Posted by Anna Nicholls on 21-Sep-2020 12:07:17

Phishing for covid


The past six months have brought out the best, and the worst in people as the world has battled the coronavirus pandemic together. We’ve seen communities coming together to help and support one another, much needed funds raised for charities and neighbourhoods standing together and clapping for carers. And then we’ve seen the flip side of the coin, as criminals try to take advantage of people when they’re at their most vulnerable. 

According to security firm Barracuda Networks, the number of covid related phishing emails increased by 667% earlier this year, with 137 emails identified in January; 1188 identified in February and over 9000 in March. At the time, Google said it was blocking around 18 million Covid-19 related phishing emails a day. In August, the UK’s HMRC reported it was investigating more than 10,000 covid-related phishing attacks showing that the pace at which cyber criminals are trying to dupe people, isn’t slowing down. 

These fraudulent emails come in many guises. Cyber criminal gangs have set up fake charities, to which people have innocently donated their hard earned money, thinking that they’re helping those communities in dire need of support. Others have posed as the NHS or WHO (World Health Organisation), mining data through fake track & trace messages - exploiting people’s deepest concerns and fears and attacking them at their most vulnerable. And these phishing scams don’t just come via email. As technology works harder and harder to stop cyber gangs in their tracks with antivirus softwares and advanced threat detection capabilities, many criminals have gone old school with phishing SMS text messages and even good old fashioned phone calls. 

However these con artists try to grab people’s attention though, their intentions remain the same. To steal data, defraud victims and distribute malware. And some of these scams are so realistic, and so convincing, that people would be forgiven for falling for them. Especially when something as deeply disconcerting as covid is concerned. 

So what precautions can you take to protect yourself from a phishing scam? Well unfortunately, because these criminals prey on human emotion, all the security tech in the world won’t protect you if you fall for an old fashioned con artist trick, but there are ways to remain alert and things to be aware of that just might help to keep you safe and savvy. 

How to spot a phishing scam

Check their domain
Which domain has the email been sent from? If it’s a public domain (@hotmail @gmail @yahoo for example), the chances are it's an individual, and not a company or a charity. A recent example of this was a phishing scam email which promised a tax rebate was due, but which upon closer inspection had been sent from a Hotmail address, and not from the Inland Revenue. Check the email address that the messages are coming from - and pay more attention if you’re opening emails on your smartphone. People often fall victim to a scam via their phones because the small screen size makes it difficult to see clearly where the email has been sent from.

Be aware of the latest scams
Other recent and popular scams which have done the rounds during the coronavirus pandemic have attempted to exploit the services we’re relying on the most at the moment. We’ve already mentioned the NHS Track & Trace app being spoofed back when it launched, but cyber criminals have also tried to dupe us into thinking we’re at risk of losing the services we depend on. For example, emails, texts and calls including messages stating that broadband bills haven't been paid and services will be terminated. The same goes for Netflix and Amazon Prime subscriptions. Even phone calls stating that illegal activity has been identified on people’s internet connections and the police are being informed. Fake news! Scammers know that we’re all working from home and depend more than ever on our internet connectivity at the moment. Pay close attention, and don’t fall for it. It’s no coincidence that scammers are playing us via the services we’ve depended on the most in recent months.

Check their spelling
If you look closely at the scams, you will almost always find something untoward. Spelling mistakes, an incorrect or low quality, pixelated logo, for example. Many cyber scams originate from overseas and translation software isn’t always that clever at interpreting context and dialect - so read the emails carefully, and if it doesn’t look or sound quite right, it probably isn’t.

Avoid links and attachments like, well, like covid
We were going to say avoid them like the plague… this is one that we should all know by now. NEVER click on, or download an email attachment if you don’t know or trust the sender, and don’t click on URLs embedded into emails or SMS messages. You can hover over a URL before clicking on it to see the domain. If it’s a genuine Netflix email, it won’t come from and it won’t direct you to a hidden PayPal domain.

Embrace the technology
Use the technology available to you to help avoid and isolate any attempted, or successful phishing or hack attempts. Make sure your PC or laptop has antivirus software installed, and that it’s regularly updated. Security software will update in order to adapt to the latest threats, so if you’re out of date, you’re at risk. Keep your smartphones updated for the same reason. If the apps you’re using offer MFA (multi factor authentication) then use it. Online banking will enforce this now, but social media platforms give you a choice. MFA simply means that you will be required to enter two forms of ID verification to make a change to your account, for example a password and a fingerprint scan, or they might text a code to a second device and ask you to confirm it. 

If you think you’ve responded to a scam, go to and follow the steps and advice on what to do. If you’ve submitted your bank or credit card details, contact your bank or lender for advice. And if you’ve clicked on a hyperlink on your computer, run a full virus scan and make sure your security software is updated.

Keep your wits about you as best you can and if you are in any doubt at all, ignore the email and telephone the provider alleging to have sent the email. Any reputable company will be more than happy to check it out for you, rather than have you fall victim to a phishing scam.

Topics: security, legal, compliance, GDPR

Written by Anna Nicholls