With every large news event or natural disaster comes a barrage of scam emails and websites, with cybercriminals attempting to take advantage of interest in the situation. Hurricane Harvey, which damaged or destroyed more than 44,000 homes in Houston, TX, has sadly set off a spate of hackers attempting to profit from the disaster.
“Natural disasters are open season for cyber criminals intent on making a buck using time-tested and fraudulent means,” said Steve Durbin, managing director of the Information Security Forum. “Email infection, fake websites, and traditional phishing attacks are all to be expected.”
Security firm AppRiver discovered a scam email on Wednesday with links to a forged Red Cross donations site. Hackers are also using social media platforms in attempts to solicit charitable donations for flood victims, including creating fake Facebook and Twitter pages dedicated to victim relief containing links to spam websites or malware, as CNET reported.
Earlier this week, the US Computer Emergency Readiness Team (US-CERT) warned citizens to “remain vigilant” for cyber attacks seeking to capitalize on interest in Hurricane Harvey.
“Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source,” according to a US-CERT advisory. “Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.”
US-CERT offered the following recommendations for users to protect themselves from phishing scams and malware campaigns:
- Review the Federal Trade Commission’s information on Wise Giving in the Wake of Hurricane Harvey.
- Do not follow unsolicited web links in email messages.
- Use caution when opening email attachments. Refer to the US-CERT Tip Using Caution with Email Attachments for more information on safely handling email attachments.
- Keep antivirus and other computer software up-to-date.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
- Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index.
AppRiver cybersecurity analyst David Pickett also offered the following tips for safe online donating to hurricane victims:
- Navigate directly to the legitimate sites or charities you may consider donating to. Type in the address manually instead of clicking links.
- If you aren’t sure about a charity, research it first using a third-party watchdog (give.org, charitywatch.org, guidestar.org, or charitynavigator.org).
- Be extremely suspicious of any attachment or link you may receive via email. Contact the sender directly if there is any question.
- Utilize checks and credit cards for donations directly to the charity itself, not an individual, and avoid cash if possible. This creates a paper trail for tax deductions as well.
- Do not give out personal information such as driver’s license information, social security number, birth dates, mother’s maiden name, etc. This information is used by criminals for social engineering their way further into your accounts or ID theft.
“Think before you click,” Durbin said. “We all want to be sure that our donations actually go to the people and charities who need them. Just be sure you pay close attention to who you are donating to so that you don’t end up becoming another victim.”