Cyber criminals are constantly evolving COVID-19 phishing scams to exploit what people are most concerned about right now.
Key points
- While every organization you've ever dealt with is emailing you about its coronavirus plans, email phishers are pushing billions of similar-looking emails into circulation.
- They exploit your users' feelings of fear and insecurity.
- Security professionals should advise their employees not to click on links in emails, and should send them clearly legitimate messages on a regular basis; the best way to do this is to have a single intranet page as the one source of company news on the coronavirus.
Whether the business is small or large, security professionals around the world should urgently warn their employees about the rapid increase in coronavirus-related email phishing scams and show them how to avoid infecting their networks.
Fortunately, employee awareness of phishing scams is increasing. But the novel coronavirus (also known as COVID-19) allows malicious actors to up the ante on phishing threats. There are three main reasons for this:
- COVID-19 email scams take advantage of the pervasive fear and anxiety about this new pandemic, playing on users' emotions and short-circuiting their common sense.
- Employees expect information from their companies, national and local governments, associations they belong to, and so on, so phishing attacks posing as these groups have an easier path to a click.
- Coronavirus email phishing scams are rapidly evolving in line with the latest news in the media.
Coronavirus email phishing attacks rely on fear & insecurity
Phishing scammers often take advantage of the latest news and jump on any new story as soon as it comes up. According to Dr. Kiri Addison, head of data science for threat intelligence and overwatch at Mimecast, however, coronavirus phishing emails are sticking with the pandemic story and evolving their tactics alongside it.
"We're seeing a steady stream of different email phishing attacks that are evolving as the coronavirus pandemic develops and responds," Addison said. "New email phishing scams fit what people are talking about and worrying about right now." Addison explained that the first phishing attacks posed as doctors and other specialists from Wuhan, China, and tricked users into clicking on a link to get the latest information on symptoms and treatments. "Then, when governments and other official organizations got involved, we saw imitations of these organizations offering government advice. And when companies started taking action and sending their employees home, we saw them posing as businesses and telling their employees, 'Click here to find out which offices are closed or what the latest guidelines are for working from home.'" Recently, phishing attacks have surfaced involving fake COVID-19 cures, she added.
Most coronavirus phishing emails have one of two goals: intercepting credentials to gain access to your system or network, or spreading malware to infect it. In both cases, the cyber criminals then work out how best to monetize the access they have gained.
Defending against phishing attacks is simple: DON'T CLICK!
"Because these attacks are the kind of information that people are waiting for and expecting, the likelihood of human error is higher," Addison said. "It's very important that companies make their employees aware of the latest scams that are trying to defraud them."
She also encourages companies to set up their own central intranet sites where employees can access up-to-date information. In this way, companies can encourage their employees to visit these key sites frequently "and simply tell them not to click on links in supposed company emails."
The advice "don't click" can be used as an effective defense against any email phishing scam. Even if an offer or information is tempting, people should be encouraged to pursue it another way: search the Internet, pick up the phone and call, etc.
The UK's National Cyber Security Centre (NCSC) provides further useful guidance, including how to spot and deal with suspected phishing emails.
What's next on the criminals' agenda with the coronavirus phishing scam?
Enterprise security professionals should expect cybercriminals to exploit the coronavirus pandemic for as long as possible.
While they will likely continue to deliver the same old types of malware and credential-stealing lures, they will likely change the themes of the email scams to stay in step with current messaging. "We're likely to see offerings that help people deal with isolation, as well as content that addresses the financial impact on people. That could mean posing as banks or mortgage companies," Addison predicted.
Overview of selected coronavirus email phishing scams
Based on information from Mimecast's Threat Intelligence team, as well as reputable sources on the Internet, here is a sampling of COVID-19-related email phishing scams:
- Take the test: several scams offer DIY coronavirus tests for home use, leading to fake testing websites that can intercept credit card information. The fake website in the accompanying image was discovered by Mimecast Threat Intelligence. Only one company has announced a serious home coronavirus test, due out next week.
- WHO calls: email scammers pose as the World Health Organization offering information on how to avoid infection. When you click through, you are asked for personal information.[i] There is only one official WHO site: who.int. WHO also has a page with information on how to protect yourself from scammers posing as the organization.
- Find out about the (fake) cure: the phishing scammers in the accompanying screenshot pose as a well-known online learning company offering a course to teach you all about the cure for COVID-19, but instead they collect your credentials (if you let them). The claim to be working with the WHO makes it sound even more legitimate.
- CDC scammers: it's unlikely the Centers for Disease Control and Prevention is sending individuals emails with offers of any kind. But the real CDC coronavirus website is a valuable source of extremely important information.
- Free Cell Phones: This is a text message scam, not an email scam. Forbes reports that a congresswoman received an alleged offer for a free iPhone 11s from Apple "so you can spend more time at home." [ii] Apple is not giving away free phones.
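The "don't click, verify through the official source" advice above, and the impersonated organizations in this list, can be turned into a first-pass triage check that a security team runs over reported messages before anyone opens a link. The following is an added example, not code from the original article or from Mimecast. It flags a message that claims to speak for the WHO or CDC but is sent from, or links to, a domain other than the organization's official one (who.int is given in the article; cdc.gov is the CDC's real domain), and separately flags a pandemic lure combined with a "click here / log in / confirm" request and a link. The sample emails are constructed for this example and use reserved .example domains.

```python
"""Triage check for suspected coronavirus-themed phishing emails (added
example, not from the original article). Flags messages whose claimed
organisation does not match the sending or linked domain, and messages
that pair a pandemic lure with a click/log-in request."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Organisations the article lists as impersonated, mapped to their official
# domain. Acronyms are matched case-sensitively so the English word "who"
# in ordinary text is not mistaken for the World Health Organization.
ORG_PATTERNS = [
    (re.compile(r"\bworld health organi[sz]ation\b", re.I), "who.int"),
    (re.compile(r"\bWHO\b"), "who.int"),
    (re.compile(r"\bcenters for disease control\b", re.I), "cdc.gov"),
    (re.compile(r"\bCDC\b"), "cdc.gov"),
]
LURE_RE = re.compile(r"\b(covid[- ]?19|coronavirus|pandemic|cure|home test)\b", re.I)
ACTION_RE = re.compile(r"\b(click here|log ?in|sign in|verify|confirm your)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host):
    """Last two DNS labels of a host name (www.who.int -> who.int). A crude
    stand-in for the public suffix list, sufficient for the samples here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Domain of the address in the From: header, or '' if none is found."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return registrable_domain(match.group(1)) if match else ""


def body_text(msg):
    """Concatenated text/plain parts of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def claimed_organisations(text):
    """Official domains of every organisation the text claims to speak for."""
    return {domain for pattern, domain in ORG_PATTERNS if pattern.search(text)}


def triage(raw_message):
    """Return a verdict dict for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body_text(msg)])
    claimed = claimed_organisations(text)
    sender = sender_domain(msg)
    links = {registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(text)}
    reasons = []
    if claimed and sender not in claimed:
        reasons.append(f"claims {sorted(claimed)} but was sent from {sender or 'unknown'}")
    off_brand = sorted(d for d in links if claimed and d not in claimed)
    if off_brand:
        reasons.append(f"links lead outside the claimed organisation: {off_brand}")
    if links and LURE_RE.search(text) and ACTION_RE.search(text):
        reasons.append("pandemic lure combined with a click/log-in request and a link")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "sender_domain": sender, "link_domains": sorted(links)}


# Constructed samples (not real messages). The first mimics the WHO lure the
# article describes; the other two are benign notices.
PHISH = """From: WHO Health Alert <alerts@who-int-safety.example>
Subject: COVID-19: important safety measures
Content-Type: text/plain

The World Health Organization has published new coronavirus guidance.
Click here to confirm your details and read the document:
http://who-int-safety.example/account
"""

INTRANET_NOTICE = """From: IT Communications <it-comms@corp.example>
Subject: Coronavirus: office closures and home-working guidance
Content-Type: text/plain

The latest guidance is on the intranet news page. We will not send links
by email; open the intranet from your bookmark as usual.
"""

OFFICIAL_WHO = """From: WHO Media <media@who.int>
Subject: Updated coronavirus advice for the public
Content-Type: text/plain

The World Health Organization has updated its advice for the public at
https://www.who.int/emergencies. We never ask for personal details by email.
"""

if __name__ == "__main__":
    for name, sample in [("phish", PHISH), ("intranet", INTRANET_NOTICE), ("who", OFFICIAL_WHO)]:
        print(name, triage(sample))
```

The intranet notice is deliberately link-free, matching the article's suggestion that company updates live on one intranet page employees reach from a bookmark rather than from an email link; the check therefore never fires on it. A message from the real who.int domain that links only to who.int also passes, while the lookalike sender is flagged on all three counts. This is a triage aid for a reviewer, not a blocking filter: the domain list is tiny and the keyword rules are easy to evade, so it complements, rather than replaces, mail-gateway controls and user reporting.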