According to Barracuda Networks, scammers are taking advantage of the focus on COVID-19 testing and the need for at-home test kits.
COVID-19 test kits have been in high demand in recent months. With increased demand has come a scarcity of test kits, as well as confusion about where and how to obtain them. As a result, test-related scams have increased. According to Barracuda, the number of COVID test-related phishing attacks increased by 521 percent between October and January. The daily average fell after peaking in January but has recently begun to rise again.
Cybercriminals use a variety of tactics in their phishing campaigns to capture the attention of potential victims.
In some cases, attackers sell COVID-19 tests as well as medical supplies like masks and gloves. Many of these offers are for counterfeit or illegal goods. Scammers may also send a phony notification of an unpaid order for COVID-19 tests; these emails include a PayPal account to which the attackers hope fearful or desperate victims will send money. In other cases, criminals pose as representatives of laboratories or testing facilities, promising to share COVID-19 test results.
In one phishing email intercepted by Barracuda, the scammer promotes COVID-19 rapid test kits with competitive prices and quick delivery dates. The attacker attempts to legitimize the hoax by claiming that the products have already been shipped to the European market and are CE certified (meeting European Union requirements for health, safety, and the environment).
In another phishing email, the criminals are selling not only COVID-19 test kits and analyzers, but also thermometers, pulse oximeters, vaccine storage freezers, and vaccine injection syringes.
In another phishing email, the attackers pose as a company’s HR department and attach a PDF file claiming to be a COVID-19 vaccination self-compliance report. The scammers are attempting to steal account credentials from unsuspecting employees by spoofing Microsoft and Office 365 in the email.
In reality, US officials have attempted to make the COVID-19 at-home test kits more widely available. Anyone who purchases test kits in a regular retail setting can now submit the purchase to their insurance provider for reimbursement. You can also order up to four free test kits per household from the US Post Office.
Barracuda offers the following tips for IT and security professionals to protect themselves and their organizations from phishing attacks that target COVID-19 tests and related topics:
Any emails about COVID-19 tests should be treated with caution. Instruct your users to be wary of emails attempting to sell COVID-19 test kits, provide information on testing sites with immediate availability, or share test results. Warn them not to click on any links or file attachments in such emails, especially if they are unexpected.
Consider artificial intelligence. Because sophisticated attackers can bypass email gateways and spam filters, you need security products to protect your organization from spear-phishing attacks. The right technology does more than just scan for malicious links or attachments; it also employs artificial intelligence and machine learning to detect anomalies in your normal communication patterns.
Count on account takeover safeguards. Many threats originate not only from external email messages but also from internal ones sent through compromised employee accounts. As a result, you must ensure that scammers do not use your organization to launch attacks against itself. For this, rely on security products that use artificial intelligence to detect when accounts have been compromised, alert users in real time of such incidents, and remove malicious emails from those accounts.
To prevent fraud, establish strict internal policies. Create and review internal policies to ensure that all personal and financial information is handled properly. Establish policies and procedures for confirming all email requests for wire transfers and payment changes. Any financial transaction should require in-person or phone confirmation and approval from multiple people.
Employees should be trained to recognize and report cyberattacks. Provide employees with information on the most recent COVID-19-related phishing scams and other potential threats. Make sure your users can detect these attacks and report them to your IT staff or help desk right away. Use phishing simulations for email, voicemail, and text messages to help employees recognize a cyberattack.
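The lure characteristics described above (test-kit sales pitches, unpaid-order notices pointing at a PayPal account, fake test-result notifications, and an HR-themed PDF that spoofs Microsoft/Office 365 in the display name) can be turned into a simple mail-triage rule. The script below is an added example, not Barracuda's product logic or code from the article: it scores constructed sample messages against those patterns and flags the display-name/sender-domain mismatch. The sample emails, the trusted-domain set, the regexes and the weights are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Email:
    sender: str                     # raw From header, e.g. 'Name <user@domain>'
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names


# Lure patterns derived from the campaigns the article describes (constructed regexes).
COVID_TEST = re.compile(r"\b(covid|coronavirus|sars-cov-2)\b.*\b(test|testing|kit|kits|results?)\b", re.I | re.S)
SALES_PITCH = re.compile(r"\b(buy now|order now|purchase|competitive prices?|quick delivery|fast delivery|in stock|ce certified)\b", re.I)
UNPAID_ORDER = re.compile(r"\b(unpaid|outstanding|overdue)\b.*\b(order|invoice)\b", re.I | re.S)
PAYPAL = re.compile(r"\bpaypal\b", re.I)
TEST_RESULTS = re.compile(r"\b(your|the)\s+(covid(?:-19)?\s+)?test\s+results?\b", re.I)
VACCINE_REPORT = re.compile(r"(vaccination|vaccine).{0,40}(self[- ]?compliance|report|form)", re.I)

BRAND_WORDS = ("microsoft", "office 365", "office365", "o365")
# Assumption: the domains a real Microsoft/Office 365 notification would come from in this toy check.
TRUSTED_BRAND_DOMAINS = {"microsoft.com", "office.com"}

WEIGHTS = {
    "covid-test-topic": 1,
    "test-kit-sales-pitch": 2,
    "unpaid-order-notice": 2,
    "test-results-lure": 2,
    "paypal-payment-demand": 2,
    "brand-display-name-mismatch": 3,
    "vaccination-report-pdf": 2,
}


def brand_spoof(sender: str) -> bool:
    """True when the display name claims Microsoft/Office 365 but the address is not on a trusted domain."""
    name, addr = parseaddr(sender)
    domain = addr.rsplit("@", 1)[-1].lower()
    claims_brand = any(word in name.lower() for word in BRAND_WORDS)
    return claims_brand and domain not in TRUSTED_BRAND_DOMAINS


def score_email(mail: Email):
    """Return (score, verdict, reasons) for one message."""
    text = f"{mail.subject}\n{mail.body}"
    reasons = []
    if COVID_TEST.search(text):
        reasons.append("covid-test-topic")
        if SALES_PITCH.search(text):
            reasons.append("test-kit-sales-pitch")
        if UNPAID_ORDER.search(text):
            reasons.append("unpaid-order-notice")
        if TEST_RESULTS.search(text):
            reasons.append("test-results-lure")
    if PAYPAL.search(text) and UNPAID_ORDER.search(text):
        reasons.append("paypal-payment-demand")
    if brand_spoof(mail.sender):
        reasons.append("brand-display-name-mismatch")
    pdfs = [a for a in mail.attachments if a.lower().endswith(".pdf")]
    if pdfs and VACCINE_REPORT.search(text + " " + " ".join(pdfs)):
        reasons.append("vaccination-report-pdf")
    score = sum(WEIGHTS[r] for r in reasons)
    verdict = "quarantine" if score >= 5 else "warn" if score >= 2 else "deliver"
    return score, verdict, reasons


# Constructed sample messages modelled on the lures described in the article.
SAMPLES = [
    Email("Rapid Diagnostics <sales@rapid-kits.example>",
          "COVID-19 rapid test kits - competitive prices, fast delivery",
          "Our kits are CE certified and already shipped to the European market. Order now."),
    Email("Billing <billing@orders.example>",
          "Unpaid order #4471: COVID-19 test kits",
          "Your order for 20 COVID test kits is unpaid. Send payment to our PayPal account today."),
    Email("Lab Services <no-reply@lab-results.example>",
          "Your COVID test results are ready",
          "Click the link to view your test results."),
    Email("Microsoft Office 365 <hr-notify@docshare-portal.example>",
          "Action required: COVID-19 vaccination self-compliance report",
          "HR requires all employees to review the attached report and sign in with your Office 365 credentials.",
          ["vaccination_self_compliance_report.pdf"]),
    Email("Microsoft 365 <noreply@microsoft.com>",
          "Your subscription renews next month",
          "No action needed."),
]

if __name__ == "__main__":
    for mail in SAMPLES:
        score, verdict, reasons = score_email(mail)
        print(f"{verdict:10} score={score} {mail.subject!r} {reasons}")
```

The brand check is deliberately narrow: it only fires when the display name names the brand and the envelope domain is outside the trusted set, which is exactly the mismatch the HR-themed lure relies on. In a real gateway the keyword rules would sit behind the gateway's own anomaly detection and the trusted-domain list would come from SPF/DKIM-validated sender data rather than a hard-coded set.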