
COVID-19 Phishing Scams


  1. COVID-19 Fake Websites and Phishing Scams
  2. Purpose: The purpose of this training is to educate users about social engineering, with a focus on phishing.
     ▸ After this training, you will be able to identify and report phishing attacks.
     ▸ Apply good practices when on the web.
  3. Fake COVID-19 coronavirus-related domains
  4. According to Google, 2.02 million phishing websites have been registered since the start of 2020. February (02-FEB-20): 41,320; March (01-MAR-20): 53,731; April (19-APR-20): 55,008; May (10-MAY-20): 58,538.
  5. 60,000 phishing websites were reported in May 2020 alone!
  6. “Fraudsters are exploiting the opportunity to steal the Personally Identifiable Information (PII), financial information, and even medical information, of those looking for knowledge, protection, and treatment for the viral infection.”
  7. coincides with the increasing prominence of coronavirus as a global problem
  8. “More than 700 fake websites mimicking Netflix and Disney+ signup pages have been created seeking to harvest personal information from consumers during the coronavirus lockdown streaming boom.”
  9. ▸ Cybercriminals are also impersonating official bodies such as HMRC and the World Health Organization in scam text messages and emails in an attempt to exploit the coronavirus outbreak.
  10. Deceptive Websites – Fake Site (example)
     ▸ This fake website URL is “”
  11. Deceptive Websites – Real Site (example)
     ▸ The real government’s website has a “” URL, not a “.com” URL.
  12. Social Engineering: Don’t get hooked
  13. Top 10 Social Engineering Techniques: ▸ Pretexting ▸ Quid Pro Quo ▸ Honeytrap ▸ Baiting ▸ Phishing ▸ Water-Holing ▸ Tailgating ▸ Spear Phishing
  14. “Hi there, regarding my purchase, I have to go to California, my sister has mental health issues so I'll be there for couple of days, It will be very helpful if you send this item to new address (See attachment). Kind regards.”
  15. Pretexting: Pretexting is a type of social engineering attack that involves a situation, or pretext, created by an attacker in order to lure a victim into a vulnerable situation and to trick them into giving private information, specifically information that the victim would typically not give outside the context of the pretext.
  16. Examples of Pretexting
     ▸ Pretexting is a form of social engineering used to manipulate victims into divulging sensitive information. Pay attention to generic greetings.
  17. How to avoid Pretexting (Tip 1)
     ▸ Avoid sharing personal information on social media. If you have already shared this information, request to have it pulled down.
     ▸ Use authorized and trusted channels to verify your email address and phone number in case you receive a suspicious message.
     ▸ Do not click on links sent via email; instead, use trustworthy websites.
     ▸ Do not disclose your personal information and passwords to anyone if you are uncertain.
     ▸ Cancel requests for help from a company if you have not requested assistance.
     ▸ Find out who has access to your data at work and ensure that it is secure.
     ▸ Do not open emails from an unknown source.
     ▸ Secure your computer by installing anti-virus software, email spam filters, and firewalls, and always keep them updated.
  18. Quid Pro Quo: Quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service.
  19. Examples of a Quid Pro Quo
     ▸ Fraudsters contact random individuals, inform them that there’s been a computer problem on their end and ask that those individuals confirm their personal information, all for the purpose of committing identity theft.
  20. How to avoid Quid Pro Quo (Tip 2)
     ▸ Invest in modern antivirus and antimalware software that will help prevent and manage potential intrusions.
     ▸ Evaluate email filtering software that can identify and remove phishing attacks before they make it to an employee’s inbox.
     ▸ Social engineering attacks rely on either the naivete or gullibility of staff. Provide regular security awareness training that outlines common tactics and strategies that criminals will use.
     ▸ Conduct frequent penetration tests to gauge how well your employees are prepared to handle these various attacks.
     ▸ Shred company records or any documentation that includes names or employee information. Consider using trash receptacles or dumpsters with locking mechanisms.
