<- All Blogs
Threats

Covid-19 Phishing Emails: How to Spot Them

Written by
Evander Pierre
Published on
April 7, 2020

Unfortunately, coronavirus doesn’t seem to be going away any time soon. Hand sanitizer is in high demand, world leaders are taking their countries into complete lockdown, and hospitals across the globe are working at hyper speed to keep up with the number of incoming patients. As we continue to understand the pandemic and its accompanying widespread panic, the general public is left more susceptible than ever to phishing scams.

As if we didn’t have enough on our plates already, scammers and hackers are taking advantage of the global pandemic by targeting individuals with phishing emails – that’s unsolicited emails posing as if sent from a trustworthy user or organization. They might be written in a way to elicit an emotional response from the receiver, persuading you to give out personal or corporate details. Don’t fall for it!

These phishing emails, if not dealt with properly, can end up stealing your personal information, passwords, identities, and even secret company information. They can also download software that obtains private documents and holds them hostage for monetary gain (also known as ransomware).

You’ve probably received a hundred emails lately regarding a company’s new policy on social distancing, rearranged opening hours, or how to stay healthy during the pandemic. Most of these will be perfectly safe; however, there’s always the likelihood that scams will drop into your inbox too.

Amid this bizarre coronavirus-laden world we find ourselves in today, Immersive Labs wants you to be as informed as possible when it comes to those suspicious emails, so we’ve put together a handy guide on some of the features that might be included in a Covid-19-themed phishing email.

So what should you be looking out for, and how can you stay safe?

False senders

Often, scammers will create a spoof email address to make it look like the phishing scam has come from a legitimate source. Check out the sender’s name and company suffix, and double check with that person if you know them in real life.

For example, joe.bloggs@immersivelabs.com is probably a legit user, but
help@mmersivelabs.com is not. The ‘i’ in Immersive is missing. Did you spot that?

An address like info.9936HA9r-dfgmy@litelabs.it is again very suspicious, and probably not from your pal Joe in HR.

Source: https://www.businessinsider.com/coronavirus-email-scam-covid-19-phishing-false-information-who-cdc-2020-2?r=US&IR=T#check-the-senders-email-domain-and-see-if-it-matches-the-website-of-the-organization-they-say-they-work-for-then-check-the-urls-included-in-the-email-1

The address from this real-life phishing email looks suspicious. Its suffix, ‘iplowllc.com’, has nothing to do with the Centre for Disease and Control Prevention or the Government, which suggests it’s not really from the CDC.

Scammers could attempt to impersonate Government departments like in the example above, health organizations, schools, workplaces, a fake charity asking for donations, a false health center offering ‘free’ testing kits, or even your gym’s new quarantine policy – any official-looking organization that holds some sort of trust value. Remember to always confirm whether the email is from a source you recognise.

Malicious links

Coronavirus-themed phishing emails may also contain some form of malicious link. Even if it looks safe enough, clicking a link could take you to a malicious site, download info-stealing software, download software with hidden malicious functionality (what we call Trojan – hiding in plain sight), or even download ransomware onto your computer that takes your information and holds it to ransom. Not ideal.

Watch out for links that sound particularly intriguing or enticing. E.g.:

- “Click the link to find out the recent cases of Coronavirus in your area”

- “Head here to find out some common, surprising cures for the deadly virus”

- “You are eligible for a tax rebate of 128.34 GBP as part of the government established refund program for dealing with the coronavirus outbreak. Access your funds now”

And again, look for those sneaky characters that you might not spot in the actual URL:

- https;//who.org/coronavirus-information

- https;//www.google.com/tips/coronavirus-info

The links provide https;, not the standard https:. It’s easy to get caught out.

Here’s a positive example from the City of Bristol College:

If you’re unsure about a link, you can inspect it by hovering your mouse over the link in question to see where the URL leads. In this example from the college, it’s safe because the link takes you exactly where it says it would. Sometimes it’ll obviously be a scam, with complicated redirection or a suspicious looking website name; however, some links can seem incredibly authentic, so watch out.

