Cyber threat actors are continuing to take advantage of the COVID-19 pandemic as a ploy for malicious activities, according to the Canadian Centre for Cyber Security.
The centre says cybercriminals are using the pandemic as an effective lure to encourage victims to visit fake websites and apps and to open email attachments.
“Canadians must exercise constant vigilance and awareness about fake and malicious web sites and applications related to COVID-19 that are attempting to steal money or personal information, including fake COVID-19 exposure notification applications,” a spokesperson for the centre told MobileSyrup.
Since March 2020, the centre has removed over 5,500 fraudulent sites or email addresses, including websites impersonating the federal government.
For instance, the centre has worked to identify and remove malicious websites pretending to be the Public Health Agency and the Canada Revenue Agency.
“While this work was primarily focused on COVID-19 related fraud, this work continues each and every day as we identify and remove more fraudulent domains impersonating the Government of Canada for any reason,” the spokesperson stated.
The centre says Canadians can protect themselves from scams and fraudulent behaviour by being on guard for phishing messages, securing their email accounts and using multi-factor authentication.
Alana Staszczyszyn, a cybersecurity consultant at Toronto-based Security Compass, says numerous COVID-19 scams are related to the Canada Emergency Response Benefit (CERB). She notes that other scams are trying to get people to submit their health data.
“They’re also setting up sites where they will try to sell fake vaccines, or tricking people into confirming their health information for a fake prescription or some sort of COVID-19 treatment,” she stated.
How to protect yourself against COVID-19 scams and fraud
Staszczyszyn says it’s important for all Canadians to have a level of threat awareness and to be cognizant of the types of things they click on or download.
She advises users to inspect emails for indicators of phishing. One way to do this is by checking the email address of the sender. For instance, if an email appears to be sent from a government agency or a bank, but the email address doesn’t look legitimate, then that’s a clear indicator that it’s inauthentic.
Grammar, punctuation and the tone of emails are also good indicators of phishing. Further, if you come across a link, you can hover over it and the bottom left corner of your browser will show the URL it goes to.
Staszczyszyn says people should not download files that they aren’t expecting, which she notes occurs far more often than it should. Users should only open files that are sent from a trustworthy email address or are attached to an email that they are expecting to receive from a trusted sender.
“People need to be aware that even things like Word documents, Excel documents or any sort of PDF can also be malicious,” she explained.
In terms of safety within web browsers, Staszczyszyn says that there is usually a lock icon at the top left corner of the URL bar that indicates whether a site is encrypted. If the icon is locked and green, this means the site is encrypted. However, if it is unlocked and red, this indicates that it is not encrypted, which means users should not share any important data on those sites.
Another way of recognizing whether a site is secure is by simply looking at the URL and checking to see if it matches the site’s content.
Staszczyszyn also expressed the importance of having a password manager to store passwords in a central safe place. However, she notes that passwords saved in password managers should not be for important accounts such as banking, social security or government accounts.
She says password managers are great for smaller accounts, such as a Starbucks account. “That’s where a lot of hacks happen. It’s where nobody’s looking because nobody cares,” Staszczyszyn stated. Since people don’t pay much attention to their smaller accounts, it’s easier for threat actors to get away with fraud or scams undetected.
Another tip is to ensure passwords are long and different for all accounts. Considering several cyber-attacks are conducted by bad actors simply guessing weak passwords, it’s important to have a lengthy and complex password.
She explained that several “attacks are just basically guessing passwords because people use the same passwords and they use weak passwords. Their passwords are in data dumps, and they don’t know it. And then they just use the same password across all their accounts.”
Further, Staszczyszyn says updating your device and operating systems helps prevent your accounts and electronics from being compromised.
“If you have a really old phone, you’re not getting the security patches and it’s more likely that a malicious phone app can easily take your data,” Staszczyszyn noted.
Staszczyszyn notes that it’s also a good idea to back up your data both onto a physical hard drive and onto a cloud service to ensure that nothing is lost permanently if your account ever does get hacked or compromised.
Users who have come across a scam, fraud or cybercrime are advised to report it to the Canadian Anti-Fraud Centre.