Phishing Attacks are on the Rise – Do Your Part to Mitigate Risk
Aaron Louks
It’s October, so it must be Cybersecurity Awareness Month. Now in its 17th year, Cybersecurity Awareness Month provides a great opportunity to educate and remind everyone of the importance of cybersecurity.
This year, we have an even greater need to raise awareness for cybersecurity due to COVID-19. Never ones to waste a crisis, malicious actors are wired to exploit vulnerabilities and are taking advantage of the fear, uncertainty, and doubt (FUD) around the pandemic to spread malware at an accelerated rate. In fact, ESG and the Information Systems Security Association (ISSA) recently surveyed 364 cybersecurity and IT professionals on the impact of the pandemic on cybersecurity. The report finds that since March 2020, 63% of respondents have seen an increase in attempted cyberattacks related to COVID-19, including phishing, social engineering attacks and ransomware.
COVID-19 or coronavirus-related spam/phishing attempts will likely continue to be on the rise, so we cannot be complacent. We have a shared responsibility to do our part to help mitigate risk.
What can we do?
Even if you’re not a security professional, there are steps you can take to protect yourself and others from these types of attacks.
The best tool at your disposal is reporting. Most web-based mail services (Gmail, Hotmail, etc.) have a ‘Report Phishing’ or ‘Report Spam’ option that should be used whenever possible to improve their detection algorithms. When messages are marked as spam or phishing, not only are you training the system, but you’re also alerting the mail service’s security team to the incident so they can take preventative action and tune their configurations. Think of it as adding to herd immunity.
How to spot a phishing email
If an email sounds too good to be true (“New COVID-19 prevention and treatment information! Attachment contains instructions from the U.S. Department of Health on how to get the vaccine for FREE”), it probably is. And if an email demands urgent action from you (“URGENT: COVID-19 ventilators and patient test delivery blocked. Please accept order here to continue with shipment.”), take a moment to slow down and make sure it’s legitimate.
Keep in mind:
- Legitimate sources of health information likely won’t use unsolicited email or text messages to make announcements.
- Legitimate government agencies won’t ask for your personal information by email. Never respond to an email with your personal data.
- Check the email address or link. You can inspect a link by hovering your mouse pointer over it to see where it actually leads. Sometimes it’s obvious that the web address is not legitimate, but phishers can also create links that closely resemble legitimate addresses, so beware of that possibility. If you have any doubts about the legitimacy, report the message as a phishing attempt.
- Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammatical errors, it’s likely a sign you’ve received a phishing email. Mark it as phishing or spam.
- Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.
- Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — right now. Don’t click on links, download attachments or reply in any way. Instead, mark the message as a phishing attempt.
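As an added example (not code from the original post), the short Python script below applies three of the checks above to a constructed sample message: a generic greeting, urgency language, and a link whose visible text names a different host than its real target. The sample text, domains and keyword lists are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample lure; the link's display text and its real target differ.
SAMPLE_EMAIL = """Dear sir or madam,
URGENT: COVID-19 ventilators and patient test delivery blocked.
Please accept order here to continue with shipment:
<a href="http://www.health-example.invalid/order">https://www.health.example/orders</a>"""

GENERIC_GREETINGS = ("dear sir or madam", "dear customer", "dear user")
URGENCY_WORDS = ("urgent", "immediately", "act now", "within 24 hours")

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs from anchor tags.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    # Hostname of a URL or of bare URL-looking text; '' for ordinary words.
    if " " in value.strip() or "." not in value:
        return ""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def phishing_indicators(message):
    # Returns the checklist indicators that fire on the message.
    found, lowered = [], message.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(w in lowered for w in URGENCY_WORDS):
        found.append("urgency language")
    parser = LinkExtractor()
    parser.feed(message)
    for href, text in parser.links:
        # Visible text looks like a URL but resolves to a different host.
        if host_of(text) and host_of(text) != host_of(href):
            found.append(f"link text {host_of(text)} -> {host_of(href)}")
    return found
```

Heuristics like these only flag candidates for a closer look; the reporting step described above is still what trains the mail service’s own filters.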
Do your part and spread the word to coworkers, family and friends to make sure they’re aware of the heightened risk and how to avoid falling victim to these types of scams.