Phishers have been exploiting people’s fear and curiosity about breakthroughs and general news related to the COVID-19 pandemic from the very start, and will continue to do so for as long as it affects our private and working lives.
Cybercriminals continually exploit public interest in COVID-19 relief, vaccines, and variant news, spoofing the Centers for Disease Control (CDC), U.S. Internal Revenue Service (IRS), U.S. Department of Health and Human Services (HHS), World Health Organization (WHO), and other agencies and businesses.
Phishers targeting employees
According to Inky researchers, employees who have slowly been returning to work in offices and other company premises can expect cyber crooks to impersonate their colleagues and their company’s leadership.
Judging by previously detected campaigns, the attackers will be hitting employees with emails made to look like they come from HR or some other department, or from the CEO.
Lures will likely include:
- Surveys that employees must take regarding their willingness to receive the COVID-19 vaccine (or other related inquiries)
- New internal precautionary measures to “support health and safety”
- Information about changes in rules and new security roles within the company
- Requirements to review and complete new policy sections and guidelines
The emails will contain design elements associated with the company (logos, etc.). Links will point to credential-harvesting or malware-serving pages hosted on a hijacked domain, while the visible link text or path is made to look like it leads to a legitimate tool (e.g., Google, Basecamp, SharePoint, etc.). Phishers will try to create a sense of urgency and obligation, and may even threaten employees with sanctions to get them to follow the links.
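One check a mail gateway or an analyst's triage script can apply to exactly this kind of lure: does the visible link text name a trusted tool (or show a trusted URL) while the underlying href points somewhere else, and is the body loaded with urgency language? The Python below is an added example, not code from Inky or from the original article. The allowlist of trusted hosts, the brand keywords, the urgency phrases and the sample email body are all constructed assumptions for illustration.

```python
"""Flag "lookalike" links in an HTML email: anchor text that names or shows a
trusted tool while the href resolves to an untrusted host, plus urgency cues.
Added example; everything below (allowlist, keywords, sample email) is assumed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts where the company's legitimate tools actually live.
TRUSTED_HOSTS = {
    "google.com", "docs.google.com", "forms.gle",
    "basecamp.com", "sharepoint.com", "corp.example.com",
}
# Brand names an attacker would put in the visible link text (assumed list).
BRAND_KEYWORDS = ("google", "sharepoint", "basecamp")
# Pressure phrases typical of HR/CEO-impersonation lures (assumed list).
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|mandatory|failure to comply|disciplinary|today)\b",
    re.IGNORECASE,
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    """True if host is an allowlisted host or a subdomain of one."""
    h = (host or "").lower().rstrip(".")
    return any(h == t or h.endswith("." + t) for t in TRUSTED_HOSTS)


def text_claims_trusted(text):
    """Does the visible text look like a trusted URL or mention a trusted brand?"""
    t = text.lower()
    if "://" in t or t.startswith("www."):
        shown_host = urlparse(t if "://" in t else "http://" + t).hostname
        return is_trusted(shown_host)
    return any(brand in t for brand in BRAND_KEYWORDS)


def analyze_email(html_body):
    """Return lookalike links (text claims trusted, href is not) and an urgency flag."""
    parser = LinkExtractor()
    parser.feed(html_body)
    lookalikes = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        if is_trusted(real_host):
            continue  # destination is allowlisted; nothing to flag
        if text_claims_trusted(text):
            lookalikes.append({"href": href, "text": text, "real_host": real_host})
    return {"lookalike_links": lookalikes, "urgent": bool(URGENCY.search(html_body))}


# Constructed sample lure: branded, urgent, two lookalike links, one real intranet link.
SAMPLE_EMAIL = """
<html><body>
<img src="https://corp.example.com/logo.png" alt="Company logo">
<p>All staff must complete the <b>mandatory</b> vaccination survey today.
Failure to comply may result in disciplinary action.</p>
<p><a href="https://forms.hijacked-site.net/hr/survey">https://docs.google.com/forms/vaccine-survey</a></p>
<p>Updated policy: <a href="https://corp-example.sharepoint.com.evil.example/policy">SharePoint policy portal</a></p>
<p>Questions? <a href="https://corp.example.com/hr">HR intranet</a></p>
</body></html>
"""

if __name__ == "__main__":
    result = analyze_email(SAMPLE_EMAIL)
    print("urgent language:", result["urgent"])
    for item in result["lookalike_links"]:
        print(f"LOOKALIKE: text={item['text']!r} -> {item['real_host']}")
```

The second link is the instructive case: `sharepoint.com` appears inside the hostname, but the registrable domain is `evil.example`, which is why the check uses an exact-or-subdomain match against the allowlist rather than a substring search. The intranet link is left alone, and the urgency flag on its own is only a weak signal; it is the combination with a lookalike link that should raise the score.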
“Of course, we would be remiss if we didn’t mention that even if you’re one of the many companies remaining remote after the pandemic, you’re still at great risk of an email phishing attack,” the researchers noted.
“According to the FBI’s 2020 Internet Crime Report, the number of complaints rose 69% during the year of the pandemic, with the largest reported losses in history — a whopping $4.1 billion. Business email compromise phishing schemes continue to be the costliest with adjusted losses of about $1.8 billion. And sadly, in terms of types of cybercrime, phishing incidents more than doubled in the past year.”