On August 24, Tropical Storm Harvey turned into Hurricane Harvey and made landfall near Rockport, Texas. It caused catastrophic flooding in the greater Houston area, killed at least 16 people, and could result in close to $60 billion in economic losses. While thousands flock to help the victims of the storm, cybercriminals are spinning into action, trying to fleece sympathetic Americans with phishing campaigns.
As reported by SC Magazine, cybercriminals are manipulating users into clicking on fraudulent Hurricane Relief Fund links. These fake links have been seen all over Facebook and Twitter and not only take users to bogus funds, but can also lead to malware sites. US-CERT issued a warning yesterday advising those who want to help:
“Remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.”
Spear phishing attacks, a more targeted practice of sending emails that appear to be from a known or trusted source in order to induce clicking, are also expected to ramp up around hurricane relief efforts. That means those interested in helping relief efforts should be even more skeptical when reviewing incoming emails. Be on the lookout for bad grammar, links that don’t match branded web domains, and other red flags associated with phishing campaigns.
For organizations looking to support the relief efforts, be sure to remind employees about the risks and dangers associated with phishing campaigns. Teach your users about the hazards of clicking on suspect email attachments and on embedded hypertext and web links.
Want to take your anti-phishing training to the next level? Learn how to educate your workforce about phishing and train them to identify these attacks in this Dark Reading article from WatchGuard’s CTO, Corey Nachreiner. To learn how WatchGuard turned the tables and hooked a spear phisher, check out this Secplicity blog post.