
Coronavirus and Phishing: All You Need to Know, Updated March 30th 2020 – In this article, I have put together a comprehensive guide about Coronavirus and Phishing.

You will learn what scams like Phishing, Smishing and Vishing are and how you can spot and protect yourself from them.

A significant number of hackers and fraudsters are exploiting the current COVID-19 emergency, with millions of people working from home, to carry out scams.

In the words of An Garda Síochána:

Note from the author: in the tweet above, the word ‘Phishing’ is spelled incorrectly.

In this video by Which? you can find a summary of some of the Coronavirus scams currently in place:

Coronavirus and Phishing: All You Need to Know

Numbers and Statistics

A report from Forbes estimates that victims in the UK have lost up to $1 million to scammers.

According to the UK’s national reporting centre for fraud and cybercrime, ActionFraud, there was a 400% increase in Coronavirus-related scams in March.

The number of Coronavirus-related newly-registered domains spiked in March to more than 35,000 in one single day.

Amazon removed more than one million Coronavirus-related products from its online marketplace.

Coronavirus and Phishing: a Definition

What is Phishing?

Phishing is a fraudulent attempt by an unauthorised party, disguised as a legitimate source, to obtain sensitive data such as login or credit card details.

The scam generally occurs through an email, text or SMS message (Smishing), phone call (Vishing) or fake website (Domain Spoofing).

Coronavirus and Phishing Domains

The global spread of Coronavirus has also led to a spike in the number of domain registrations related to Coronavirus and COVID-19 (source: zdnet.com):

[Threat intelligence firm] RiskIQ saw more than 13,500 suspicious domains on Sunday, March 15; more than 35,000 domains the next day; and more than 17,000 domains the day after that.

In this chart by security intelligence firm Recorded Future, you can see a graphical representation of the increase in Coronavirus-related domain registrations:

Coronavirus and Phishing - chart showing the spike in Coronavirus-related newly-registered domains

Phishing that relies on a fake website or domain is technically called ‘Domain Spoofing’.

What is Domain Spoofing?

Domain Spoofing is a fraudulent attempt to use a fake domain to impersonate a company or one of its employees.

Domain Spoofing and Coronavirus

A significant number of newly-registered Coronavirus-related domains might have a malicious purpose.

Recorded Future director of operational outcomes Lindsay Kaye calls out the following domains as potentially dangerous (source: forbes.com):

  • coronavirusstatus[.]space
  • coronavirus-map[.]com
  • blogcoronacl.canalcero[.]digital
  • coronavirus[.]zone
  • coronavirus-realtime[.]com
  • coronavirus[.]app
  • bgvfr.coronavirusaware[.]xyz
  • coronavirusaware[.]xyz

The founder of VirusTotal added the following domains to the list of potentially malicious websites:

  • corona-virus[.]healthcare
  • survivecoronavirus[.]org
  • vaccine-coronavirus[.]com
  • coronavirus[.]cc
  • bestcoronavirusprotect[.]tk
  • coronavirusupdate[.]tk

To check whether a website is listed as potentially malicious, you can consult this tracker by @DustyFresh (Twitter handle), which is updated every 30 seconds.

Coronavirus and Phishing Emails

Wikipedia lists the most common types of email phishing as spear phishing, whaling and clone phishing (source: wikipedia.org).

Cisco also adds Pharming, Deceptive Phishing and Office 365 Phishing (source: cisco.com), while Norton also includes Pop-Up Phishing (source: us.norton.com).

CEO Fraud (not to be confused with Whaling), Dropbox Phishing and Google Docs Phishing are less common types of phishing that are still worth mentioning.

A number of reputable sources detected a significant increase in phishing emails since the start of March (source: finextra.com).

Security consultancy Barracuda has recorded a 667% spike in phishing attacks globally since the start of March as fraudsters attempt to cash in on the Covid-19 outbreak.

A common Coronavirus phishing attack is an email allegedly sent by the WHO, CDC, NHS or some other reputable source.

The email generally offers advice and sells in-demand items such as face masks and hand sanitisers.

It may also include a call to action prompting the victim to donate money.

As of today, these are the most common phishing emails users have come across (source: us.norton.com, bbc.com and thesun.ie):

  • CDC (or WHO) alerts
  • Health advice
  • Workplace policy
  • Click here for a cure
  • COVID-19 tax refund
  • Precautions
  • Airborne virus
  • Donations
  • Coronavirus maps

This is an example of a fake alert from the CDC…

Coronavirus Scams - fake email from CDC

…and this is a fake COVID-19 tax refund from gov.uk…

Coronavirus and Phishing - fake email from gov.uk

…while this is an email claiming they have found a cure for Coronavirus:

Coronavirus and Phishing - scam email about a cure for Coronavirus


How to Spot a Coronavirus Phishing Email

According to Microsoft, ’91 percent of all cyberattacks start with email’ (source: microsoft.com).

Phishing scammers and more sophisticated hackers, who are often sponsored by a state, are now exploiting the current fear and uncertainty to get access to sensitive data such as login and bank or credit card details (source: wired.com):

Phishers know all too well that during uncertain times—whether it’s international conflict or coronavirus—people become desperate for information and reassurance.

In this section of the article, I am going to go through some social engineering red flags, which will help you spot a phishing email almost immediately.

Coronavirus Scams - infographic on how to spot social engineering red flags in emails

Who is the Email from?

One of the most common types of phishing is deceptive phishing. In this case, the scammer sends an email pretending to be somebody you know or a company you trust and have already engaged with.

You should be wary of emails coming from:

  • a sender you don’t usually communicate with, for example a Singapore specialist (unless you live in Singapore)
  • an email address you don’t recognise, such as [email protected]
  • a look-alike email address, such as covidcure-who.com
  • somebody you don’t know personally or have not been introduced to (even virtually) by one of your contacts
  • somebody you don’t have a personal relationship with

More specifically in the workplace, you should be wary of emails coming from:

  • someone outside of your organisation
  • someone you don’t have a business relationship with
  • a customer, vendor or partner – unexpectedly.

Who is the Email Sent to?

You should be wary of emails sent to many people (you are in Cc), where you don’t know most of the people in the list.

You should also be wary of emails sent to an unusual number of people (you are in Bcc).

When Was the Email Sent?

This is more difficult to assess than the other red flags. You should be wary of emails sent at unusual times, according to your time zone.

You should also be wary of emails sent on holidays or during the weekend.

What is the Email Subject Line?

You should be wary of emails whose subject line includes:

  • an irrelevant sentence, which doesn’t match the content of the email
  • a call to action creating a sense of urgency to act now, such as ‘Donate now to save COVID-19 lives!’
  • a reply to an email you have never sent (this generally starts with ‘Re:’ to mimic a reply to an email)
  • a number of spelling or grammar mistakes, such as
  • a number of exclamation marks or other symbols

What is the Content of the Email?

You should be wary of emails whose content includes:

  • a generic greeting, such as ‘Dear Sir, Madam’, instead of your first name
  • a number of spelling and grammar mistakes
  • a number of exclamation marks or other symbols
  • a call to action to click on a link or download an attachment, generally accompanied by urgency and fear of negative consequences if you don’t comply
  • no email signature or one that raises doubts about its legitimacy, such as ‘Specialist wuhan-virus-advisory’.

Does the Email Have Any Hyperlinks?

You should be wary of emails with hyperlinks (and never click!) where:

  • on mouse-over, the destination address is different from the hyperlink text displayed
  • the hyperlink is a misspelling of a known website, such as accounts-micorsoft.com
  • the hyperlink is a look-alike of a known website, such as boirenewonline.com instead of 365online.com
  • the hyperlink is the only content of the email body

Does the Email Have Any Attachment?

You should be wary of emails with attachments that seem unnecessary for the purpose of the email.

In general, you should be wary of emails with attachments in one of these formats: .DOC, .XLS, .PDF, .ZIP or .7Z (source: forbes.com).

According to analysis by Helsinki-based security provider F-Secure, 85% of all malicious emails have a .DOC, .XLS, .PDF, .ZIP or .7Z file attached.
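As an added example (not part of the original article), the following Python script applies three of the red flags above to a constructed sample email: a look-alike sender or link domain, a displayed link that differs from its real destination (the mouse-over check), and an attachment in one of the high-risk formats. The brand allow-list, the 0.85 similarity threshold and the sample message are assumptions made for illustration.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of genuine domains the scams in this article impersonate.
KNOWN_DOMAINS = ("microsoft.com", "who.int", "gov.uk", "365online.com", "cdc.gov")
RISKY_EXTENSIONS = {".doc", ".xls", ".pdf", ".zip", ".7z"}  # F-Secure's 85% list above
# Displayed link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)

def lookalike_of(host):
    """Return the known domain `host` imitates, or None for a genuine or unrelated host."""
    host = host.lower()
    if host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS):
        return None  # the real domain or a real subdomain of it
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        for label in re.split(r"[.-]", host):
            # brand token in a foreign domain (covidcure-who.com) or a near-miss spelling
            # (accounts-micorsoft.com); 0.85 is an assumed similarity threshold
            if label == brand or difflib.SequenceMatcher(None, label, brand).ratio() >= 0.85:
                return known
    return None

class LinkCollector(HTMLParser):
    """Collect (href, displayed text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(sender, html_body, attachments):
    """Return human-readable red flags for one message (empty list = none found)."""
    flags, sender_host = [], sender.rsplit("@", 1)[-1]
    if lookalike_of(sender_host):
        flags.append(f"sender domain {sender_host} looks like {lookalike_of(sender_host)}")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = URL_LIKE.match(text)  # the mouse-over check: displayed vs real target
        if shown and shown.group(1).lower() != host:
            flags.append(f"link shows {shown.group(1)} but points to {host}")
        if lookalike_of(host):
            flags.append(f"link host {host} looks like {lookalike_of(host)}")
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment {name} has high-risk type {ext}")
    return flags

SAMPLE_SENDER = "alerts@covidcure-who.com"  # constructed sample message, not a real one
SAMPLE_BODY = """<p>Dear Sir, Madam,</p><p>Read the update at
<a href="http://accounts-micorsoft.com/login">https://www.who.int/updates</a> and
<a href="http://coronavirus-map.com/donate">Donate now to save COVID-19 lives!</a></p>"""
SAMPLE_ATTACHMENTS = ["Covid-19_Guidance.doc", "notes.txt"]
```

Running `red_flags(SAMPLE_SENDER, SAMPLE_BODY, SAMPLE_ATTACHMENTS)` reports the look-alike sender, the mismatched first link and its misspelled host, and the .doc attachment, while the plain "Donate now" link text is not treated as a URL.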

What to Do If You Fall for a Coronavirus Phishing Scam

If you believe you have fallen for a Coronavirus phishing scam, either an email or a domain, here’s a list of practical steps you can take (source: us.norton.com):

  • Change your passwords – This applies to computer, email, apps, bank accounts and PIN
  • Contact your bank – If you have logged in to your online banking after clicking on a phishing link, immediately notify your bank
  • Contact your credit card company – If you have used your credit or debit card online after clicking on a phishing link, immediately contact your credit card company about freezing and replacing your credit and debit cards
  • Update your software and apps – Make sure you are running the latest version of software and apps on both your phone and other devices
  • Check your bank account regularly – For some time from the event, make sure you check your bank accounts regularly for suspicious activity

Coronavirus and Phishing: Smishing

What is Smishing?

Smishing is the fraudulent attempt to obtain your personal information through a text or SMS message.

The attacker sends a message pretending to be your bank or some other reputable company with the aim of stealing sensitive data from the victim.

How to Spot a Coronavirus Smishing Text

In this example, you will see an unsolicited text message from a scammer trying to impersonate the UK government website:

Coronavirus Scams - scam message from fake gov.uk

You should be wary of, and never respond to, text or SMS messages that (source: irishmirror.ie):

  • are unsolicited
  • imitate a text from a trusted source, such as gov.uk or who.int
  • ask you to click on a link
  • ask you to call a number (click-to-call)
  • ask you to verify your login, personal, bank or credit card details
  • create a sense of urgency
  • show evident spelling and grammar mistakes
  • contain a link whose destination address (when you mouse over the link) is different from the displayed URL

What to Do If You Fall for a Coronavirus Smishing Scam

The course of action is very similar to the one described about phishing scams. If you believe you have fallen for a Coronavirus Smishing scam, you should immediately:

  • Change your passwords – This applies to computer, email, apps, bank accounts and PIN
  • Contact your bank – If you have logged in to your online banking after clicking on a phishing link, immediately notify your bank
  • Contact your credit card company – If you have used your credit or debit card online after clicking on a phishing link, immediately contact your credit card company about freezing and replacing your credit and debit cards
  • Update your software and apps – Make sure you are running the latest version of software and apps on both your phone and other devices
  • Check your bank account regularly – For some time from the event, make sure you check your bank accounts regularly for suspicious activity

Coronavirus and Phishing: Vishing

What is Vishing?

Vishing is the fraudulent attempt to obtain sensitive information from the victim via telephone.

Vishing often targets Voice over IP (VoIP) services such as Skype, FaceTime or WhatsApp.

Coronavirus and Vishing

In my research I have found two mentions of Coronavirus-related vishing scams, in Ireland and the UK.

In an article on thejournal.ie, a senior official from the Department of An Taoiseach confirms (source: thejournal.ie):

[The] department has become aware of a number of members of the public receiving phone calls from individuals who say they are from the department and requesting their bank or financial institution account details.

In the same article, she warns the public that ‘you will not get phone calls asking for your bank details from the government’.

In the UK there is a Coronavirus-related vishing scam concerning the UK’s communications regulator Ofcom.

The scam claims that the user’s broadband connection is about to be switched off or downgraded.

In a post published on March 25th, Ofcom confirms that they ‘will never call you out of the blue like this. If you receive one of these calls claiming to be from us, please hang up’.

How to Spot a Coronavirus Vishing Call

The advice on how to spot a Coronavirus vishing scam applies to any generic vishing scam. Here are some practical steps (source: digital.ulsterbank.ie):

If you get a call asking you for sensitive information such as your banking details, end the call immediately.

If you receive a suspicious or unexpected call, always verify it by terminating the call and phoning back using an independently checked phone number, such as one from an official website.

If you receive a request to download software to connect to your computer, and you have not initiated the conversation with the company, decline to do so.

In any case, ‘never give out your Mobile banking App activation codes or passcode, Online Banking PIN, full Online Banking password or card reader codes to anyone over the phone, even a caller claiming to be from your bank or the police’ (source: digital.ulsterbank.ie).

What to Do If You Fall for a Coronavirus Vishing Scam

The course of action is very similar to the one described about phishing and smishing scams. If you believe you have fallen for a Coronavirus vishing scam, you should immediately:

  • Change your passwords – This applies to computer, email, apps, bank accounts and PIN
  • Contact your bank – If you have logged in to your online banking after clicking on a phishing link, immediately notify your bank
  • Contact your credit card company – If you have used your credit or debit card online after clicking on a phishing link, immediately contact your credit card company about freezing and replacing your credit and debit cards
  • Update your software and apps – Make sure you are running the latest version of software and apps on both your phone and other devices
  • Check your bank account regularly – For some time from the event, make sure you check your bank accounts regularly for suspicious activity

Coronavirus and Phishing: Other Types of Scams

Phishing, vishing and smishing are the most common types of Coronavirus scams.

There are other types of scams, which are less common but potentially as dangerous.

Some criminals are taking advantage of people staying at home, especially elderly people. They offer to take their temperature with the aim of robbing them or worse (source: which.co.uk).

Other Coronavirus scams include the selling of hand sanitisers and face masks for a highly-inflated price.

Coronavirus and Phishing: Appendix

Coronavirus and Phishing: Glossary

What is Spear Phishing?

Spear Phishing is a fraudulent phishing attempt targeting individuals or companies by leveraging personal information about the target to increase the probability of success.

According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing (source: cisco.com).

This phishing technique was used by the hacker group Fancy Bear (Threat Group-4127) ‘to target email accounts linked to Hillary Clinton’s 2016 presidential campaign’ (source: wikipedia.org).

What is Whaling?

As a variation of Spear Phishing, Whaling is a fraudulent phishing attempt targeting companies’ CEOs and senior executives.

What is Clone Phishing?

In this type of phishing attempt, scammers clone the content of an email the target has already received.

The content of the email is identical or similar to the one received, with the exception of the sender email and links or files attached, which are generally malicious.

Among the types of phishing, this is considered ‘one of the most difficult to detect’ (source: us.norton.com).

What is Pharming?

‘Pharming sends users to a fraudulent website that appears to be legitimate’ (source: cisco.com) with the aim of obtaining personal information.

Most of the time, this happens without the victim’s knowledge or consent.

What is Deceptive Phishing?

Deceptive Phishing is a less sophisticated version of Spear Phishing where the ‘hacker pretends to be another person (someone the victim knows or a reliable company) to obtain either personal information or login credentials’ (source: randed.com).

Deceptive Phishing is considered the most common type of phishing. The term is often associated with ‘Traditional Phishing’ and ‘Clone Phishing’.

What is Office 365 Phishing?

It’s a fraudulent attempt to gain access to a Microsoft Office 365 account. The attacker sends an email, pretending to be Microsoft, asking the receiver to log in by clicking on a malicious URL.

Currently there is no evidence this type of phishing has been used in relation to Coronavirus scams.

What is Pop-Up Phishing?

It’s a fraudulent phishing attempt to install malware on a computer by showing a pop-up. The user is prompted to click on the pop-up to install software or an app. If installed, this generally infects the machine with malware.

What is CEO Fraud?

It’s the fraudulent attempt to use an email address similar to that of the CEO or a senior executive to obtain sensitive or payment details from within a company.

Currently there is no evidence this type of phishing has been used in relation to Coronavirus scams.

What is Dropbox Phishing?

It’s a fraudulent attempt to obtain login details or install malware by sending Dropbox-style emails to users to validate their accounts or download files.

Currently there is no evidence this type of phishing has been used in relation to Coronavirus scams.

What is Google Docs Phishing?

It’s a fraudulent attempt to obtain login details by inviting the victim ‘to check out a document on Google Docs – and the fraudster’s fake page is indeed hosted on Google Drive, so everything seems legit’ (source: cloudm.co).

Currently there is no evidence this type of phishing has been used in relation to Coronavirus scams.

What is Fraudulent Selling?

According to eBay, ‘any attempt by sellers to misrepresent themselves, or the products they’re selling, is seller fraud’ (source: ebay.com).

Currently there is no evidence this type of scam has been used in relation to Coronavirus scams.

What is Social Engineering?

Social Engineering is a fraudulent attempt to manipulate people with the aim of obtaining their personal data, generally the victim’s login or credit card details.

‘Almost every type of attack contains some kind of social engineering’ (source: usa.kaspersky.com), including phishing, smishing and vishing.

Coronavirus and Phishing: Sources

https://en.wikipedia.org/wiki/Phishing
https://www.cisco.com/c/en/us/products/security/email-security/what-is-phishing.html#~types-of-phishing-attack
https://us.norton.com/internetsecurity-online-scams-what-is-phishing.html
https://randed.com/types-of-phishing/?lang=en
https://cloudm.co/resources/articles/6-common-phishing-attacks-and-how-to-avoid-them
https://www.rte.ie/news/coronavirus/2020/0311/1121714-covid-19/
https://www.ebay.com/help/buying/resolving-issues-sellers/avoiding-seller-fraud?id=4024
https://www.finextra.com/newsarticle/35519/sharp-rise-in-phishing-attacks-as-scammers-prey-on-coronavirus-fears
https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html
https://www.bbc.com/news/technology-51838468
https://www.thesun.ie/tech/5202441/coronavirus-cyber-scams-to-look-out-for-including-hacked-maps-fake-tax-refunds-and-hoax-donation-pages/
https://www.phishing.org/what-is-phishing
https://www.who.int/docs/default-source/coronaviruse/situation-reports/20200202-sitrep-13-ncov-v3.pdf
https://euobserver.com/coronavirus/147905
https://www.wired.com/story/coronavirus-phishing-scams/
https://blog.knowbe4.com/red-flags-warn-of-social-engineering
https://www.forbes.com/sites/leemathews/2018/08/01/these-are-the-five-most-dangerous-email-attachments/#29683f7e2d1b
https://us.norton.com/internetsecurity-online-scams-what-to-do-when-you-fall-for-an-email-scam.html
https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-are-being-created-on-a-daily-basis/
https://www.recordedfuture.com/coronavirus-panic-exploit/
https://www.forbes.com/sites/thomasbrewster/2020/03/12/coronavirus-scam-alert-watch-out-for-these-risky-covid-19-websites-and-emails/#1c4bc1f81099
https://www.irishmirror.ie/news/irish-news/smishing-text-scam-ireland-onlinebanking-18975051
https://www.thejournal.ie/garda-warning-scam-coronavirus-5055087-Mar2020/
https://digital.ulsterbank.ie/personal/security-centre/vishing.html

Coronavirus and Phishing: Photos

https://unsplash.com/@taskinhoo
