It didn’t take long. The scammers have adapted their phishing and spear-phishing tactics to exploit the global corona virus pandemic.

According to the Wall Street Journal, here’s what to watch for:

Email doctored to look like a company’s purchase order for face masks or other supplies could trick an employee into wiring payments to a fraudulent account[…]. Individuals could provide personal details in response to a phishing attempt that promises information about a company’s remote-work plan.

The current state of confusion, and the lack of any coherent federal plan only exacerbate the risk that a well-meaning and worried employee will click something in an email without realizing the consequences.

What should you, as a business owner, do?

Reassure your employees that skepticism is prudence.

Here’s a handy checklist for empowering employees to be more phish-proof:

  • government agencies — especially with emergencies like pandemics, hurricanes, fires or floods, chances are good that an alphabet soup mix of city, county, state and federal agencies are involved. Governments issue press releases and agency heads do news interviews — they don’t mass email companies with a vague message that tells little more than “see attached” or “click here for important information”. And they certainly never start a criminal investigation by emailing.
  • hover — if there’s a link to click, first hover over the link to see where a click will actually take you. If you can’t tell if it’s safe or not, the safest course of action is to simply manually type the desired website URL into the browser yourself rather than using the link in the email.
  • grammar and spelling — read through the sender’s name@domain slowly and carefully. Chances are, your employees don’t normally get letigimate emails from presnident@yuorcopmanyname.com, right? Same goes for the grammar, tone and spelling in the body of the message itself.
  • urgency and threats — if the subject line is alarming (“account denied”, “shipment missing”, “final notice”), pick up the phone and call the sender. And call that company’s rep using the number you’ve already stored in your contacts list, not the number in the email.
  • lacking personalization — yes, humans can be hard to find sometimes. But a real executive, customer or vendor with a real problem isn’t going to email you as “dearest friend”.
  • attachments — most modern cyber-security systems should be able to scrub for infected attachments, but the crooks are always innovating. Pause before you rush to open that attachment. If all you normally get from FedEx is an email with your tracking number, why would the real FedEx suddenly be sending you an attachment that is supposedly your shipper?