Alert! Govt warns against large-scale phishing attack from today; may use 'COVID-19' as bait

The government has warned people about a suspicious phishing attack, which in the garb of revealing "official information on COVID-19" could steal all your personal data, including bank account and debit or credit card details. Such phishing attack will start from today, so people have been advised to be extra cautious before such emails. Malicious actors are planning a large-scale phishing attack against Indian individuals and business, including small, medium and large enterprises, the Indian Computer Emergency Response Team of the Ministry of Electronics and Information Technology has said.

The phishing the campaign is expected to use malicious emails under the pretext of local authorities in charge of dispensing government-funded COVID-19 support initiatives. "Such emails are designed to drive recipients towards fake websites where are deceived int downloading malicious files or entering personal and financial information," the ministry statement said.

The phishing campaign is designed to impersonate government agencies, department and trade associations who have been tasked to oversee the disbursement of the government financial aid programmes. "The malicious actors are claiming to have 2 million individuals or citizens email IDs and are planning to send emails with the subject" Free COVID-19 testing for all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad, inciting them to provide personal information," the government said.

Such emails could come from different fake email ids created by malicious actors impersonating various authorities. People could receive emails from ids such as "ncov2019@gov.in" and the attack, the campaign could start from today, June 21.

What you can do if you receive malicious email

• Don't open attachments in unsolicited emails, even if they come from people in your contact list and never click on a URL contained in an unsolicited email, even if the link seems benign. If it seems a genuine URL, close the email and go to the organisation's website directly through the browser and check if such information is given there.
• Leverage Pretty  Good Privacy in mail communications. Additionally, advise the users to encrypt or protect the sensitive documents stored on the internet-facing mechanics to avoid potential leakage.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e. the extension matches the file header).
• Beware about phishing domain, spelling errors in emails, websites and unfamiliar email senders.
• Check the integrity of URLs before providing logging credentials or clicking a link.
• Don't submit personal information to unknown and unfamiliar websites.
• Consider using safe browsing tools, filtering tools in your anti-virus, firewall and filtering services.
• update spam filters with latest spam mail contents.
• Any unusual activity or attack should be reported immediately at @cert-in.org.in