Fighting Coronavirus Phishing Scams

Hilary Tuttle


May 1, 2020

Around the world, people are dealing with an endless volume of new information about the coronavirus outbreak. They are distracted, stressed and concerned about the well-being of family and friends, and many are making the disorienting shift to working remotely, some increasing the use of personal devices to do so. This can all leave employees more susceptible to online schemes, and there is no dearth of attempts to take advantage. Indeed, as of April 1, email security firm Proofpoint reported that 80% of the emails they were intercepting had something to do with the coronavirus outbreak, a level the company’s researchers called “unprecedented.”

Some of these phishing emails take advantage of employees working from home to launch credential-stealing attacks. “We see that threat actors are keeping up with the daily developments concerning the coronavirus,” reported the threat intelligence team at email security firm Mimecast. “As the pandemic continues to spread and more and more people are made to work from home, we are seeing more phishing emails that are trying to trick users into giving their credentials through a faked login page. Threat actors are actively utilizing this pandemic to attempt to compromise individuals’ accounts and organizations’ networks. The potential for human error will inevitably increase in the coming weeks and we expect to see more of these phishing attempts.”

Other phishing scams purport to be news from government authorities or public health organizations, directing recipients to click malicious links for updates on the spread of the COVID-19 pandemic, new containment measures or local advisories. In February, the World Health Organization warned that some criminals were spoofing WHO officials to send fraudulent emails, and Kaspersky Labs reportedly found emails spoofing the CDC that asked for bitcoin donations to help fund a coronavirus vaccine. Other email scams spread malicious attachments, claiming to offer coronavirus protection tips or maps of the outbreak but actually containing malware.

At the end of March, Mimecast reported detecting three million COVID-19 emails a day, the vast majority of which were believed to be malicious. Among the phishing campaigns targeting consumers, the firm found new approaches including many “taking advantage of their fears and curiosity as they head to the web for quick answers about cures, quarantine practices, economic changes and where toilet paper is still in-stock.” Indeed, with people observing stay-at-home orders and panic-buying making some critical supplies hard to find, cybercriminals have even created websites impersonating big-box retailers like Costco and Walmart to target people searching online for essentials.

“It is vital that individuals are aware of the widespread attempts at fraud that are inevitably exploding at this time due to the fear and uncertainty around the coronavirus,” said Carl Wearn, Mimecast’s head of e-crime. “One key focus of this is the widespread spoofing, copying and setting up of apparently legitimate websites that appear to offer a cure to the virus, and a range of equipment such as masks and testing kits. Criminals are aware that this unique situation is prompting people to search for these items and that people will also likely pay a premium for them. This is ripe for criminals to take advantage of, and they are. There are literally thousands of domains active to take advantage of this right now.”

Wearn advised, “Please ensure you use only known, reputable suppliers for any of these items, should you want them. It is almost certain that any purchase from the array of criminal sites set up to take advantage of this human suffering will merely lead to the significant loss of funds, and even if equipment is provided, it is likely to be counterfeit and ineffective.”

In regular bulletins, the Federal Trade Commission has reported massive surges in consumer complaints about scams related to COVID-19, totaling more than 10,000 fraud cases by mid-April. Unfortunately, these scams have proven successful: As of April 14, U.S. consumers had lost over $13.4 million in reported incidents alone, with a median loss of $558 per incident. The top categories of coronavirus-related complaints included “travel- and vacation-related reports about cancellations and refunds, reports about problems with online shopping, mobile texting scams, and government and business imposter scams.”

Based on the tactics used thus far, the FTC advised consumers to only click on links from sources they know, visit the CDC and WHO websites directly for the most up-to-date information, and be alert for fraudulent online offers for non-existent treatments and vaccinations, phony charitable donation campaigns, or “investment opportunities” from companies purporting to offer coronavirus products and services.

Other scammers are using coronavirus-related financial relief measures as lures. With governments like the United States, Canada, Australia and the United Kingdom exploring options like issuing direct stimulus payments to residents or extending tax filing deadlines, criminals have a new set of compelling pretenses for contacting victims to request sensitive data like Social Security numbers, bank account information and credit card data.

Many financial institutions are also implementing measures to help clients impacted by the coronavirus, leading some criminals to impersonate banks and credit card companies. Cybersecurity analysts report seeing such emails claiming to offer waived late fees and, in some cases, even a cash credit for the account holder. The links in these messages direct recipients to spoofed credit card login pages that attempt to steal information including user ID, password, email and credit card number. Such scams are likely to increase in the coming months as the U.S. government and others start disbursing funds.

Anticipating a continued increase in coronavirus payment fraud attempts, Proofpoint offered six tips to avoid becoming a victim:

1. Be aware that you are at risk. Knowing that attackers are ready to trick you out of your money can help you take an appropriately skeptical stance with regard to information you may see or hear. You can also warn others of the potential danger.

2. Be wary of any communications you receive that promise stimulus payments. To date, the U.S. government has never used email to collect information for payment programs of this type. The U.S. Postal Service is used to both distribute and collect information. This means that any email or other digital communication you may receive that asks for stimulus information is almost certainly a fraud.

3. Do not provide personal information in response to any online requests and avoid clicking on email links. If you have any questions regarding payments, go directly to authorized institutions.

4. Create unique usernames and passwords for each account. If your username and/or password is stolen, you can reduce your risk of extensive compromise by using different credentials across multiple accounts. These accounts can include your email, financial/banking websites, work and streaming services.

5. Verify websites are legitimate. If you are visiting a website, you can verify the site is safe by clicking the padlock image on the left of the browser address. Be sure to check that the name of the server matches your desired destination.

6. Avoid disinformation by using multiple sources. Get information from reputable news sources and double-check any reports with another reputable news source. In particular, be wary of information that friends send you or post on social media. These messages could be spam that they did not actually send or simply misinformation.
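The server-name check in tip 5, written out as an added example (not part of the article or of Proofpoint's guidance): it compares the host a link really points to against the sites the reader meant to visit, which is what separates a genuine address from a lookalike that merely contains a trusted name. The trusted list, the function name `check_link` and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites the reader actually means to visit (the CDC and WHO,
# which the article says to go to directly).
TRUSTED_DOMAINS = ("cdc.gov", "who.int")

def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason): does this link's server name match a trusted site?"""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if parts.username is not None:
        # "https://www.cdc.gov@other.example/": the text before "@" is a
        # login name, not the server the browser connects to.
        return False, "text before '@' is not the server name"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False, "no server name"
    for domain in trusted:
        # Exact match or a true subdomain; the leading dot stops
        # "notcdc.gov" from passing as "cdc.gov".
        if host == domain or host.endswith("." + domain):
            return True, f"{host} belongs to {domain}"
    for domain in trusted:
        if domain in host or domain.replace(".", "-") in host:
            return False, f"{host} only contains the text {domain}"
    return False, f"{host} is not a trusted destination"

# Constructed sample links (.example is a reserved test domain).
SAMPLES = [
    "https://www.cdc.gov/coronavirus/",
    "https://WWW.WHO.INT./emergencies",
    "https://www.cdc.gov.covid-updates.example/login",
    "https://www.cdc.gov@covid-updates.example/",
    "https://who-int.example/donate",
    "http://www.cdc.gov/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```

The padlock only shows that the connection is encrypted to whatever server was named; the name comparison is what tells a reader whether that server is the intended one.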

Employers should also remind employees of cybersecurity best practices to protect themselves and the organization. For example, the fact that employees are working from home should not change protocols for requests via email, particularly any involving money transfers. It is more important than ever for employees to slow down, review messages in detail, and pick up the phone to verify authenticity (using a phone number that can also be verified beyond the email in question). Enterprises should also consider creating go-to destinations for employees to get the latest updates from their employer; information on any company policy changes and closures; official contact information for colleagues and supervisors; and links to reputable and objective sources for public safety, quarantine and medical guidance, such as the CDC, WHO, National Institutes of Health, and local government authorities.

During the pandemic and beyond, remind employees that they should always be wary of a message if it: plays on fear or urgency; includes spelling, grammar or formatting errors; asks for personal information, login credentials or financial details; encourages clicking on a link or opening a suspicious attachment; uses an unfamiliar, incorrect or vague greeting; or originates from a suspicious or abnormal email address.

Hilary Tuttle is managing editor of Risk Management.