  21. Honeytrap: An investigative practice involving the use of romantic or sexual relationships for interpersonal, political (including state espionage), or monetary purposes. The honey pot or trap involves making contact with an individual who has information or resources required by a group or individual.
  22. Example of a Honeytrap: The trapper will seek to entice a target into a false relationship (which may or may not include actual physical involvement) in which they can glean information or influence over the target.
     ▸ Sarah Cook was overjoyed when she met someone she thought was special on a dating site. Mrs Cook (not her real name), 52, felt she had developed a genuine connection with a US soldier serving in Iraq and was only too happy to help him out when he needed money. But her dreams were shattered when Ghanaian police arrested 31-year-old Maurice Asola Fadola, who they suspected of posing as the soldier and conning Mrs Cook out of £271,000.
  23. How to avoid a Honeytrap (Tip 3)
     ▸ You need to have the patience and ability to question yourself. Scams often create a sense of urgency, which tests your ability to make a quick decision, and present the situation as one where a huge opportunity may be lost.
     ▸ These are sure-shot signs of a scam in motion, which tempts you into making a wrong decision.
     ▸ Any offer that sounds too good to be true, but which comes with a sense of urgency, is usually a scam.
  24. Baiting: Baiting attacks use a false promise to pique a victim's greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
  25. Baiting: The most reviled form of baiting uses physical media to disperse malware.
     ▸ Attackers leave the bait (typically malware-infected flash drives) in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company).
  26. How to avoid Baiting (Tip 4)
     ▸ Alertness and awareness will serve you well and protect you against baiting and other social engineering attacks.
     ▸ Keep your antivirus and antimalware security settings up to date so they flag potentially harmful and malicious cyber threats.
     ▸ Can that URL really be trusted? Is it secure, and does it have an up-to-date, valid security certificate? For example, when you use Google Chrome, check that there is a lock sign in the browser search window. This will allow you to see if your connection is secure, can be trusted and has a valid certificate.
     ▸ Scan your computer regularly to further protect yourself against these cyber threats and help improve your cybersecurity hygiene.
  27. Phishing! A social engineering attack using a fake e-mail, often with a theme, to elicit interaction (clicking a link or opening an attachment) to deposit malware on the target system.
  28. Example of Phishing: Phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. They then prod victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
     ▸ An email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change.
     ▸ It includes a link to an illegitimate website, nearly identical in appearance to its legitimate version, prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal the information is sent to the attacker.
  29. How to avoid being phished (Tip 5)
     ▸ Know what a phishing scam looks like
     ▸ Don’t click on that link
     ▸ Get free anti-phishing add-ons
     ▸ Don’t give your information to an unsecured site
     ▸ Rotate passwords regularly
     ▸ Don’t ignore those updates
     ▸ Install firewalls
     ▸ Don’t be tempted by those pop-ups
     ▸ Don’t give out important information unless you must
     ▸ Have a Data Security Platform to spot signs of an attack
  30. Water Holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. ... This strategy has been successfully used to gain access to some (supposedly) very secure systems. The attacker may set out by identifying a group or individuals to target.
  31. Water Holing: This is a social engineering attack that takes advantage of the amount of trust that users give to websites they regularly visit, such as interactive chat forums and exchange boards.
     ▸ Users on these websites are more likely to act in an abnormally careless manner.
     ▸ These websites are referred to as watering holes because hackers trap their victims there just as predators wait to catch their prey at watering holes.
     ▸ Hackers exploit any vulnerabilities on the website, attack them, take charge, and then inject code that infects visitors with malware or that leads clicks to malicious pages.
  32. Water Holing – OceanLotus Example: A watering hole campaign targeting several websites in Southeast Asia occurred in 2018 and 2019. This campaign, believed to have been run by the OceanLotus group, was very large in scale and over 20 compromised websites were found, including the Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several Vietnamese news and blog outlets. Attackers added a small piece of malicious code to the compromised websites, which checked visitors’ locations, and only visitors from Vietnam and Cambodia received the malware.
