One of the many concerns for internal counsel during the COVID-19 crisis is the increasing challenge of managing data security. From exploiting the increased number of employees who are now working from home, through to supply chain disruptions, cyber threat actors are capitalising on geographic and operational impacts from the COVID-19 pandemic.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) continues to receive reports from individuals, businesses and government departments about a range of different COVID-19 themed scams, online frauds and phishing campaigns. This threat update is about raising awareness of the evolving nature of COVID-19 related malicious cyber activity impacting Australians. The Australian Competition and Consumer Commission’s (ACCC) Scamwatch page also has helpful information about the different types of COVID-19 scams and how to prevent yourself becoming a victim.
Cybercrime actors are pivoting their online criminal methods to take advantage of the COVID-19 pandemic. On average each month, the ACSC receives about 4,400 cybercrime reports through ReportCyber, and responds to 168 cyber security incidents.
Since 10 March 2020, the ACSC has:
- received more than 95 cybercrime reports (approximately two per day) about Australians losing money or personal information to COVID-19 themed scams and online frauds,
- responded to 20 cyber security incidents affecting COVID-19 response services and/or major national suppliers in the current climate, and
- disrupted over 150 malicious COVID-19 themed websites, with assistance from Australia’s major telecommunications providers, Google and Microsoft.
Cybercrime actors are registering COVID-19 themed websites to conduct widespread phishing campaigns that distribute malicious software (malware) or harvest personal information from unsuspecting Australians. The Australian Signals Directorate is committed to protecting Australians from malicious cyber activity during this difficult time, including by striking back at these cybercriminals operating offshore.
Mitigation strategies for combatting COVID-19 scams and phishing emails
There are some key details to look out for to help determine if a text message or email is phishing:
- Read the message very carefully and look for anything that isn’t quite right, such as spelling, tracking numbers, names, attachment names, sender, message subject and URLs.
- On a PC or laptop, hover your mouse over links to see if the embedded URL is legitimate, but don’t click.
- Google information such as the sender address or subject line to see if others have reported it as malicious.
- Call the organisation on their official number as it appears on their website (separate to any contact details in the received message) and double-check the details or confirm the request is legitimate. Do not contact the phone number or email address contained in the message, as this most likely belongs to the scammer.
- Use sources such as the organisation's mobile phone app, website or social media page to verify the message.
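The "hover over the link" check above can be automated for an HTML email: extract each anchor, compare the host the link actually points to against the organisation's real domain, and flag links whose visible text names a different domain than the underlying URL. The script below is an added example, not ACSC material; the expected domain `example.org` and the `.test` hostnames in the sample email are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _norm(host):
    """Lower-case a hostname and drop a leading 'www.' for comparison."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def find_mismatched_links(html_body, expected_domain):
    """Return links that leave the expected domain or whose text lies about the target."""
    parser = _LinkCollector()
    parser.feed(html_body)
    expected, findings = expected_domain.lower(), []
    for href, text in parser.links:
        host, reasons = _norm(urlparse(href).hostname), []
        # 'example.org.evil.test' ends with '.test', so this catches prefix tricks.
        if not (host == expected or host.endswith("." + expected)):
            reasons.append(f"link host {host!r} is not under {expected!r}")
        # If the visible text looks like a URL/domain, it must match the real host.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and _norm(shown.group(1)) != host:
            reasons.append(f"text shows {shown.group(1)!r} but link goes to {host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample: one lure link disguised as the real site, two genuine links.
SAMPLE_EMAIL = """<p>Your COVID-19 relief payment is ready.</p>
<p>Login at <a href="http://example.org.update-login.test/verify">https://www.example.org/myaccount</a></p>
<p>Help: <a href="https://support.example.org/contact">support.example.org/contact</a></p>
<p><a href="https://example.org/unsubscribe">Unsubscribe</a></p>"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL, "example.org"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Running it on the sample reports only the first link, with both reasons (wrong host, and visible text that names a different domain).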
Protect yourself against phishing emails
Cybercriminals and scammers produce phishing emails that look legitimate. By following these simple steps, you can assist in protecting yourself against phishing emails:
- Before opening an email, consider who is sending it to you and what they’re asking you to do. If you are unsure, call the organisation you suspect the suspicious message is from, using contact details from a verified website or other trusted source.
- Do not open attachments or click on links in unsolicited emails or messages.
- Do not provide personal information to unverified sources and never provide remote access to your computer.
- Remember that reputable organisations locally and overseas, including banks, government departments, Amazon, PayPal, Google, Apple and Facebook, will not call or email to verify or update your personal information.
- Use email, SMS or social media providers that offer spam and message scanning.
- Use two-factor authentication (2FA) on all essential services such as email, bank and social media accounts, as this way of 'double-checking' identity is stronger than a simple password. 2FA requires you to provide two things, your password and something else (e.g. a code sent to your mobile device or your fingerprint) before you, or anyone pretending to be you, can access your account.