How can you stay safe online during a global crisis?

guide

Publish date17 Mar 2022
Update date:19 Apr 2024

The effects of the COVID-19 pandemic and the shock of the invasion of Ukraine has meant that our desire for news and information has become the perfect opportunity for criminals to dupe more victims. Scammers have been actively contacting citizens via calls, text messages or social media platforms to offer high-demand products and services that are actually fraudulent. They will even trick you into donating to fake charities, when in fact your money is going straight into the criminal’s pocket.

If you think that you have provided your account details to a scammer, contact your bank immediately. Always report any suspected fraud attempt to your local or national police, even if you did not fall victim to the scam.

Fake News Phishing and smishing Spear phishing Bogus websites Fake apps Fake investment opportunities Money muling

Fake news

Fake news is very dangerous and only gains traction if the public shares it through social media.

Spreading misinformation can start:

from individuals, such as criminals, seeking to profit from the crisis;
from states and state-backed actors seeking to advance geopolitical interests;
from opportunists looking to discredit official sources.

What can you do?

Establish whether you have indeed come across fake information. Beware of clickbait headlines, questionable websites and misleading photos. If you are unsure, go to reputable websites and double-check the information.
If you have come across fake information, do not engage with it. Do not comment and do not share further. Doing so would just help make the post more popular.
If it was shared on social media, report the post to the platform. If you know the person who shared the fake news, send them a private message and tell them that the information they posted is likely to be false. Send them these tips so they understand the risks.
Contribute to sharing official information. Share updates from trustworthy, official websites that report on the crisis.
Be mindful – fake news will often tell you what you want to hear with clickbait headlines.
Look around – is the website trustworthy? Check the website’s about page, mission and contact info.
Check the sources – is any other news source reporting on the same thing? How many sources does the story quote?
Photo search – is the news you are reading accompanied by a photo that strikes you as out of context? Run an online search, it might be your clue towards figuring out that this is an example of misinformation.
Check the date – some news outlets re-publish old posts or promote old news as current stories. Check the publication date of the article and check if the timeline it refers to makes sense.
Turn to the experts – go to reputable websites. Is the information also available there?
Beware of deepfakes – this technology can produce videos or audio clips of a public figure saying or doing something that never happened in real life.

Phishing and smishing

Phishing refers to fraudulent emails coming from criminals posing as legitimate senders that trick the receivers into taking an action or sharing their personal, financial or security information. Smishing (a combination of the words SMS and phishing) is the attempt by fraudsters to acquire the same information via cell phone text message.

The messages usually:

look identical to messages from a reputable organisation (such as a charity, medical or governmental institution) or service provider;
sound urgent;
claim to enclose important or breaking news;
ask you to take action, such as clicking attachments and links or confirming your login credentials.

You may also be contacted by a fraudster pretending to be:

a family member or a friend, claiming to need money for some reason connected to the crisis. Criminals may be capable of manipulating real pictures of your loved ones to give fake authenticity to their story.
a very wealthy person affected by the crisis who needs to move their money, with your help.

If you receive such messages, always report them as spam and don’t reply.

What happens if I click something?

If you open the attachment and/or click on the link, your system is likely to get infected with malware.
If you enter login credentials to access information, criminals will have access to those credentials.
If you are asked to provide your bank details and you do, criminals will gain access to your finances.

Use antivirus software on all your electronic devices.
Ensure that your security software and operating systems are up-to-date.
Set up unique passwords for all your online accounts.
Think twice before clicking on any links and attachments as criminals could be trying to phish or smish you. If you’re in doubt, don’t click links, open attachments or reply and certainly don’t give out any financial information.
Always access your online banking directly through their official webpage or app, never clicking on a link or via third parties apps.
Check your financial accounts regularly for any suspicious activity or unauthorised charges. You can set up alerts and certain security measures that will notify you when transactions are made, preventing unexpected access and money transfers. Liaise with your bank to set up those measures.

Spear phishing

Spear phishing is designed to specifically target an individual, an organisation or a company with the goal of stealing data for malicious purposes and possibly installing malware to gain further access to the corporate network.

This type of phishing is very customised towards the intended victims, making them more difficult to detect. They can have serious consequences for companies, governments and citizens.

As a business:

Ensure that employees are informed and aware of this type of scam and how to avoid it.
Establish clear (cyber)security protocols, follow best practices on email services (SPF, DKIM, DMARC, email warning banners, etc.) and keep your network systems and devices up to date.
Review information posted on your company website, in particular contracts and suppliers. Strongly advise your staff to limit what they share about the company and workplace on their personal social media accounts.
Always contact your local or national police in case of phishing attempts, even if you did not fall victim to the scam.

