Exclusive threat spotlight: COVID-19 test-related email scams

COVID-19 has dominated headlines for almost two years and hackers continue to exploit the pandemic in their attacks. Back in March 2020 COVID-19-related phishing attacks jumped 667% and then as vaccination programs rolled out so did the new wave vaccine-related email threats. The latest omicron variant led to another spike in COVID-19 cases — as well as phishing attacks.

As demand for COVID-19 tests increased in recent weeks, the number of scams exploiting the scarcity of tests also went up. Our researchers saw an increase in COVID-19 test-related phishing attacks over the past couple of month. Between October 2021 and January 2022, the number of COVID-19 test-related scams increased by 521%. The daily average peaked in early January, declining recently before starting to trend upward again.

Highlighted Threat

COVID-19 test-related phishing attacks — Cybercriminals are taking advantage of the heightened focus on the COVID-19 testing and the current scarcity of tests to launch phishing attacks.

Scammers are using different tactics to get the attention of their victims. Some of the most common scams included:

• Offers to sell COVID-19 tests and other medical supplies such as masks or gloves. Some of these scams are selling counterfeit or otherwise unauthorised products.
• Fake notifications of unpaid for orders for COVID-19 tests, where scammer provide a PayPal account to send payments to complete purchase of rapid tests — counting on the desperation of their victims.
• Impersonation of either labs, testing providers, or individual employees sharing fake COVID-19 test results

The Details

The U.S. Department of Health and Human Services Office of Inspector General alerted the public earlier this month about the rising number of fraud schemes associated with COVID-19 and COVID-19 tests in particular. They warn of scammers who try to sell at-home COVID-19 tests in exchange for personal or medical information. The U.S. government launched a program recently allowing people to request up to four free at-home tests per household and cybercriminals are bound to take advantage of the opportunity.

COVID-19-related scams continue to target individuals and businesses. As some organisations try to get their staff back to the office, they send out updated policies or request information on employees’ vaccination status. Hackers hijack these conversations. In one specific example found in Barracuda’s research, cybercriminals impersonated an HR department and shared a file hosted on a phishing site with employees in hope of stealing their account credentials. The attackers went as far as impersonating the Office 365 logo and stating that the document has already been scanned for virus and spam content.

Protecting against COVID-19 test-related phishing

• Be skeptical of all emails related to COVID-19 tests

Some email scams include offers to purchase COVID-19 tests, provide information on testing sites with immediate availability, or share test results. Don’t click on links or open attachments in emails that you did not expect, as they are typically malicious.

• Take advantage of artificial intelligence

Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution that detects and protects against spear-phishing attacks, including brand impersonation, business email compromise and email account takeover. Deploy purpose-built technology that doesn’t rely solely on looking for malicious links or attachments. Using machine learning to analyse normal communication patterns within your organisation allows the solution to spot anomalies that may indicate an attack.

• Deploy account-takeover protection

Don’t just focus on external email messages. Some of the most devastating and successful spear-phishing attacks originate from compromised internal accounts. Be sure scammers aren’t using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognise when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.

• Train staffers to recognise and report attacks

Educate your users about spear-phishing attacks. Provide employees with up-to-date user awareness training about COVID-19-related phishing, seasonal scams and other potential threats. Ensure staffers can recognise the latest attacks and know how to report them to IT right away. Use phishing simulation for email, voicemail and SMS to train users to identify cyberattacks, test the effectiveness of your training and evaluate the most vulnerable users.

• Set up strong internal policies to prevent fraud

All companies should establish and regularly review existing policies, to ensure that personal and financial information is handled properly. Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.

This Threat Spotlight was authored by Olesia Klevchuk with research support from Tanvee Desai, Data Analyst.

For more information, visit: www.barracuda.com