If you’re not sure and are actually interested in what they might have to say, it’s fine to use good ol’ Google. Search for the legitimate page with key words like ‘world health organisation coronavirus information’, and you should be directed to the real page with all of the factual information and none of the hacking. Alternatively, try copy and pasting the content of the link into your browser to see if you’re taken to a real page. Reading it from here instead ensures it isn’t malicious.

Harmful files

Similar to a malicious link, a phishing email might come with a file attached and instructions to download it. This could be a PDF, a Word document, or even an .exe file. Always be wary of downloading a file from an email. Scammers can be incredibly sophisticated and could replicate your office HR team with ease.

Imagine receiving an email from HR that had two attached files to download:

“Company Health Advice and Measures”
“Work From Home Policy Forms”

The email asks you to download the files, fill out your details, and send back to this address. That’s easy, right?

A simple phishing attack may have just been employed, and an attacker has now gained access to all the details you submitted on the form. A more sophisticated and complex phishing email may have instead deployed an executable file onto your computer, allowing hackers to infiltrate, gain all your personal (and any company) information on your device, and create a “backdoor” to the network system to allow easy access for next time. Oops.

ABC News provides an interesting, topical example too.

Source: https://abcnews.go.com/US/coronavirus-pandemic-creates-perfect-storm-cybercriminals-exploit-people/story?id=69770890

More and more people are working remotely because of the outbreak, and you better believe that hackers will try to exploit this. Unfamiliar with this new working environment and the logistical challenges it presents, workers might be less protected on devices at home, and more likely to download a so-called presentation or work-related form without even thinking twice about it. Remember to take the time out to double check weird emails. Who is it from? Did you have a meeting planned with this person? Does their company name ring any bells at all? Ask someone on your team, and if it is as dodgy as it looks, mark the email as spam and delete it.

Immediate action

Phishing emails, whether themed on the Covid-19 pandemic or not, will often call for some immediate action to be taken. Scammers tend to imply a sense of urgency about their emails to scare vulnerable receivers into making the download or clicking the link without fully considering the full outcome or possibility of a threat.

Say you’re a delivery driver and have received this email:

“URGENT: Ventilator and testing equipment shipment blocked. Accept order here to continue with shipment.”

Amid these worrying and often frightening times, it could be even easier than usual to get an unaware victim to follow a link. Double check with someone before downloading anything from suspicious emails.

Requests for details

Legitimate Government agencies or banks will never ask you for your Social Security number, details, or any sort of login information via an email. Anything asking for this, as well as banking information or passwords, could be a phishing scam.

HSBC is doing it right by providing info to its customers. Don’t give out your details or move any money over to an unknown source.

Source: HSBC’s sponsored Instagram post

Similarly, this example from Abnormal Security shows how easy it is to impersonate your university and get you to log in via the email’s provided link. You just gave a malicious actor your login credentials, password, and access to the entire university system…

Poor spelling and grammar

You would have thought that the Director of the World Health Organisation would know how to use capital letters correctly, right? Right. If you spot spelling mistakes, commas out of line, or even a more generic greeting than usual, it’s probably because that email is a scam.

Check out this real-life example that was posited to be from Dr. Tedros Adhanom, the Director General of the WHO. It’s rife with spelling and grammatical errors.

Source: https://www.tripwire.com/state-of-security/security-awareness/covid-19-scam-roundup-week-of-3-16-20/
Too good to be true

If it sounds too good to be true, it probably is. You receive an email about Covid-19 protection. It sounds pretty appealing...

Source: https://coronavirusphishing.com/2020/03/23/protection-for-corona-virus/

An immunity oil? Why didn’t you say so! I’ll buy five cases for my family and 10 more for my local hospital. Let’s spread the word about this amazing protection!

I don’t think so, hackers.

Remember, once a phishing attack is underway, hackers can easily access a wealth of your personal and business information. They can use this knowledge to gain access to secure sites and secret intelligence, to infiltrate companies, undertake identity theft and fraud, and even hold you to ransom for monetary gain. It’s always worth taking a little more time to read over any emails you receive to make sure they’re legit.

Additional sources: https://coronavirusphishing.com/

Share this post