus-related domains have been registered since the beginning of January, the number is growing rapidly, with more than 6,000 new domains registered last week, an 85% rise from the previous week,” says Venugopal N, Director, Security Engineering, Check Point Software Technologies.

Of these domains, 0.8% or 93 websites were found to be malicious, while another 19% or more than 2,200 websites, were found to be suspicious. “Domains related to Coronavirus are 50% more likely to be malicious,” he adds.

How to identify fake e-mails
Here are the telltale signs of fraud mails that can introduce malware in your system.

• Phishing e-mail is likely to be from a recognised global or national health care body like WHO, ICMR or a similar UN or government body.
• It could also be from the Human Resources Department of your own company or workplace.
• It may have a similar domain name, identical format and company logo.
• It will contain an attachment or a link, asking you to click on these.
• It could purport to have medical information, warning or precautions, with the wording conveying urgency to open or click.
• It could offer Covid-19 test kits, masks, medicines and safety gear for sale and attractive prices.
• It could have the latest research data and fi gures on Covid-19, and authentic medical information.

How to protect yourseslf
The lockdown situation has added a new complexity because if you have been scammed, filing a complaint and expecting prompt cyberpolice action may not be possible. So, the best way to avoid these scams is to be extra careful.

Do not open any unsolicited e-mails and click only on those that are from known and trusted sources. It’s critical that you don’t click on any links and attachments with mails. Also check all mails for authentic URLs, domain names and spelling errors. If you need any information, go to the offi cial websites of organisations. “Enforcing strong passwords, turning on personal firewalls, spotting unusual computer activities, and avoiding clicking on unsolicited e-mails can help form the first line of defence” says Rao.

In case of financial transactions, you should cross-verify with the recipient before making the payment.

Be especially careful about the apps that you download and install because they can carry ransomware. “Many apps pretend to have critical information on Coronavirus, be it safety measures or the way it works. The moment you open the app, it will lock your phone and will ask you to pay to unlock it,” says Dubey of Quick Heal.

“While working from home, make sure you have a secure VPN connection to the corporate network, and restrict the access rights of people connected to it,” advises the spokesperson for Kaspersky. While downloading files, ensure that you choose only trusted and legitimate file extensions. The file should have an .avi, .mkv or mp4 extension. Do not download the file if it is an .exe. You should also have multifactor authentication and encryption. It’s also important to segregate your personal and work-related data.

Besides, all devices, including your mobile phones, desktops and laptops should be protected with an antivirus security software. Get the latest version of operating systems and upgraded security patches. Get a comprehensive antivirus suite so that it can protect your device from threats via e-mail, Internet and apps, and allows you safe financial transactions, especially when you are going to rely on home delivery.

Organisations can also implement a variety of measures to protect their data and devices such as creating remote working policies, increasing monitoring and audit.