Scams are abundant. Scams are a type of social engineering and COVID-19 / Coronavirus is a dream for social engineers. Why?
Social Engineers want to get you to do something that they want you to do. That could be any of the following actions:
- Click a link
- Open an attachment
- Login to an account
- Provide information
- Enter a credit card number
- Send a gift card
- Donate money to a fake charity
- Buy a bogus product
Social Engineers are trying to prevent you from verifying the authenticity of their request. They do this by relying, primarily, on four (4) elements to get you to perform this action on their command:
- Pretext (a story that provides context for the requested action)
- Urgency (you must act now)
- Fear (you must act now or something bad will happen)
- Authority (We’re the IRS, the CEO, or the CDC)
If you want to see an example of this in action, here’s a 2-minute video of a professional social engineer deploying these tactics over the phone. She has a pretext (needs to get a bank loan), urgency (needs to get it done today), fear (a crying baby) and authority (claims to be the wife of the account owner).
COVID-19 / coronavirus is such a dream for scammers because it provides, all by itself, three out of these four elements. The pretext is on the front page of practically every website on the Internet. Many people feel urgency to take action. Many people are afraid. And the fourth element, Authority, is very easy to fake right now because entities such as Johns Hopkins University and the Centers for Disease Control and Prevention (CDC) that are emerging as COVID-19 / coronavirus authorities are not as recognizable to most people and therefore much easier to impersonate. Domain names with “COVID-19” or “coronavirus” in them may seem authoritative, but scammers have registered hundreds if not thousands of these domains and are already leveraging them for scams of all kinds.
An atmosphere of fear and urgency provides incredibly fertile ground for social engineering operations. The world is facing an unprecedented level of fear and urgency right now. Social engineers are more sophisticated and have more tools at their disposal than ever before. This article from Forbes includes examples of dozens of coronavirus-related domains that have been registered and are actively being used to peddle scams. Fake coronavirus maps that attempt to deliver malware are emerging. Businesses and large enterprises are not immune. Scammers are using supply-chain scare tactics to bait executives.
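For defenders who review hostnames from mail or proxy logs, the sketch below shows one way to flag pandemic-themed and authority-impersonating domains for manual verification. It is an added example, not part of the original article; the keyword lists, the allowlist and the sample hostnames are assumptions constructed for illustration.

```python
import re

# Constructed for this example: theme keywords, authority names, allowlist.
# "corona" also matches "coronavirus"; expect some benign hits to review.
THEME = ("covid", "corona")
AUTHORITY = ("cdc", "jhu", "johnshopkins")
ALLOWLIST = ("cdc.gov", "jhu.edu")

# Map common digit-for-letter swaps back to letters (c0vid -> covid).
SWAPS = str.maketrans("01357", "oiest")

def allowlisted(host):
    """True only if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)

def triage(host):
    """Return the reasons a hostname deserves manual verification."""
    host = host.strip().lower().rstrip(".")
    if allowlisted(host):
        return []
    reasons = []
    # Collapse separators and digit swaps so "c0vid-19" still matches "covid".
    squashed = re.sub(r"[^a-z0-9]", "", host).translate(SWAPS)
    if any(k in squashed for k in THEME):
        reasons.append("theme-keyword")
    # An authority name used as a label or hyphenated token outside the
    # allowlist suggests borrowed authority, e.g. "cdc.gov.<something else>".
    tokens = re.split(r"[.-]", host)
    if any(t in AUTHORITY for t in tokens):
        reasons.append("authority-name")
    return reasons

def flag_hosts(hosts):
    """Map each suspicious hostname to its list of reasons."""
    return {h: r for h in hosts if (r := triage(h))}

# Constructed sample hostnames (the .example TLD is reserved for documentation).
SAMPLE_HOSTS = [
    "www.cdc.gov",
    "cdc.gov.covid-19-relief.example",
    "c0r0navirus-map.example",
    "intranet.example",
]

if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_HOSTS).items():
        print(f"{host}: {', '.join(reasons)}")
```

A flag here means "verify before trusting", not "malicious"; the allowlist is matched on the end of the hostname so that a trusted name placed at the start of a longer domain does not pass.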
To protect yourself and your organization, the rules are just like what Warren Buffett said about investing (also very fraught now, and very ripe for scams).
It’s simple, but not easy.
It’s also unchanged.
If it’s trying to make you act urgently and trying to make you afraid, be very skeptical.
Don’t click. Don’t open. Verify.