Threat Spotlight: COVID-19 test-related email scams
COVID-19 has dominated headlines for almost two years, and hackers continue to exploit the pandemic in their attacks. Back in March 2020 COVID-19-related phishing attacks jumped 667%, and then as vaccination programs rolled out so did the new wave vaccine-related email threats. The latest omicron variant led to another spike in COVID-19 cases — as well as phishing attacks.
As demand for COVID-19 tests increased in recent weeks, the number of scams exploiting the scarcity of tests also went up. Our researchers saw an increase in COVID-19 test-related phishing attacks over the past couple of months. Between October and January, the number of COVID-19 test-related scams increased by 521%. The daily average peaked in early January, declining recently before starting to trend upward again.
COVID-19 test-related phishing attacks — Cybercriminals are taking advantage of the heightened focus on the COVID-19 testing and the current scarcity of tests to launch phishing attacks.
Scammers are using different tactics to get the attention of their victims. Some of the most common scams included:
- Offers to sell COVID-19 tests and other medical supplies such as masks or gloves. Some of these scams are selling counterfeit or otherwise unauthorized products.
- Fake notifications of unpaid for orders for COVID-19 tests, where scammer provide a PayPal account to send payments to complete purchase of rapid tests — counting on the desperation of their victims.
- Impersonation of either labs, testing providers, or individual employees sharing fake COVID-19 test results
The U.S. Department of Health and Human Services Office of Inspector General alerted the public earlier this month about the rising number of fraud schemes associated with COVID-19 and COVID-19 tests in particular. They warn of scammers who try to sell at-home COVID-19 tests in exchange for personal or medical information. The U.S. government launched a program on Wednesday allowing people to request up to four free at-home tests per household, and cybercriminals are bound to take advantage of the opportunity.
COVID-19-related scams continue to target individuals and businesses. As some organizations try to get their staff back to the office, they send out updated policies or request information on employees’ vaccination status. Hackers hijack these conversations. In one specific example found in Barracuda’s research, cybercriminals impersonated an HR department and shared a file hosted on a phishing site with employees in hope of stealing their account credentials. The attackers went as far as impersonating the Office 365 logo and stating that the document has already been scanned for virus and spam content.
Protecting against COVID-19 test-related phishing
Be skeptical of all emails related to COVID-19 tests
Some email scams include offers to purchase COVID-19 tests, provide information on testing sites with immediate availability, or share test results. Don’t click on links or open attachments in emails that you did not expect, as they are typically malicious.
Take advantage of artificial intelligence
Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution that detects and protects against spear-phishing attacks, including brand impersonation, business email compromise, and email account takeover. Deploy purpose-built technology that doesn't rely solely on looking for malicious links or attachments. Using machine learning to analyze normal communication patterns within your organization allows the solution to spot anomalies that may indicate an attack.
Deploy account-takeover protection
Don’t just focus on external email messages. Some of the most devastating and successful spear-phishing attacks originate from compromised internal accounts. Be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
Train staffers to recognize and report attacks
Educate your users about spear-phishing attacks. Provide employees with up-to-date user awareness training about COVID-19-related phishing, seasonal scams, and other potential threats. Ensure staffers can recognize the latest attacks and know how to report them to IT right away. Use phishing simulation for email, voicemail, and SMS to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the most vulnerable users.
Set up strong internal policies to prevent fraud
All companies should establish and regularly review existing policies, to ensure that personal and financial information is handled properly. Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.
This Threat Spotlight was authored by Olesia Klevchuk with research support from Tanvee Desai, Data Analyst, and Prebh Dev Singh, Senior Product Manager.