Phishing emails are a favorite tactic scammers use to convince people to share account credentials, financial information, and other private data. One particular specialty is Business Email Compromise (BEC). In these campaigns, cybercriminals impersonate internal executives, outside contractors, or other "official" individuals in the hope of persuading employees to reveal sensitive information or move money.
As bad actors continue to exploit COVID-19 for their own purposes, they are now deploying coronavirus-themed BEC campaigns aimed at tricking unsuspecting business workers. A series of BEC emails picked up by Trustwave shows how cybercriminals are giving a virus-based spin to the usual types of scams.
COVID-19 gift card scam
In this one, the sender claims to have symptoms of the coronavirus and to be in self-isolation with no mobile phone or other essentials. The scammer asks the recipient to purchase a $250 iTunes or Walmart gift card and share the card details so the funds can supposedly be used to buy daily necessities.
COVID-19 wire transfer scam
Here, the scammer asks the recipient to set up a wire payment for COVID-19 medical support. In one instance, the criminal impersonates the CEO of a company and tells a corporate accountant to create the needed wire transfer.
COVID-19 payroll scam
In this one, the scammer impersonates a company employee who asks to update his direct deposit information in light of the coronavirus. Rather than supplying new account details up front, the scammer asks the recipient what information is needed, hoping to learn which banking and financial data the payroll process relies on.
COVID-19 assistance in a confidential legal matter
Here, the scammer claims to be managing some type of operation for the company that involves a legal representative. The criminal asks the recipient to assist the representative in providing any confidential information required. The request is urgent, says the scammer, as the coronavirus has already pushed the project behind on its deadline.
“Scammers will use any possible means to lure victims over email,” Trustwave said in its report. “The fact that a company email is associated with a real corporate user, who could be prone to trickery, makes it a lucrative target. BEC scammers recently capitalized on the coronavirus (COVID-19) pandemic and combined it with BEC scam impersonation techniques as a perfect combo to lure and trick users into sending money or gift cards to the scammers.”
To help organizations defend themselves and their employees against BEC campaigns, Karl Sigler, senior security research manager for SpiderLabs at Trustwave, offers some specific advice.
“Organizations can help protect against BEC attacks by first educating employees on what to look out for in terms of more traditional phishing campaigns,” Sigler said. “For example, spotting emails where domain names don’t match in the From and Reply-To fields, misspelled domain names that may be off by just one character, and poor use of the country’s native language. From a technical standpoint, mail administrators should utilize an email gateway to eliminate spam and phishing attempts before they reach a user’s inbox and incorporate multifactor authentication for email access to minimize the chances of account takeover.”