There are currently numerous reports of targeted phishing attempts, a/k/a spear phishing, which seek to exploit anxieties around the COVID-19 outbreak. Phishing may take place over email, phone calls, SMS text messages, social media updates, and web pop-ups. Scammers will likely use familiar/expected language and branding to make their messages appear legitimate. These phishing messages may also appear to come from trusted organizations, such as the CDC (Center for Disease Control), WHO (World Health Organization) banks, merchants, governmental agencies, charitable organizations or known individuals, such as a co-worker or friend.
These messages may seek to:
- trick you into revealing sensitive information, such as account credentials or a credit card number.
- trick you into transferring your organization’s sensitive data or funds. These scams often involve someone posing as an executive or an assistant to an executive in your organization, who needs a request handled on an expedited basis.
- install malware on your device, including spyware, ransomware, and cryptocurrency mining code via an attachment that you open, a macro or content that you enable, or an embedded link that you click.
- redirect you to a fraudulent website designed to look legitimate, in order to steal your credentials.
CISA (Cybersecurity & Infrastructure Security Agency) has also warned that malicious actors are actively targeting organizations involved in the national and international COVID-19 responses, which includes academic institutions. These attackers seek medical research, intellectual property, bulk personal information and intelligence that aligns with their national priorities. Both CISA and the NCSC (National Cyber Security Center) have emphasized the importance of regular patching or updating of systems/devices and the use of strong, unique passwords for all accounts. For password recommendations and examples of passwords to avoid, please see the following NCSC web page. For more information on choosing and protecting passwords, see the following CISA Security Tip.
Best Practices & Reminders:
- Do not forward suspicious emails to your co-workers. To report a suspicious email or if you have questions about the legitimacy of a message, email phishing@nyu.edu.
- Be skeptical of email from unknown senders or from people who do not usually contact you directly via email.
- Verify the sender’s email address, including the domain, e.g, verify that an email purporting to come from a colleague is sent from an nyu.edu email address (vs. an nyu.gmail.com email address or another variant).
- Grammatical and spelling errors are often signs of phishing.
- Do not click embedded links or open attachments you are not expecting to receive.
- Never provide sensitive information to callers or over email.
- Remember that phone numbers and email addresses can be spoofed, so a communication may appear to be legitimate when it’s not.
- Be suspicious of requests to purchase gift cards and to provide the codes/pins to the requestor. Scammers seeking this information will often pose as someone that you know.
- When in doubt of the legitimacy of a communication, contact the sender via a trusted means of communication, such as their NYU Directory phone number.
- Use antivirus (anti-malware) software to help protect you from known threats. For information regarding NYU sponsored anti-malware software access and eligibility, click here. Please note that use of anti-malware software is not a substitute for your own judgement/discernment.
- Update/patch your device operating systems, applications, browsers and browser extensions regularly, as updates address known vulnerabilities which can be exploited by malware.
- Follow the FTC’s tips for coronavirus charitable donations.
- For best practices while teleworking, see the NYU Tech Guide to Teleworking.
For examples of specific COVID-19 phishing threats sent to NYU community members, please see the following NYU IT Security News & Alerts blog posts :
For additional information on COVID-19 scams, please see: COVID-19 Scams Update.