Hackers Exploit Coronavirus Pandemic in Latest Event-Based Email Attacks
April 02, 2020
While quickly checking your phone from a store on Black Friday, you spot a too-good-to-be-true deal from Amazon that’s only valid for the next two hours.
With the tax filing deadline looming, you receive an email from the IRS requesting that you immediately validate some info or else your refund will be delayed.
Or after the latest catastrophic hurricane, a Red Cross email contains an urgent plea for donations to help those without shelter, food, or clothing.
These are all examples of event-based email attacks, which exploit topical events like holidays, sporting events, and natural disasters to create compelling phishing lures. Topical or current events share three important characteristics that create a higher probability of email attacks being successful:
- A built-in sense of urgency: The holiday or sporting event is right around the corner or the disaster has just happened. Either way, there is a sense of urgency that can be exploited to drive immediate responses.
- Significant legitimate email traffic: Various parties (e.g., businesses, government agencies, and non-profits) are sending important communications related to the event, and users are eagerly awaiting these messages.
- Distracted users: Due to changing conditions in their physical environment or because they’re feeling any number of emotions (concern, fear, anxiety, stress, etc.), users are distracted and more likely to let down their guard.
Coronavirus phishing and scams surge in latest example of event-based email attacks
The latest lure for event-based email attacks is the global coronavirus pandemic—and it contains the characteristics described above. Collectively, the world feels an incredible sense of urgency as the number of cases skyrockets daily. Schools have closed and most businesses have shuttered, leaving workers to adjust to working from home while juggling their children. These closures, and the first signs of an economic downturn, are creating wild fluctuations in the market and prompting unprecedented action by governments around the world.
All of this has left us tired, distracted, confused, anxious, afraid, and desperate for reliable information. While plenty of legitimate coronavirus-related emails are being sent by government agencies, businesses, schools, and other organizations, hackers are exploiting these conditions to unleash a variety of email attacks, including spam, scams, phishing, spear phishing, and malware.
Based on our global view of email traffic, Vade first detected traditional spam waves using COVID-19 to peddle items like face masks. The example below is rather innocuous, albeit unsolicited. The display name has been set to “Coronavirus Mask,” but the message content highlights “anti-pollution clean air breathing masks.”
We’ve also seen a variety of email scams that resemble spear phishing in that they lack links or malicious attachments. In the example below, someone purporting to work as an engineer for an offshore oil firm offers the recipient a job as an assistant. Because of the coronavirus, the email notes, the position is work from home.
Very quickly, though, we started seeing more sophisticated phishing campaigns impersonating the World Health Organization (WHO), Centers for Disease Control (CDC), and GOV.UK. The first example is a GOV.UK phishing email that claims the recipient is eligible for a tax refund of 128 GBP in response to the coronavirus and leads them to a phishing page to access the funds. The second example is a WHO phishing page that asks the user to verify their account details in order to download COVID-19 safety measures.
With economic stimulus plans being approved by the US and other governments globally, we anticipate additional attack waves with lures dangling stimulus checks and other economic incentives. Moreover, with unemployment numbers rising sharply, we also expect an increase in fake job offers similar to the example above.
Introducing Current Events for Vade for Office 365
While all threats naturally concern MSPs and IT admins, event-based email attacks pose a particular challenge: How do I protect my end users from the sudden deluge of threats while ensuring that important legitimate communications aren’t accidentally blocked? In this time of global crisis, Vade felt a deep sense of responsibility to contribute in our own unique way to the effective management and mitigation of the pandemic.
In that spirit, we have released a new Current Events feature for Vade for Office 365. The feature provides MSPs and admins with greater visibility into all email traffic—both malicious and legitimate—specifically tied to the coronavirus pandemic.
From the email logs section of the Vade for Office 365 admin console, simply select the ‘COVID-19’ filter under Current Events to view the email traffic, including all coronavirus-related threats detected by Vade. If the filter missed something, you can pull the message from one or more inboxes using the Remediate feature. Equally important, you can keep an eye on legitimate COVID-19 communications and, should any messages be misclassified, put them back in users’ inboxes.
COVID-19 is the first use case for the Vade for Office 365 Current Events feature. Others will be added over time in response to holidays and other one-off events that trigger surges in threats and overall email traffic. The goal is to increase visibility and help MSPs strengthen trust with their clients during these important periods.
Resources for helping users detect coronavirus threats and safely telecommute
In addition to this new feature, we have pulled together a collection of resources to help educate end users on how to detect email threats and safely work from home during the coronavirus pandemic. The page includes infographics on cyber hygiene and how to detect phishing and spear phishing attacks, along with links to free tools like our Phishing IQ Test and IsItPhishing.AI URL checker.
We hope they help raise security awareness and promote best practices during this period of heightened threat activity. We’re all in this together, and together we will prevail. Stay safe, everyone!