Whenever there’s a big event with widespread awareness and human impact, it’s inevitable that online criminals will follow. It happens like clockwork after natural disasters and other calamities, and the COVID-19/coronavirus pandemic is no exception. What’s different is that the pandemic’s reach is so universal, and all of us are profoundly impacted in so many different ways. That provides multiple openings for opportunistic criminals.
When we are fearful, crave information, seek resources or are moved to help others, those are the emotions and motivations that criminals prey on. That’s when we’re most vulnerable and most likely to let our guard down. The pandemic brings in a host of other factors as well: Many are working from home, outside the protection of corporate firewalls. We are relying on email for communications that would otherwise be handled in-person. And most of us are dealing with multiple distractions, which means we may not be as alert as we should be.
In this time of uncertainty, it’s no wonder criminals are pouncing.
COVID-19 Phishing by the Numbers
Between January and March, Barracuda Networks reported that phishing emails spiked by over 600% as the pandemic spread. During one week in early April, Google reported that each day, its Gmail service blocked 18 million malware and phishing emails related to COVID-19—roughly one in every six phishing emails blocked. Since the pandemic was declared by the World Health Organization, thousands of domain names related to COVID-19 or coronavirus were registered, presumably to give the criminals’ lures an air of legitimacy. More recently, Google announced that more than a dozen hacking groups sponsored by foreign governments have been spreading pandemic-related emails to send phishing scams and plant malware.
Multiple Angles of Attack
Whatever form they take, the end goals of phishing attacks have always been the same. They aim to infect the user’s device with ransomware or other malware, steal log-in credentials, or steal money through fake charitable websites or other ruses. The COVID-19/coronavirus pandemic provides plenty of lures to use as bait. Here are some of the schemes that have been reported.
- Messages that attempt to initiate funds transfers by masquerading as a co-worker or third-party firm the company normally does business with. Oftentimes the request will be COVID-19 related, such as funds to pay for personal protective equipment, or a request for payment by electronic funds transfer due to the unusual circumstances of the pandemic.
- Invitations to online meetings that instead point to websites laden with malware.
- Emails that falsely identify themselves as coming from authoritative organizations such as the UN World Health Organization (WHO) or the U.S. Centers for Disease Control and Prevention (CDC).
- Promises of coronavirus cures or test kits, offers or communications about hard-to-find protective equipment, or messages that solicit donations to prevent the virus or support victims.
- Emails directing employees to perform payroll or other human resources functions due to the change of working from home.
- Offers of work-from-home opportunities, or free meals from well-known restaurant chains for government or essential workers.
- Ruses related to stimulus payments, loans or other financial relief, purportedly from government organizations or other “official” programs.
- Messages that convey late-breaking or alarming news, often localized to convey maximum urgency.
- Documents that promise information, or “infection trackers” and other apps that plant ransomware or other malware.
Practical Prevention Tips
Countermeasures such as email filtering can help, but the best protection against phishing attacks is personal awareness and vigilance. Here are a few tips from our security analysts.
- If you receive an email from someone you know asking for sensitive information, or especially anything of a financial nature, reach out to them via a separate channel, such as a voice call or text message, to verify that they actually sent it.
- If there’s a link in the email, hover over the link. Most email software will show you where the link actually points (often in the bottom left corner of the email window).
- You can also copy the link and paste it into the URL search field at virustotal.com. This free online resource will run the content on the linked page against 50 different virus scanners. The same service can be used to check email attachments for malware.
- Be on the alert for grammatical or spelling errors, and for generic salutations such as “Dear bank user” or “Dear employee” (even if the message names your company) or other general-purpose greetings.
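As an added example that is not part of the original post, the following Python script automates two of the checks above over a constructed HTML message: it compares the domain shown in a link’s text with the domain the link actually points to (the “hover” check) and flags generic salutations. The sample message and the example.net/example.com hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body imitating a WHO-themed lure (not a real message).
SAMPLE_HTML = """<html><body>
<p>Dear employee,</p>
<p>Urgent COVID-19 guidance for your region is available at
<a href="http://secure-update.example.net/who/login">https://www.who.int</a>.</p>
<p>Team call: <a href="https://meetings.example.com/j/4821">Join meeting</a></p>
</body></html>"""

GENERIC_GREETINGS = ("dear employee", "dear bank user", "dear customer", "dear user")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: the href is what a hover preview reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare domain; None when the text is not URL-like."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host if host and "." in host else None

def find_phishing_indicators(html):
    """Findings: links whose displayed domain differs from the real target, and generic salutations."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    findings += [f"generic salutation: {g}" for g in GENERIC_GREETINGS if g in plain]
    return findings
```

Links whose visible text is a plain label (“Join meeting”) are not flagged, since there is no displayed domain to contradict; such links still deserve the manual hover check described above.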
Phishing Tests: A Proactive Defense
Phishing tests are a great way not only to test the knowledge of your users, but also to let them learn from their mistakes. It’s far better to fail a simulated phishing campaign and gain knowledge from the experience than to fall for the real thing and suffer real damage.
At SOCBOX, we’re conducting COVID-related phishing tests for our clients, using many of the angles of attack that criminals are currently employing. They can include spear-phishing or whaling attacks aimed at specific employees or company roles. Normally these packages are an add-on to our standard services, typically conducted annually or quarterly, but we can also provide them as a standalone service. If you’d like to know more, contact us or call 877-284-7789.