As an employee:

Always stay alert, especially during times of a global crisis.
Never open suspicious links or attachments received by email. Be particularly careful when checking your private email on the company’s computers.
Always check email addresses carefully when dealing with sensitive information/money transfers.
Avoid sharing information on your company’s hierarchy, security or procedures.
Restrict information that you share about you and your employer on social media.
Report the phishing attempts to your security team or relevant department.

Bogus websites

Websites with fake news about the crisis or posing as charities through fake aid campaigns can easily be shared on social media.

These bogus websites can do more than just spread misinformation. By asking you to create an account or log in, they gain access to your personal information and can even infect your device with malware.

How can I recognise fake websites?

Fake websites will often include text that suggests a sense of urgency.
They can use a similar theme, making emotional yet fake appeals for solidarity.
They are very vague about how the contributions will be used, and it’s also unclear which legitimate organisation they represent.
They may ask for the donation to be made in a cryptocurrency format.
They could be poorly designed, or only have one well-designed page.
Pop-up windows are commonly used to gather your information.

Don’t trust information that does not come from official sources (e.g. local or national government, official entities).
If a website asks you to fill in your personal or financial information (either through pop-up windows or a login form), think twice before doing so.
Configure your browser to block pop-up windows.
Specifically, when it comes to charities:
- Research thoroughly before donating. If possible, stick to organisations that have a history of work in the field.
- Don’t rely on links you received from someone or from social media. Instead, navigate to the official website yourself, paying special attention to the full address (URL) displayed on your browser.
- Don’t give in to undue pressure. Fraudsters will attempt to use the severity of the situation to rush you into donating.

Fake apps

Criminals identify opportunities to launch new apps claiming to provide exactly the information or the service that the public is eager to get.

What are the risks?

If you download a fake app, you can infect your devices with mobile malware.
The malware might infect your device and could take control over your files or even lock the entire device. This is called ransomware.

Stick to already existing apps provided by official entities you can trust.
Always check what permissions an app requires.
Research the app and its publishers carefully before downloading and check user reviews.
If your device is infected with ransomware, do not pay the ransom. A free decryptor may be available on No More Ransom – a Europol-backed project.

Fake investment opportunities

Investors need to be wary of crisis-related investment scams, such as promotions that falsely present the perfect moment to invest in certain products, services or crypto assets.

Reject cold calls related to investment opportunities. Ignore investment ads and offers received by email or social media.
Be suspicious of offers promising a safe investment, guaranteed returns and large profits.
Always get impartial financial advice before you hand over any money or make an investment.
Beware of future scams. If you have already invested in a scam, fraudsters are likely to target you again or sell your details to other criminals.

Money muling

A money mule is a person who transfers money (digitally or in cash) received from a third party to another one, obtaining a commission for it. It is a type of money laundering, and consequences are severe.

Criminals can use global crises to recruit money mules. They create organisations and NGOs to lure online workers through fake job advertisements. For example, new recruits can be requested to process ‘donations’ to fight the crisis at hand, pay the money into their bank accounts, and send it on, keeping a commission for themselves.

Research any company or person that offers you a job. Double-check that the website of the organisation is legitimate.
Never provide your bank account to anyone unless you know and trust them.
Decline any easy money offers. A reputable organisation will never ask you to pay money into your own bank account. If it sounds too good to be true, it probably is.

Advise for businesses and public organisations

Raise staff awareness with regards to corporate (cyber)security rules - i.e. phishing, social engineering, use of corporate devices, safe teleworking, etc.
Perform an audit of your network infrastructure. Ensure that only necessary ports are left open and try to reduce or eliminate your shadow IT exposure.
Increase your security monitoring. Actively check unusual remote user activity and increase your alert levels for VPN-related attacks.
Look for misconfigurations or outdated software to avoid critical and/or weaponised vulnerabilities. Check your internal systems and all corporate devices. Ensure that the latest security patches are installed and that all the devices are under strict business-supervised security policies.
Secure remote access to your IT systems. Only allow your employees to connect to the corporate network through corporate devices and a company-provided VPN with multi-factor authentication. Ensure that remote sessions automatically time out and require re-authentication after a specified period of inactivity. If possible, consider restricting the use of remote desktop connections that are not absolutely necessary.
Make sure that all endpoint protection clients are up and running with the latest updates.