WASHINGTON — QUESTION:
Will public health agencies like the Centers for Disease Control and World Health Organization ever send you unsolicited emails asking for personal information?
ANSWER:
No. The Federal Trade Commission, World Health Organization, Maryland Attorney General Brian Frosh and Virginia Attorney Mark Herring are warning the public about phishing attempts by people pretending to be the CDC and WHO.
SOURCES:
World Health Organization: "Beware of criminals pretending to be WHO"
Federal Trade Organization: "Coronavirus: Scammers follow the headlines"
Attorney General Mark Herring: "Attorney General Herring urges Virginians to Be Way of Coronavirus Related Scams"
Attorney General Brian Frosh: "Attorney General Fosh Warns Marylanders About Coronavirus Disease 2019 Scams"
David Emm: Principal Security Researcher at Kaspersky
Sherrod Degrippo: Senior Director of Threat Research and Detection at Proof Point
Matt Lourens: Security Engineering Manager at Check Point
PROCESS:
Lots of people on social media are tweeting out screenshots of emails supposedly coming from public health agencies like the Centers for Disease Control and Prevention or the World Health Organization.
One person even tweeted out a screenshot of a fake CDC Paypal account.
So we're verifying, will these public health agencies really email you asking for your personal information?
Our Verify experts reached out to the World Health Organization, Federal Trade Commission, Maryland Attorney General Brian Frosh, Virginia General Attorney Mark Herring and cybersecurity agencies.
"Beware of criminals pretending to be WHO," the agency writes on its site.
WHO said it will never ask you to login to view safety information, never email attachments you didn't ask for, or ask you to donate directly to emergency response plans or funding appeals.
They're not the only health organization falling victim to a cyber attack. Both Herring and Frosh issued warnings to look out for anyone claiming to be from the CDC or "experts saying that they have information about the coronavirus."
"Scammers are taking advantage of people’s fear of getting sick from COVID-19. Consumers can avoid being cheated by understanding how these thieves are trying to steal their personal information and money," Frosh said.
The FTC said the emails may promote awareness and prevention tips, and fake information about cases in your neighborhood. They also said these phishing emails may ask you to donate to victims, offer advice on unproven treatments, or contain malicious email attachments.
Cybersecurity firms across the globe are on high alert tracking coronavirus-related phishing attempts and warning clients to be wary of unsolicited messages.
"We're seeing multiple campaigns a day now of this," Sherrod Degrippo, senior director of threat research and detection at Proof Point, said. "Sometimes two and three a day that are leveraging the coronavirus concerns to sort of scare people into clicking on something, opening it and installing malicious software onto their computers."
David Emm, principal security researcher at Kaspersky explained that hackers are evolving, and the onus is on the public to become smarter and better equipped.
"Look to see what the domain name is that the email has come from, does it really match the legitimate one?" Emm said. "It's always better if you intend to go to a website to go to the website by typing it in yourself..rather than just guessing."
Since January 2020, there's been 4,000 coronavirus-related domains registered globally, according to security software company Check Point.
Matt Lourens, a security engineering manager at Check Point, explained that about three percent of domains were found to be "malicious," meaning operating with the intent to steal money or data, and five percent were found to be "suspicious," which showed no clear purpose for existing.
"It's a massive amount, Lorens said. "We've already identified an excess of 400-500 that are absolutely malicious sites with the intent of creating chaos."
So we can Verify, no, the CDC and WHO are not emailing you, asking for personal information. Be wary of any info you get from an unsolicited email.