Sadly, cyber crooks love a crisis, because it gives them a believable reason to contact you with a phishing scam.
Fortunately, at least for fluent speakers of English, the criminals have made numerous spelling and grammatical mistakes that act as warning signs that this is not what it seems.
The link you’re asked to click on is similarly, and fortunately, dubious.
Firstly, it seems to be a compromised music site with a weird name that doesn’t have any obvious connection to any well-known health organisation; secondly, it is an HTTP site, not an HTTPS site, which is sufficiently unusual these days to be suspicious in its own right.
Nevertheless, the scam page itself is incredibly simple – it can’t have taken the crooks more than a few minutes to put together – and visually effective.
The fake page consists of the official, current home page of the World Health Organisation (WHO), with an unassuming popup form on top of it.
What to do?
Never let yourself feel pressured into clicking a link in an email
Most importantly, don’t act on advice you didn’t ask for and weren’t expecting. If you are genuinely seeking advice about the coronavirus, do your own research and make your own choice about where to look.
Don’t be taken in by the sender’s name
This scam says it’s from “World Health Organization”, but the sender can put any name they like in the From field.
Look out for spelling and grammatical errors
Not all crooks make mistakes, but many do. Take the extra time to review messages for telltale signs that they’re fraudulent – it’s bad enough to get scammed at all without realizing afterwards that you could have spotted the fraud up front.
Check the URL before you type it in or click a link
If the website you’re being sent to doesn’t look right, stay clear. Do your own research and make your own choice about where to look.
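The two checks above (the sender's name and the link), as an added example that is not part of the original article: a short Python script compares the name a message claims with the domain it was really sent from, and flags links that are not HTTPS or that point somewhere other than the claimed organisation. The `TRUSTED` map, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: defender-maintained map of claimed sender names to real domains.
TRUSTED = {"world health organization": {"who.int"}}

# Constructed sample message; the address and link are made up.
SAMPLE = """\
From: "World Health Organization" <alerts@music-example.test>
Content-Type: text/html

<a href="http://music-example.test/safety.html">Safety measures</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def review(raw):
    """Return findings for a message whose display name claims a known sender."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    allowed = TRUSTED.get(name.strip().lower())
    if allowed is None:  # display name is not one we track; nothing to compare
        return []
    findings = []
    if not under(addr.rpartition("@")[2], allowed):
        findings.append("sender-domain-mismatch")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        url = urlsplit(href)
        if url.scheme != "https":
            findings.append("link-not-https")
        if not under(url.hostname, allowed):
            findings.append("link-off-domain")
    return findings
```

Matching on whole domain labels matters here: a host such as `who.int.music-example.test` contains the trusted name but is not under it, and `under()` rejects it.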
Never enter data that a website shouldn’t be asking for
There is no reason for a health awareness web page to ask for your email address, let alone your password. If in doubt, don’t give it out.
If you realize you just revealed your password to impostors, change it as soon as you can
The crooks who run phishing sites typically try out stolen passwords immediately (this process can often be done automatically), so the sooner you react, the more likely you will beat them to it.
Never use the same password on more than one site
Once crooks have a password, they will usually try it on every website where you might have an account, to see if they can get lucky.
Turn on two-factor authentication (2FA) if you can
Those six-digit codes that you receive on your phone or generate via an app are a minor inconvenience to you, but are usually a huge barrier for the crooks, because just knowing your password alone is not enough.
Educate your users
Consider a free anti-phishing toolkit that includes posters, examples of phishing emails, top tips to spot a phish, and more.
Harshita C. Jadhav