Since nearly the start of the coronavirus outbreak, cybercriminals have been exploiting every facet of the pandemic by preying on our anxiety and fear as a way to make a buck. As COVID-19 testing and test kits are now being required by more public venues and organizations, attackers have seized on this need to try to scam people. A recent blog post from security firm Barracuda Networks looks at the rise in phishing campaigns that exploit the concerns over such testing.
During just the past few months, demand has risen for COVID-19 test kits. Along with that demand has come both a scarcity of test kits as well as confusion over where and how to obtain the kits. And those factors have triggered an increase in test-related scams. Between October and January, the number of COVID test-related phishing attacks surged by 521%, according to Barracuda. After peaking in January, the daily average fell but has recently started to rise again.
In their phishing campaigns, cybercriminals try a few different tactics to grab the attention of potential victims.
In some cases, attackers hawk COVID-19 tests and medical supplies such as masks and gloves. Many of these are for counterfeit or unauthorized products. In other cases, scammers send a phony notification of an unpaid order for COVID-19 tests. Included in these emails is a PayPal account where the attackers hope to grab money from fearful or desperate victims. And in additional cases, criminals pretend to be from laboratories or testing facilities promising to share COVID-19 test results.
SEE: Fighting social media phishing attacks: 10 tips (free PDF) (TechRepublic)
In one phishing email caught by Barracuda, the scammer promotes COVID-19 rapid test kits with competitive prices and fast delivery dates. The attacker aims to add legitimacy to the hoax by claiming that the products are CE certified (meeting European Union requirements for health, safety and environment) and have already been shipped to the European market.
In another phishing email, the criminals are selling not only COVID-19 test kits and analyzers but thermometers, pulse oximeters, freezers for vaccine storage and syringes for vaccine injection.
And in one more phishing email, the attackers impersonate a company’s HR department with an attached PDF file claiming to be a COVID-19 vaccination self-compliance report. Also spoofing Microsoft and Office 365 in the email, the scammers are looking to steal account credentials from unsuspecting employees.
In actuality, US officials have tried to make the COVID-19 at-home test kits more accessible. Anyone buying test kits through regular retail channels can now submit the purchase to their insurance provider for reimbursement. More easily, you can order up to four free test kits per household directly from the US Post Office.
To protect yourself and your organization from phishing attacks that exploit COVID-19 tests and related topics, Barracuda offers the following tips for IT and security professionals:
- Be dubious of any emails about COVID-19 tests. Instruct your users to watch out for emails that aim to sell COVID-19 test kits, offer details on testing sites with immediate availability, or share test results. Warn them to never click on links or file attachments in such emails, especially ones they didn’t expect.
- Turn to artificial intelligence. As sophisticated attackers can sneak past email gateways and spam filters, you need security products that will protect your organization against spear-phishing attacks. The right technology doesn’t just scan for malicious links or attachments but uses AI and machine learning to look for anomalies within your normal communication patterns.
- Rely on account takeover protection. Many threats come not just from external email messages but from internal ones via compromised employee accounts. As such, you need to make sure that scammers aren’t using your organization to launch attacks against itself. For that, rely on security products that use AI to determine when accounts have been compromised, alert users in real-time of such incidents and remove malicious emails from those accounts.
- Establish strong internal policies to stop fraud. Create and review internal policies to make sure that all personal and financial data is handled correctly. Set up guidelines and procedures to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and approval from several people for any financial transaction.
- Train employees to recognize and report cyberattacks. Provide employees with awareness training about the latest COVID-19-related phishing scams and other possible threats. Make sure that users can spot these attacks and immediately report them to your IT staff or help desk. Try using phishing simulations for email, voicemail and text messages so that employees can better identify a cyberattack.