COVID-19 Scams: Phishing in a Pandemic

The sad fact of the matter is that when there is a crisis, cybercriminals will follow to exploit those that are in a panic. We saw this locally with the bushfires at the start of 2020 and we’re now seeing it on a global scale as a result of the COVID-19 pandemic. For the Australian public, Scamwatch has reported a loss of over $700,000 so far from COVID-19 related email scams since the start of the pandemic.

These types of events breed fear and anxiety amongst the general public and businesses, which is what attackers will prey on the most. Fear and anxiety can negatively impact rational decision making in a big way. During these crises, these scams against vulnerable targets can increase by up to 96%.(1) In this blog I wanted to share with you some of the types of COVID-19 related email attacks we’ve seen across the industry, from a business and consumer perspective and some of the steps you can take to protect your organisation from falling victim.

Business Email Compromise (BEC)
For many businesses at this time, good cash-flow is key, and criminals will leverage human’s inherent good nature to help out their suppliers and third parties by paying promptly when they can. There has been a significant uptake in cybercriminals spoofing third parties, providing fraudulent bank details and citing cash flow as a reason for urgent requests.(2)

It isn’t new for attackers to spoof enterprise brands such as Microsoft or Google, but during this time cybercriminals have pivoted the messaging and social engineering used in these attacks. Spinning up fraudulent Microsoft sites and requesting end-users provide their credentials as part of “remote working enrolment” or a mandatory COVID-19 policy update they are required to access and read via their One Drive.(3)

On an individual level, cybercriminals have been spoofing senior executives within organisations, making fraudulent requests to team members in departments such as Accounts or HR. Exploiting the fact that the vast majority of end-users aren’t in the office and therefore unable to corroborate a request. Additionally, preying on employees that may be feeling insecure within their job during this time and so are trying to ensure they are doing everything that is asked of them in a timely manner.(4)

Government Scams
There has been an influx of phishing and smishing campaigns, spoofing Australian government services. The most reported including; fake text messages purporting to be the Department of Human Services and pretending to provide links to Government advice on the pandemic – leading the user to a fraudulent site to steal credentials. Also increased impersonation of the Australian Taxation Office, sending phishing campaigns with fake subsidy or tax refund notifications.(2)

There have also been various campaigns where cybercriminals have purported to be the World Health Organisation (WHO). In these cases, the attackers are claiming to provide updates on restrictions or testing, via malicious attachments or links that will then install malware and steal sensitive information.(5)

Superannuations & Banks
As many individuals who have suffered a loss of income attempt to take advantage of the early access the Government has provided to superannuations, cybercriminals have begun targeting individuals for this. Sending fake emails informing people that they are able to assist them in accessing their superannuations, either charging them a fee for this service or requesting their personal information and then stealing the superannuation funds for themselves.(2)

Similarly, many banks across Australia are advising their customers to be vigilant during this time. With phone, email and text messages all being used to execute brand spoofing. These fraudulent sites are requesting individuals to “confirm your credentials” which are then being used by the fraudsters for their gain.

Fake Online Stores & Puppy Scams
With the panic buying of toilet paper, hand sanitiser and face masks, cybercriminals moved to cash in on unsuspecting individuals. Creating fake online stores that offer these supplies, and sometimes even a vaccine to the virus, which unfortunately individuals have fallen for.

And a stranger one I know, but the ACCC has also reported a number of puppy purchasing scams as a result of the pandemic. As more people have moved to work from home, there’s been an increase in individuals wanting to purchase canine companions, which cybercriminals have exploited by creating fake sites or running fraudulent adverts. So far, the Australian public has lost almost $300,000 as a result of these scams.(2)

Security Recommendations
The range of these scams shows that every industry is a target and the reason they are so rife is because they work. Here are some of our recommendations from an organisation perspective, as to how you can mitigate these threats for end-users.

1. Security awareness training – if you are familiar with InfoTrust you will know this is a point we stress regularly; people are your last line of defence. I would strongly advise some kind of security awareness training or education to your end-users on the kinds of fraudulent emails they should be looking out for. And, the steps that should be taken if they believe an email to be malicious.

2. Enable Multi-Factor Authentication (MFA) – for all your services and applications that hold business-sensitive data, we would strongly advise that you enable MFA for your end-users. This is a quick way to stop an attacker in their tracks, and significantly decrease the chance of them successfully completing an Account Takeover attack.

3. Configure your impersonation controls – any secure email gateway solution worth its salt will have impersonation controls available for your business to utilise. Stringent security policies should be put in place to protect your employees who are most likely to be impersonated e.g. CEOs, CFOs and other senior executives.

If you believe you or someone you know has fallen victim personally to a scam check out Scamwatch’s help page which provides support and advice here.

1. Channel 7
2. Scamwatch
3. Mimecast – 100 days of COVID-19
4. Security Brief
5. ACSC Threat Update

see our

Related resources