According to recent reports, the number of reported phishing attacks has risen by some 600 per cent since February, the point at which it became clear that the Coronavirus was going to become a worldwide threat. The majority of these attacks are designed to cash in on people's fear and uncertainty.
Phishing attacks are normally sent via email, but they can also arrive by instant message, text (smishing) or phone call (vishing); none of that is new. The difference now is that most of us are working from home or simply isolating, and relying on an array of technology platforms to communicate on an unprecedented scale.
Catches of the month
Action Fraud reported in May on emails purportedly from Tesco offering customers a free shopping voucher. The link leads to a website that looks a lot like Tesco's but is an imitation built to harvest logins. The email is addressed simply to 'Customer', whereas genuine correspondence from an organisation would normally use the recipient's name. The message is also badly written, carries no Tesco branding and even spells the retailer's name 'Tesc0', with a zero in place of the letter o. Morrisons customers have been targeted with a similar voucher scam, as well as a fake prize draw. Despite people being more aware of the risks, some of us still fall victim to these scams.
Aimed not at shoppers but at high-ranking executives at more than 150 organisations, and with some success, a spear phishing campaign built around a 'boobytrapped' PDF has also been identified. Dubbed 'PerSwaysion', it has mainly targeted the financial sector and is remarkably simple. Victims receive an email from a legitimate, but compromised, address with a PDF attached. The PDF carries no malware, only a link; following it lands the victim on a page hosted on Microsoft Sway, Microsoft's newsletter and presentation service, which asks for their Office 365 login. The goal is again credential theft, and because the attachment is a normal file and the Sway page sits on a genuine Microsoft domain, spam filters raise no alert. That absence of any security warning, combined with the message coming from a real address belonging to someone the victim may know, makes this attack very hard to detect. To deal with it, look carefully at every email that contains an attachment or link, and if you were not expecting something from that person, confirm with them through another channel such as a phone call or instant message. Another reliable clue is that criminals often have a hard time replicating people's writing styles, either because English is not their first language or because the sender and recipient have a particular way of communicating that is hard to imitate.
Staying social in unsociable times
We have seen examples ranging in complexity and credibility. For example, a Facebook ‘promotion’ claimed to offer compensation for the spread of the virus up to £1 million, if you sent your personal details to the Facebook management team. This was a blatant scam, which we hope virtually anyone could spot.
WhatsApp has also been targeted, with messages asking users to forward verification codes, which lets the attacker take over the account and access its messages, photos and videos. It works like this: someone who knows your phone number registers it with WhatsApp on a different device, which causes WhatsApp to send the six-digit verification code to your phone. The scammer, often posing as a contact, then messages you and coaxes you into forwarding that code, at which point they control your account and can target your contacts with further demands. There are also emails and direct messages circulating that claim to be from Instagram, saying your account has been compromised and asking for your email address and password; this is all too common and fairly obvious.
However, things get trickier as scams become more and more sophisticated.
Beware of 'follow the rules'
Another scam which has been doing the rounds recently is a UK government payment hoax sent via text, again involving offers of compensation for Covid-19. The text states that the government is paying £258 to every resident as part of a promise to battle the virus and you are then prompted to tap a link. It is in a similar format to the nationwide text which was genuinely sent by the government at the start of lockdown, urging people to stay at home.
On close inspection the sender ID is spoofed, but, human nature being what it is, many people have been tempted by the promise of free cash. The link leads to a website imitating the government's site, which asks for personal bank details.
It's not just rewards that are being exploited but, unsurprisingly, threats as well. Lockdown has caused some confusion and, in addition, some thankfully infrequent over-zealous policing. One scam has seized on this by imitating the issuing of fines. Texts claiming to be from GOV.UK say that you have been seen leaving the house more than once and will be fined £250, rising to £500 if unpaid, with the added threat of arrest. You are then prompted to call an 0800 number to appeal. This is a pretty effective phish: it is grammatically correct, the sender ID reads GOV.UK, and the psychological effect of being accused of wrongdoing is enough to startle a good number of people into responding.
Stay home, stay safe?
Phishing attacks are not going to stop any time soon, so we recommend you treat every email that uses the pandemic as a subject sceptically. Avoid interacting with the links and attachments in these emails whenever possible, and if you receive unexpected messages with links to videos or online meetings, don't click.
Regardless of the type of phishing, you can prevent most of these attacks by not following links in email at all. If you want to visit what you think is a legitimate link, go to the real site manually and find the page there. Likewise avoid opening email attachments. If you are unsure about a link or attachment that seems to come from someone you know, call them first and make sure it is genuine.
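The tells described on this page (the generic 'Customer' greeting, the 'Tesc0' lookalike, a sender that does not belong to the brand it claims, and links that lead to an imitation site instead of the real one) can be turned into a simple triage check. The script below is an added example written for this article; it is not code from the original piece or from any WatchGuard product. The brand-to-domain table, the sample messages and every hostname ending in .example are constructed for illustration, and the heuristics are deliberately narrow: a clean result is not proof that a message is genuine, particularly for text messages, where the sender ID is trivially spoofable.

```python
"""Heuristic phishing-indicator checker (added example, not from the article).

Runs the tells described on the page over constructed sample messages:
a generic greeting, a digit-for-letter brand lookalike such as 'Tesc0',
a sender domain that does not belong to the brand being impersonated,
and links whose visible text or target host does not match that brand.
"""
import re
from urllib.parse import urlparse

# Domains the named brands really use. Assumed for this example; a real
# deployment would maintain this table from verified sources.
LEGIT_DOMAINS = {
    "tesco": {"tesco.com"},
    "morrisons": {"morrisons.com"},
    "gov.uk": {"gov.uk"},
}

# Digits scammers swap in for letters: 0->o, 1->l, 3->e, 4->a, 5->s.
LOOKALIKE = str.maketrans("01345", "oleas")

GENERIC_GREETING = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|member|client)\b", re.I)
URL_LIKE = re.compile(r"^(https?://|www\.)", re.I)


def normalise(token: str) -> str:
    """Lower-case a token and undo digit-for-letter substitutions."""
    return token.lower().translate(LOOKALIKE)


def host_belongs(host: str, brand: str) -> bool:
    """True if host is the brand's domain or a subdomain of it.
    'gov.uk.evil.example' does not end with '.gov.uk', so it is rejected."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS[brand])


def check_message(msg: dict) -> list:
    """Return a de-duplicated list of indicators found in msg.
    msg keys: from_display, from_addr, body, links (list of (text, href))."""
    findings = []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    if GENERIC_GREETING.match(msg["body"]):
        add("generic greeting")

    # Which brand does the message claim to be from, and is it spelt honestly?
    brands = set()
    for tok in re.findall(r"[A-Za-z0-9.]+", msg["body"] + " " + msg["from_display"]):
        tok = tok.strip(".")
        norm = normalise(tok)
        if norm in LEGIT_DOMAINS:
            brands.add(norm)
            if tok.lower() != norm:
                add(f"lookalike brand spelling: {tok!r}")

    # Email sender: the part after '@'. For SMS this is the alphanumeric sender
    # ID, which is trivially spoofable, so a clean result here proves nothing.
    sender_host = msg["from_addr"].rsplit("@", 1)[-1].lower()
    for brand in sorted(brands):
        if not host_belongs(sender_host, brand):
            add(f"sender domain {sender_host!r} does not belong to {brand}")

    for text, href in msg["links"]:
        host = (urlparse(href).hostname or "").lower()
        for brand in sorted(brands):
            if not host_belongs(host, brand):
                add(f"link to {host!r} while impersonating {brand}")
        # Visible link text that is itself a URL must agree with the real target.
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and shown.lower() != host:
                add(f"link text shows {shown!r} but points to {host!r}")
    return findings


# Constructed samples modelled on the scams the article describes.
TESCO_VOUCHER = {
    "from_display": "Tesc0 Rewards",
    "from_addr": "rewards@tesc0-vouchers.example",
    "body": "Dear Customer, you have been selected for a free Tesc0 shopping voucher. Claim it at the link below.",
    "links": [("https://www.tesco.com/voucher", "http://tesc0-vouchers.example/claim")],
}
GOV_PAYMENT_SMS = {
    "from_display": "GOV.UK",
    "from_addr": "GOV.UK",  # alphanumeric SMS sender ID, spoofed by the scammer
    "body": "GOV.UK: As part of our promise to battle COVID-19 the government is paying 258 pounds to every resident. Tap the link to claim.",
    "links": [("Claim payment", "http://gov-uk-payment.example/claim")],
}
GENUINE_TESCO = {
    "from_display": "Tesco",
    "from_addr": "news@tesco.com",
    "body": "Hi Alice, your Clubcard statement is ready at the link below.",
    "links": [("View statement", "https://secure.tesco.com/clubcard")],
}

if __name__ == "__main__":
    for name, m in [("tesco voucher", TESCO_VOUCHER), ("gov payment sms", GOV_PAYMENT_SMS), ("genuine", GENUINE_TESCO)]:
        print(name, "->", check_message(m) or ["no indicators"])
```

Note that the spoofed SMS sender ID passes the sender check and only the link gives it away; for the fine scam on this page, which offers a phone number rather than a link, none of these heuristics fire at all, which is exactly why the advice above is to verify through a channel you choose rather than one the message supplies.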
Corey Nachreiner, CTO, WatchGuard Technologies