When tragedy strikes, criminals invariably prey on people’s best intentions.
Scammers have been using Hurricane Harvey-themed messages to trick people into opening phishing emails and links on social media sites, which can steal login information, infect machines with malware, or con victims out of money. US-CERT, a cybersecurity arm of the U.S. Department of Homeland Security, issued a warning about the threat on Monday.
“[R]emain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey,” the advisory read. “Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.”
As the advisory notes, a common scam during and after natural disasters is for fraudsters to pretend to set up relief funds and request donations. Fortune has seen several suspicious online profiles and personas that, although their legitimacy couldn’t be determined, raised several red flags: a small number of followers, unverified accounts, no apparent links to accredited charities, and no means to track where proceeds go.
Get Data Sheet, Fortune’s technology newsletter
Zack Allen, threat operations manager at ZeroFOX, a social media-focused cybersecurity startup, says the ruse is a typical one. “Cybercriminals are opportunists and, sadly, a crisis like Hurricane Harvey is a prime example of their preying on humanity’s empathy and trust,” he wrote in an email to Fortune. “People all over the world quickly rushed to their social media accounts to find the best avenues to donate to victims, but these same avenues are ideal for scammers who try to convince victims to donate to their fraudulent Hurricane Harvey cause.”
Kevin Epstein, vice president of threat operations at Proofpoint (PFPT), a cybersecurity firm that provides email protection, said that in recent days he has seen hurricane-related snares such as “see this terrifying video” or pleas to “donate to the relief effort.” One PDF attachment titled “hurricane harvey – nueces county news release 11 – it’s your chance to help.pdf” prompted people, when opened, to enter their email username and password, he told Fortune.
It’s common for fraudsters to take advantage of news du jour to bait prospective victims. “Consistently, attackers use world events as themes for their attacks,” said Oren Falkowitz, CEO at Area1 Security, a cybersecurity startup that fights phishing. He noted that attacks related to tax season and national elections were examples of recent popular lures.
A few tips you can use to stay safe: First, keep your software up to date. Hackers often try to compromise devices running outdated software that has security holes.
Second, be careful what you click: Don’t accept or open unsolicited content from untrusted sources. (You should even be wary of trusted contacts, as they too may have been compromised.)
Third, be sure the organizations to which you’re contributing money are legitimate. Here’s a rundown of some reputable charities assembled by Fortune. US-CERT further recommends reviewing these safety guidelines from by the Federal Trade Commission for Hurricane Harvey-related charitable giving, and cross-checking organizations on this directory of national charities from the Better Business Bureau.
