Beware of Quickly-Evolving Coronavirus Email Phishing Attacks

 Whether you’re in a small business, large enterprise, or anything in between, security professionals around the world should be urgently warning company employees about the rapid rise of coronavirus-related email phishing scams—and how to avoid infecting their networks.

Employee awareness of phishing scams is, thankfully, on the rise. But the novel coronavirus (aka COVID-19) is enabling bad actors to raise the ante on phishing threats. There are three key reasons why:

• COVID-19 email scams prey on today’s ever-present fear and anxiety over this new pandemic, anticipating users’ emotions to short-circuit their common sense.
• Employees are expecting information from their companies, national and local governments, associations to which they belong, etc., so phishing attacks that impersonate these groups may have an easier path to a click.
• Coronavirus email phishing scams are evolving rapidly, and in-sync with the latest emphasis pouring out of news media.

Coronavirus Email Phishing Attacks Prey on Fear & Uncertainty

Phishing scams often tap into whatever is making news, jumping to each new story as it emerges. But coronavirus phishing emails are sticking to the pandemic story but evolving strategies in tandem with it, according to Dr. Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast.

“We’re seeing a steady stream of different email phishing attacks that are evolving as the coronavirus pandemic evolves, and as the response evolves,” said Addison. “New email phishing scams are matching what people are talking about and what people are worried about at the time.” Addison explained that the first phishing attacks impersonated doctors and other specialists from Wuhan, China, enticing users to click on a link to find the latest information on symptoms and treatments. “Then, as governments became involved, and other official organizations, we saw impersonations of those organizations offering government advice. And when businesses began taking action, and started sending people home, we saw business impersonations being sent to employees saying, ‘Click here to find out what the office closures are, or what the latest work from home policy is.’” Most recently, phishing attacks have emerged around phony COVID-19 cures, she added.  

Most coronavirus phishing emails pursue one of two goals: credential capture to gain access to your system or network, or malware delivery to infect it. In either case, cyber criminals gain access that lets them analyze the best way to monetize their unauthorized “opportunity.” 

Phishing Attack Defense is Simple: DO NOT CLICK!

“Since these attacks embody the kind of information that people are waiting for and expecting, there’s a potentially higher rate of human error,” noted Addison. “It’s very important that companies make their employees aware of the latest scams that are going around.”

Moreover, she encourages businesses to establish central intranet pages of their own from which employees can get up-to-date information. That way, companies can encourage employees to check those central pages often, “and simply tell them not to click on any links in supposed company emails.”

That “do not click” advice can be extended as a strong defense against any email phishing scam. Even when an offer or a bit of information lures people in, they should be encouraged to pursue it in a separate channel: search on the internet, pick up the phone and make a call, etc.

The UK’s National Cyber Security Centre (NCSC) offers additional worthwhile guidance, including how to spot and deal with suspected email phishing.

What’s Next on Criminals’ Coronavirus Phishing Scam Agenda?

Enterprise security professionals should expect cyber criminals to milk the coronavirus pandemic for as long as they can.

While they’ll probably continue delivering the same old kind of malware login capture approaches, they’ll likely be changing the themes of email scams to continue matching what’s going on in the news. “We’ll probably start seeing offers to help people deal with isolation, and content around the financial impact on people, as well. That could mean impersonating banks or mortgage companies,” Addison predicted.

Roundup of Selected Coronavirus Email Phishing Scams

Based on information from Mimecast’s Threat Intelligence team, plus reputable sources from around the web, here is a selection COVID-19 related email phishing scams:

• Take the test: Several scams offer DIY “at home” coronavirus tests leading to fake testing sites that can capture credit card information. The fake site in the accompanying image was spotted by Mimecast Threat Intelligence. Only one company has announced a legitimate at home coronavirus test, which is set to hit next week.

• WHO’s calling: Email scammers pretend to be the World Health Organization offering information on how to avoid infection. When you click through, it asks for personal information.[i] There’s only one official WHO site: WHO:int. WHO also has a page that provides information about how to avoid scammers pretending to be them.

• Get educated about the (phony) cure: The phishing scammers in the accompanying screen capture pretend to be a well-known online learning company offering a course to teach you all about the cure to COVID-19, but they harvest your credentials instead (if you let them). It sounds more legitimate by claiming partnership with the WHO.
• CDC Imposters: The Centers for Disease Control and Prevention is unlikely to email individuals with offers of any kind. But the real CDC coronavirus site is a valuable source of critically important information.
• Free Phones: This one’s an SMS, not email, scam. Forbes reports that a congresswoman received a supposed offer of free iPhone 11s from Apple “to help you spend time at home.”[ii] Apple is not giving away free phones.

[i] “The Internet is drowning in COVID-19-related malware and phishing scams,” Ars Technica

[ii]  “Coronavirus Scams: Watch Out For These Efforts To Exploit The Pandemic,” Forbes