Examples of COVID-19 Phishing Emails

Tony MasonSecurity Awareness & Phishing

Coronavirus Phishing Emails
Coronavirus Phishing Emails

The Epidemic of COVID-19 Phishing Emails Rages On. KnowBe4 customers using their Phish Alert Button (PAB) continue to share an ever-growing variety of emails from bad actors looking to capitalise on the crisis.

There are some rather unusual social engineering schemes. KnowBe4 are offering up a selection of those emails. IT administrators and users can then see for themselves what these scams look like.

The Tried & True

Spoofs of authoritative sources of information continue to be the most common malicious virus-themed emails. The top three spoofed organisations remain:

The CDC (Centers for Disease Control)…

coronavirus_phish-7a

The WHO (World Health Organisation)…

coronavirus_phish-13a

HR:

coronavirus_phish-8a

As with the earlier spoofs KnowBe4 reported, all three of these more recent emails lead to credentials phishes. The third (from HR) does take a bit of a novel approach. It instructs recipients to download an attachment billed as an informational poster/flyer for the walls. In reality, the alleged poster/flyer is just a standard credentials phish.

coronavirus_phish-8b

It’s also worth pointing out that the second email above (the WHO spoof) not only spoofs Docusign (a frequent target of malicious spoofs) as well as the World Health Organisation. It is also delivered through Sendgrid. Sendgrid is a well-known email service provider widely used by many companies.

Sadly, this isn’t the first time we’ve seen a malicious email campaign coming via what is almost certainly a compromised Sendgrid account. We also regularly encounter malicious emails phishing for Sendgrid account credentials. Indeed, malicious emails coming through Sendgrid are becoming more and more common. This is becoming a worrisome trend. Given that Sendgrid is likely whitelisted within many organisations, it’s worrying that emails are coming via that service to sail right through firewalls and email filtering straight into users’ inboxes.

The New & Novel

As we repeatedly advise, the bad guys are always innovating. They are always trying new approaches and experimenting with new social engineering schemes. Recently we’ve seen some rather striking and even unusual attempts to trick users into clicking through to malicious content. As we might expect, some of these newer social engineering schemes seem to work better than others.

As is currently being widely reported, malicious actors are now using a Coronavirus/COVID-19 dashboard. This is complete with a live map similar to the real thing built by folks at John Hopkins University. This is to lure users to sites that install malware of one sort or another.

This particular email spoofs HHS (the U.S. Department of Health & Human Services). It dangles a link to that malicious map application in front of users desperate for the latest information on the spread of the virus.

coronavirus_hhs_map-1

Although governmental agencies and organisations are the preferred targets for spoofing in virus-themed phishing emails, private companies are also targets as well.

In this malicious email the bad guys spoof the well-known health insurance giant Cigna. They hit users with a fake bill for “Coronavirus (COVID-19) insurance coverage.”

coronavirus_insurance-1

One might well wonder whether this is a viable approach. We don’t know at this point. Despite the fact the many users will recognise the improbability of Cigna signing them up for insurance coverage against a pandemic without even bothering to ask, there could well be plenty of freaked-out users who will immediately click that Big Blue Button to find out just what the heck is going on. Some may even find such (fake) news welcome and comforting.

The Utterly Bizarre

And then there is this spoof of Air Canada, which…well, maybe you’d just better take a look for yourself.

coronavirus_aircanada-1a

Well now. We’ve certainly seen Coronavirus survey emails before , both real and malicious (see KnowBe4’s second blog post from last week). This one, however, is off the charts. The malicious actors behind this spoof either: a) have an unusually warped and evil sense of humour; b) have it in for PR/Marketing at Air Canada (maybe the bad guys lost some frequent flyer points and weren’t too happy about it?); or, c) are just completely clueless and tone deaf.

Whatever the case, we wouldn’t expect many users to fall for this last phish. Then again, there’s one in every crowd.

Conclusion

Good information and education remain the best disinfectants for malicious online schemes trailing in the wake of the Coronavirus itself. Unlike toilet paper, hand sanitisers, and medical masks, good information is not in short supply and not subject to panic buying at your local grocery store.

Our hope is that by letting concerned users actually see the COVID-19-themed phishing emails that the media is widely reporting they can make better, more informed choices about how to navigate the flood of information landing in their inboxes at this stressful moment.

While your users are working from home, they are more likely to be phish-prone. Try this Free Phishing Test to see how vulnerable your business is.

KnowBe4 Security Awareness Training & Simulated Phishing well worth considering in the current climate as home workers are more susceptible to phishing emails.