This pandemic has not slowed down the horrendous behavior of cybercriminals. In fact, ruthless thieves have actually stepped up their activity and have even been caught incorporating coronavirus fears into their schemes.
The numbers are staggering. We’ve seen COVID-19 related scams skyrocket over the past few weeks as phishing attacks increased by more than 30%.
While the phishing attacks we’ve been seeing have been successful at tricking victims, the scams are about to get more convincing. That’s because criminals who aren’t very tech-savvy are getting help setting up spoofed websites from bad actors on the Dark Web.
It’s like Squarespace for hackers
Phishing emails always have the same objective: to steal account credentials and banking information. Their success rate depends not only on how convincing the email is, but also on how convincing the spoofed website is that you’re redirected to.
Let’s face it, if you are sent to a website that looks like it was built by clowns and is riddled with grammatical errors, you’re most likely going to run away as fast as possible. But on the other hand, making malicious emails and websites look exactly like official ones can be a goldmine for the thief.
Now researchers at Proofpoint have found a number of readily available templates for sale on the Dark Web that let anyone willing to pay for them build official-looking websites. It’s basically a hackers’ online marketplace for tools of the trade.
And the problem with these templates is that they go even deeper than just an official-looking landing page. Many come with multiple pages, so a visitor will be more convinced that they’re at the right place.
Even worse, millions of people around the world are looking for information dealing with the COVID-19 pandemic and could end up on one of these fake sites, which could lead to handing over account passwords and banking information. Sites being spoofed include the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), the IRS, and more official government websites from around the globe.
Some of the fake sites ask visitors to enter their email address and password before being able to look around the site. For example, the spoofed CDC site asks you to authenticate with your email provider so you can receive a “Vaccine ID.” The authenticator even uses logos from Gmail, Yahoo, AOL, Microsoft Outlook and more.
How to protect yourself from spoofed sites
COVID-19 has seriously impacted the economy and many people are in need of assistance. That’s why the U.S. government started sending Economic Impact Payments last month, but not everyone has received one just yet.
Government officials have recently been talking about possibly giving Americans more assistance in the near future, which is what makes the IRS a perfect target for criminals and spoofed sites. One template lets a thief create a fake IRS site designed to steal personal information such as your Social Security number, banking credentials, street address and more.
If you end up on the fake site you’ll be greeted with a page supposedly offering Financial Aid Details. It claims that you’re eligible for financial aid and all you need to do is submit a request. Below is an example of what the spoofed page looks like.
After clicking on the “Continue” button, you’ll be taken to yet another spoofed page. On this page, you’ll be asked to enter your Social Security number, date of birth, full name, bank account information and other details. Below is an example of what this spoofed page looks like.
With this information, cyber crooks could potentially drain your bank account, steal your identity and open credit accounts in your name. That’s why it’s so critical to avoid falling for phishing emails and protect your information.
First, never trust links or attachments found in unsolicited emails. With spoofing techniques like those we’ve detailed above, now you know how easy it is for crooks to create fake messages and sites.
If you need to visit sites like IRS.gov or CDC.gov, type them directly into your web browser. Thieves are just getting too good at spoofing sites and you need to know you’re on the official one before entering critical information.
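For readers who want to check a link before trusting it, here is a short Python sketch of the "am I on the official site?" test. It is an added example, not from Proofpoint or the original article; the `check_link` function and the sample links are constructed for illustration, and the domain list holds only the two sites named above.

```python
import re
from urllib.parse import urlsplit

# Official domains the article names; add the organisations you deal with.
OFFICIAL_DOMAINS = {"irs.gov", "cdc.gov"}

def check_link(url, official=OFFICIAL_DOMAINS):
    """Return 'official', 'suspicious' or 'unrelated' for a link from a message."""
    try:
        parts = urlsplit(url.strip())
        # .hostname is what the browser connects to: it drops any
        # "user@" prefix and the port, and lower-cases the name.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious"          # malformed URL: do not follow it
    if not host:
        return "suspicious"          # no host to verify
    # Official only if the host IS the domain or a true subdomain of it.
    if any(host == d or host.endswith("." + d) for d in official):
        # Without HTTPS the page can be altered in transit.
        return "official" if parts.scheme == "https" else "suspicious"
    # Any other host that borrows an official name is a lookalike.
    tokens = set(re.split(r"[.-]", host))
    for d in official:
        brand = d.split(".")[0]      # "irs", "cdc"
        if brand in tokens or d in url.lower():
            return "suspicious"
    # Punycode labels can render as look-alike letters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious"
    return "unrelated"

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://www.irs.gov/coronavirus",
    "https://irs.gov.financial-aid.example/claim",
    "https://irs.gov@login.example/",
    "https://cdc-vaccine-id.example/",
    "http://irs.gov/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):<11} {link}")
```

A result of "unrelated" only means the host does not imitate a listed domain; it is not a verdict that the site is safe.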
Next, never reply to an email or text message with personal information. Again, if you need to correspond with an organization or business, navigate directly to their website by typing the address into your browser.
Also, make sure you have unique passwords for every online account. Many people use the same password for multiple websites, which is a terrible mistake. If your credentials are stolen from one site and you use the same username and/or password on others, it’s easy for the cybercriminal to get into each account.
Finally, you need to take steps to protect your identity. Identity theft is one of the fastest-growing crimes in the U.S. and there are too many threats out there to defend against them all yourself. That’s why it’s important to use an identity protection service you can trust. We recommend Identity Guard.