Cyber-criminals are exploiting Coronavirus and COVID-19 for phishing and scam emails across the world. The Information Security and Compliance team have put together some top tips to help staff.

Emails about Coronavirus or Covid-19
It is not surprising that the majority of phish, smish and scam emails across the world are now using Coronavirus and COVID-19 to catch your eye and spark your curiosity. They are deliberately playing on our interest in the topic, our emotional response to it and the fact that most people are feeling distracted by it.

What is a phish email?
A phish email is a fraudulent message claiming to be from a reputable source and encouraging you either to give away personal information, usually your username and password and/or personal financial details (usually bank account details) or to download an attachment.

Why do would a cyber-criminal want to have access to your laptop or data?
You might think that the data on your laptop or desktop won’t be interesting to a cyber-criminal – and you might be right. But if you engage with a phish email (ie enter your password or download an attachment), you’re giving them access not only to the data on your device but also to any other University system which you have access to, particularly those which you access with your username and password.

Once they have that access, they can trawl through your data (eg. to steal it), change your password (eg to require a ransom to give you access again) or to download some malware (eg a virus) into it. Alternatively, if you download an attachment, it is likely to be used to infect your device with a virus or other malware which may spread through your email contacts etc.

None of these will be a good experience for you.

How to spot a phish email
Be particularly careful with any email which mentions Coronavirus or Covid-19 in the subject line. It will probably look official. Always look out for the following:

• Are you expecting the email? If not, be very cautious.
• Does the email start with a generic opening such as “Dear Valued Customer”? If so, be very cautious.
• Look for spelling and grammatical mistakes.
• Does it ask for personal information such as your PIN, password or bank details? Does it ask you to download something? Be wary of either of these.
• Is it offering refunds for events, flights etc cancelled because of the virus? Be wary – and don’t enter your bank details.
• Look at the sender’s domain name, ie the last bit of the email address
  • something like enquiries@homeoffice.gov.ukis likely to be trustworthy but UKhomeoffice@gmail.com is certainly not.
• If there’s a link, hover over it and check it is genuine.
  • You could do a separate web search of the company it claims to be from and compare the urls
  • Look at the domain name: co.ukor gov.co.uk/login would be trustworthy whereas login-at-gov.co.uk would not.
• If you have any doubt whether it is genuine, don’t click on the link or download anything but contact the IT ServiceDesk. 

What is a smish?
A smish is the same concept as a phish email but using a text or SMS message to your mobile. Follow these tips to check one:

• As with a phish – are you expecting a text from this person or company?
• A message from an official body will appear as being sent by ‘UK_Gov’ or ‘NHSNOREPLY’. A smish will usually just have a number.
• As with a phish, look for spelling and grammatical mistakes, and do a separate web search to check the url.
• The UK Government has said it will not send a fine via text or SMS for leaving your home during lockdown – nor will it ask you pay a bill.

There is more guidance and advice on the Sharepoint site.

Handling Personal Data While Working Remotely?
We’re also very aware that many members of staff will be handling personal data while working remotely.

At the University, we routinely handle the personal data of our staff, our students and our research participants. Personal data is a piece of information you could use to identify someone.

With personal data, less is more: less data in a data breach, and less data to be hacked. This is especially true when you’re working remotely, when you might easily be distracted, and particularly if you’re working on a laptop or desktop not owned by the University.

While working at home or remotely and when handling personal data, it’s important to remember the following:

• You are responsible for keeping the data safe and secure, make sure you’re following the correct process even when you’re working at home, and if in doubt, ask your line manager.
• Only hold the minimum data you need.
• You must be able to justify all your actions regarding personal data.
• Save your files on approved UON storage locations, never save sensitive or personal data from the University on your own personal computer.
• If you’re accessing O365 from your personal computer, keep your work inside O365, rather than copying it locally to your personal computer.
• If you’re handling hard copies of personal data at home, keep it away from family members and store it securely overnight, eg in a holdall or backpack which is zipped shut or locked.
• If you’re away from your personal computer, lock the screen; this will reduce exposure of our information. You can set it to be automatic.
• To report a data breach, use the form here.

There is more guidance and advice on the Sharepoint site.