First off, let’s call these people what they are – cybercriminals. These people have always taken advantage of situations. Catching people when they are vulnerable is what they do. But, lately, these criminals have stooped to a lower level. As the world has become less stable, as the Covid outbreak has intensified and as people seek any form of reassurance they can get, cybercriminals have upped their clickbait game and are launching exactly the type of cyberattacks that will catch even the wariest people off guard.
How are they doing it? Clickbait. A catchy email, or even text message, saying just what you want to hear, so you’ll click on it. And that’s it. Sometimes that’s all it takes for these cybercriminals to infiltrate your system or gain direct access to your bank account.
So, today we want to take a deeper look at what clickbait is and how to spot it. This way, Somerbys IT can keep you as protected as possible during these uncertain times.
What is clickbait?
Clickbait has been around for a long time but it’s constantly evolving and becoming more intelligent, effective and harmful. Essentially, it’s an email or text message that entices you to click something (often a link or an attachment) that contains malware. The moment you do, you open your system to the hackers behind the scam, and they can access credentials, steal data or completely paralyse your system. Their aim? To get you to pay a ransom. Even before the Covid crisis, ransomware was a huge threat to businesses, as we spoke about in our blog from earlier in the year: Ransomware – the Biggest Cyber Threat of 2020.
In the past, these have been fairly simple to spot. An offshore prince saying he’d like your bank details to transfer some of his wealth to you, or a company promising to enlarge a certain part of your anatomy… but, these days, cybercriminals are much better at disguising themselves. Not only are they choosing topics you want to hear about, but they actually look like the companies they are impersonating.
Look at these examples:
The first one appears to be from the World Health Organization (WHO) and the second one from the official government website. But both are fake – and excellent examples of clickbait. These are the types of cyberattacks that are rife at the moment, and you have to be on full alert to spot them.
How to spot and avoid clickbait
Fear not, there are ways that you can spot and avoid clickbait. The National Cyber Security Centre website is a great place to read more about how to stay safe online, but here we want to give you some key things to look out for:
Hackers try to imitate addresses, so watch out for subtle differences and misspellings. In the WHO example above ‘@who-pc.com’ is used, but a quick look at their website tells you their email addresses end in ‘@who.int’. Adding an extra dot is a common tactic, for example changing @paypal.com to @pay.pal.com, or changing certain letters like ‘@government’ to ‘@governrnent’. Even if the sender name looks legitimate, hover your cursor over it to see the full email address.
Given that many scams originate from overseas, a badly worded email is a giveaway sign. While a spell check can catch most errors, it can’t catch all grammar mistakes. Look at the emails above and you’ll see what we mean. The GOV.UK one talks of a ‘precaution measure’ instead of a ‘precautionary measure’ and also that ‘the government established new tax refund programme’ when it should be ‘the government has established a new tax refund programme’. Also look out for impersonal greetings and bizarre sign-offs. The WHO email uses ‘Dear Sir/Madam’, which is far too formal; also, these days, most emails are personalised.
Suspicious attachments and links
Never open an attachment or click on a link unless you are 100% sure about who it has come from. This sounds obvious, but the targeted Covid scams we’re seeing are even fooling the experts. Links are often hidden by buttons to try to trick you – again, like with emails, hover over the button and you’ll see the link, and, if it looks suspicious, don’t click it.
Asking for personal or bank details
This should set off alarm bells straight away. Any company that legitimately needs these details will take you through a set of security questions; you will never be asked via email or text.
Question anything that gives you a short time limit or creates urgency. ‘Get this cure before they run out’, ‘Tax returns available in the next 24 hours only’, and ‘Government paying grants to the first 100 people to register’ are all strategies being used by cybercriminals right now.
If you do spot anything suspicious, then mark it as spam and delete it straight away. And, in the event that you do get caught out, we urge you to get in touch. Many hackers access your system and lie in wait for what can be months, collecting as much data as possible before compromising your system. The sooner we act, the less damage will be done.