Malicious cybercriminals are actively targeting individuals and Australian organisations with COVID-19 related scams and phishing emails.
These incidents are likely to increase in frequency and severity over the coming weeks and months. This is due, in part, to the ease with which existing scam emails and texts can be modified with a COVID-19 theme.
How to spot a phishing email or text message
There are some key things to look for to determine if the text message or email is phishing:
Read the message carefully and look for anything that isn’t quite right, such as tracking numbers, names, attachment names, sender, message subject and URLs.
On a PC or laptop, hover your mouse over links to see if the embedded URL is legitimate, but don't click.
Google information such as the sender address or subject line to see if others have reported it as malicious.
Call the organisation on their official number as it appears on their website (separate to any contact details in the received message) and double-check the details or confirm the request is legitimate. Do not contact the phone number or email address contained in the message, as this most likely belongs to the scammer.
Use sources such as the organisation's mobile phone app, website or social media page to verify the message.
Protecting yourself against phishing emails
As the examples above illustrate, cybercriminals and scammers can produce phishing emails that look very legitimate. By following these simple steps, you can assist in protecting yourself against phishing emails:
Before opening an email, consider who is sending it to you and what they’re asking you to do. If you are unsure, call the organisation you suspect the message is from, using contact details from a verified website or other trusted source.
Do not open attachments or click on links in unsolicited emails or messages.
Do not provide personal information to unverified sources and never provide remote access to your computer.
Remember that reputable organisations locally and overseas - including banks, government departments, Amazon, PayPal, Google, Apple and Facebook - will not call or email to verify or update your personal information.
Use email, SMS or social media providers that offer spam and message scanning.
Use two-factor authentication (2FA) on all essential services such as email, bank and social media accounts, as this way of 'double-checking' identity is stronger than a simple password. 2FA requires you to provide two things, your password and something else (such as a code sent to your mobile device or your fingerprint) before you - or anyone pretending to be you - can access your account.