As the world continues to grapple with the COVID-19 pandemic, the U.S. government has passed a stimulus plan to distribute money directly to many United States citizens in the coming weeks. We’ve already seen threat actors use the promise of COVID-19 payments to target Americans, Australians, Canadians, and those in the UK. Below are six ways consumers can protect their personal information from COVID-19 fraud attempts.
The potential coronavirus stimulus risks are also amplified by the fast-moving flow of information surrounding this worldwide event. News is changing by the hour if not by the minute and it’s not always clear who has the right information. These sorts of events create a rich environment for misinformation and attackers often leverage confusion as an opportunity to present what they want you to know and do as real and authoritative.
What You Can Do Now to Help Protect Yourself
Below are six ways you can protect yourself and your personal information:
- Be aware that you are at risk. Knowing that attackers are ready to do their best to trick you out of your money can help you take an appropriately skeptical stance in regard to information you may see or hear. And be sure to warn others of the potential danger.
- Be wary of any emails, text messages, social media communications, or phone calls you receive that promise stimulus payments. To date, the United States Government has never used email to collect information in regard to payment programs of this type. The U.S. Postal Service is used to both distribute and collect information. This means that any email, or other digital communication, you receive that asks for stimulus information is almost certainly a fraud.
- Don’t provide your bank account number, usernames/passwords, social security number, or other personal information in response to any online requests—and avoid clicking on email links. If you have any questions regarding payments, go directly to authorized institutions for additional directives.
- Create unique usernames and passwords for each account. In the event your username/password is stolen, you can reduce your risk of extensive compromise by using different credentials across multiple accounts. These accounts can include your email, financial/banking websites, work log-in, and streaming services.
- Verify websites are legitimate. If you are visiting a website, you can verify the site is safe by clicking the padlock image on the left of the browser address (highlighted in orange below). Be sure to check that the name of the server is your desired destination (highlighted in red below).
Figure 1: How to Verify a Website - IRS Example
- Avoid disinformation with multiple sources. Finally, make a point to get information from trusted, big name news sources and take the time to double-check with at least one other trusted, big name news source. In particular, be wary of information that friends may have seemed to have sent you or posted on social media. These messages could be spam (and they didn’t send them) or it could be misinformation.
We urge everyone to be vigilant and verify the authenticity of all digital requests and communications associated with coronavirus. Proofpoint researchers have been tracking coronavirus-themed attacks since January and will continue to do so. We will update this blog as more information about this program and COVID-19 threats become available.