  33. How to avoid Water Holing (Tip 6)
     ▸ Keep all your systems, software and OSes updated to the latest version with all patches offered by vendors applied.
     ▸ Invest in advanced network security tools, such as solutions that leverage network traffic analysis and perform inspection of suspicious websites in order to spot attackers attempting to move laterally across the network and exfiltrate data.
     ▸ Practice makes everything perfect, so make sure that security awareness training includes all current threats to your organization, which should definitely include watering hole attacks.
  34. Tailgating Attack: A tailgating attack is a social engineering attempt by cyber threat actors in which they trick employees into helping them gain unauthorized access to the company premises.
  35. Tailgating Attack: The attacker seeks entry into a restricted area where access is controlled by software-based electronic devices.
     ▸ A social engineer can pretend to be a delivery agent from an e-commerce company or someone from a food delivery service, holding boxes as an excuse to ask employees to open the door.
     ▸ The social engineer would make it look difficult for him to open the door and would ask any authorized person to help him, as a courtesy, to get entry to the restricted premises.
  36. How to avoid Tailgating Attacks (Tip 7)
     ▸ Make sure to lock your system and other devices when leaving the workstation.
     ▸ In order to avoid tailgating attacks, do not let unknown people enter restricted office premises unless they have appropriate credentials or authority of access.
     ▸ Never help strangers to access a secured location when they ask to open the door or are from delivery services unless they are permitted.
     ▸ Always keep your access identity card with you while you are on the premises and make sure to keep it secure from being misused by unauthorized employees.
     ▸ Never insert stray or idle external devices like USB or memory cards in your system before getting them verified by the security administrator.
     ▸ Implement cybersecurity practices in your organization to prevent potential cyber risks.
     ▸ Provide cybersecurity awareness training to employees to help them understand cyberattacks and how to recognize them.
  37. Spear Phishing: Spear phishing is a phishing method that targets specific individuals or groups within an organization.
  38. Spear Phishing: It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss.
     ▸ Spear phishing attackers perform reconnaissance methods before launching their attacks. One way to do this is to gather multiple out-of-office notifications from a company to determine how they format their email addresses and find opportunities for targeted attack campaigns.
     ▸ Other attackers use social media and other publicly available sources to gather information.
  39. How to avoid Spear Phishing (Tip 8)
     ▸ Educate your employees and conduct training sessions with mock phishing scenarios.
     ▸ Deploy a SPAM filter that detects viruses, blank senders, etc.
     ▸ Keep all systems current with the latest security patches and updates.
     ▸ Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
     ▸ Develop a security policy that includes but isn't limited to password expiration and complexity.
     ▸ Deploy a web filter to block malicious websites.
     ▸ Encrypt all sensitive company information.
     ▸ Convert HTML email into text only email messages or disable HTML email messages.
     ▸ Require encryption for employees that are telecommuting.
  40. Knowledge Checking: Abbreviated key takeaways
  41. ______ million phishing websites have been registered since the start of 2020 ✓
     a) 1.12 Million b) 2.02 Million c) 5.9 Million d) 10 Million e) None of the above
  42. More than 700 fake websites mimicked the following companies ✓ ✓
     a) Fox News b) Disney c) Amazon d) Netflix e) None of the above
  43. Pretexting is… ✓
     a) a form of social engineering used to manipulate victims into divulging sensitive information. b) a new way to text. c) a pre-filled form. d) all of the above.
  44. Quid Pro Quo is… ✓
     a) a promise or a benefit in exchange for information. b) a new way to text. c) a French dessert. d) Latin for hello. e) None of the above
  45. A Honeytrap is… ✓
     a) a way to catch bee honey b) a trap that involves making contact with an individual who has information or resources required by a group or individual. c) A new web app. d) None of the above
  46. Resources
  47. Thank you. Any questions? You can find me at:
