Since the start of COVID-19, there has been a notable increase in spam communications, including phishing emails, SMS phishing (text messages) and voice phishing (robocalls). Attackers are taking advantage of this time of change and stress to trick people.
Many scams reference COVID-19 itself. Attackers have been sending phishing emails claiming to be from health organizations or posing as government officials with information about the virus and vaccines. They are even sending text messages that state you’ve been in contact with someone exhibiting symptoms of COVID-19 and that you must click a link for further instructions. Similar messages have been found in phone scams as well.
Keep reading for tried-and-true methods to support you in identifying and avoiding all spam messages.
Foolproof ways to identify spam communications every time
- Be cautious when reading ALL emails. It’s easy to get overwhelmed by an avalanche of email communications, especially since remote work requires more virtual communications. Take your time when reading emails to avoid fatigue and slow down enough to really investigate the contents of each message. Dedicating your full attention to this process will make it easier to analyze the messages and differentiate between real emails and phishing.
- Don’t be isolated. You might feel like a lone ranger battling the sea of social engineering threats on your own. However, a co-worker or the Cybersecurity Team is only a phone call, email or text message away. If you are unsure if a communication is real or phishing, reach out to someone for help. You’ll be glad you connected with a real human!
- Review the design and message of the email. Consider the following questions when reviewing any type of email you get: Is the message poorly designed? Does it contain bad grammar or misspelled words? Does it look like an official email from the supposed sender? These are usually indicators of hastily crafted phishing or spam emails.
- Check the sender of the email. Does the email address of the sender match who the email claims to be from? For example, if the email says it’s from Microsoft yet the sender’s address is 123344@evilguy.jp, that’s an almost guaranteed sign the message is malicious. If you’re interested in a more technical approach to reviewing email headers, you can check out a PDF handout on the subject online (must be on site or VPN to access).
- Watch out for the unexpected. It is easy to identify a phish if you get a message about something that catches you off guard, such as one claiming to send a document via OneDrive you know nothing about or information about a package that you haven’t ordered. If you aren’t sure, never click on a link in the message to find out more information. Instead, copy/paste tracking numbers into package delivery sites to see if it references a real shipment or ask for help from the Cybersecurity Team or a colleague.
- If you don’t recognize a phone number, do not pick up, respond or click. If you are receiving a real phone call or text message from someone who needs to get a hold of you (and isn’t already in your contact list), they will leave you a voicemail with information to call them back or will identify themselves in the text message. Never respond or give any information to someone on a cold call claiming to be from tech support such as Microsoft or Apple, as these are generally
- Spam numbers often have the same area code and prefix as your phone. When attackers send spam messages, they try to spoof your phone number to make it look like a local number. However, as you get more spam calls you may notice the prefix (the first three digits after the area code) stays the same from one call to the next, with only the last four digits changing. If you see this happening, you know these are spoofed callers trying to trick you.
- Block persistent numbers. If you keep getting spam texts or calls from the same number, use the block feature in your cell phone or a scam protection application from your wireless provider to reduce notifications from these numbers.
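The "Check the sender of the email" step above can be automated as a first-pass filter. The following is an added example, not part of the original article: it flags a From header whose display name or local part claims a brand while the address domain does not belong to that brand. The `BRAND_DOMAINS` table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list (assumption): brand keyword -> domains it really sends from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "apple": {"apple.com"},
}


def domain_allowed(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one.

    Matching on the full suffix (".microsoft.com") means a lookalike such as
    "microsoft.com.evilguy.jp" is NOT accepted.
    """
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(from_header):
    """Return the brands claimed by a From header that its domain does not back up."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    claimed_text = f"{display} {local}".lower()
    mismatches = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed_text and not domain_allowed(domain, allowed):
            mismatches.append(brand)
    return mismatches


if __name__ == "__main__":
    # Constructed sample headers; the first uses the address from the article.
    samples = [
        '"Microsoft Support" <123344@evilguy.jp>',
        "Microsoft Account Team <no-reply@microsoft.com>",
        "Apple <id@apple.com.evilguy.jp>",
    ]
    for header in samples:
        hits = check_sender(header)
        verdict = "SUSPICIOUS: claims " + ", ".join(hits) if hits else "no mismatch"
        print(f"{header!r:55} {verdict}")
```

A mismatch is a strong warning sign, but a match proves nothing by itself, because the From header can be forged; treat this as one signal alongside the other checks in the list.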
Looking for more information about phishing and other cybersecurity resources?
Check out our website: securityawareness.fnal.gov.
Email us at cybersecurity@fnal.gov for general questions and to report phish.
Jessie Pudelek is a computer security analyst at Fermilab.