Earlier this month, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that a malicious actor has been sending out phishing emails containing links to a website spoofing the Small Business Administration (SBA) COVID-19 loan webpage. The CISA reports that these emails have a subject line that says “SBA Application – Review and Proceed” and a sender marked as disastercustomerservice@sba(.)gov.
If you follow the link in the body of one of these emails, you’ll reach a screen prompting you to sign in to your SBA Economic Injury Loan portal account, which the perpetrator of this scam will use to steal your credentials. This is just one example of the many phishing schemes that cybercriminals have launched to take advantage of those affected by the novel coronavirus pandemic. Now more than ever, it’s vital to proactively protect your organization against these attacks and ensure your team members know how to spot suspicious messages.
Coronavirus-Themed Phishing Schemes: What to Watch Out For
Soon after COVID-19 began to spread around the world, hackers hatched plans to exploit the victims of the outbreak. The U.S. Department of Justice warns on its website that malicious actors are trying to capitalize on this catastrophe via “a variety of scams.” In addition to attacks on remote work infrastructure, this surge of coronavirus-driven cybercrime has included a flood of phishing emails.
In a joint alert issued in April, the CISA and the United Kingdom’s National Cyber Security Centre (NCSC) observed that malicious actors were sending out phishing messages with “COVID-19” or “coronavirus” in their subject lines to entice recipients eager for information about the pandemic and relief efforts. Some of these fraudulent emails claim to come from official sources like the SBA, Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO).
Around the same time that the CISA and NCSC issued that alert, Google’s Threat Analysis Group (TAG) reported detecting 18 million malware and phishing Gmail messages per day with COVID-19 themes. In the months since then, coronavirus-related phishing campaigns have made headlines numerous times. Here are just a few examples, in addition to the SBA COVID-19 loan website scam:
- Hackers have launched COVID-19 phishing schemes targeting tax professionals in an effort to steal their clients’ information, according to CPA Practice Advisor.
- Some phishing campaigns have attempted to lure people into downloading a malicious attachment that promises information about a coronavirus vaccine, according to TechRepublic.
- National Health Service (NHS) staff have been bombarded with more than 40,000 phishing emails during the pandemic, according to Healthcare Dive.
If a member of your staff gets fooled by one of these malicious messages, the consequences for your company could be severe, particularly because phishing emails are often a vector for ransomware.
The Link Between Phishing and Ransomware
Phishing schemes aren’t just tools leveraged for credential theft but are also a common method for distributing ransomware, a type of malicious software that encrypts your files and demands a ransom in exchange for decryption, according to the CISA. In recent months, there’s been a rise in email-based attacks that deliver ransomware directly as the initial payload, according to research conducted by Proofpoint.
Additionally, the pandemic inspired malicious actors to up the average ransom payment to $111,605 in the first quarter of this year, an increase of 33 percent compared to the last quarter of 2019, according to a report from Coveware. That report also cites phishing emails as a top attack vector.
For example, the FBI has sounded the alarm about hackers leveraging COVID-19-themed phishing emails to trick recipients into downloading a type of ransomware called Netwalker, according to BankInfoSecurity. Malicious actors deploying Netwalker have taken credit for extracting a $1.14 million ransom from the University of California San Francisco after encrypting several servers.
The FBI recommends secure backups as a way to prepare for potential ransomware attacks so that you can access a copy of your data without giving in to the attackers’ demands. However, it’s crucial to note that backups are no longer enough to combat all kinds of ransomware. For example, the variant Maze introduced a new approach that involves leaking sensitive data if you refuse to pay the ransom, according to Malwarebytes Labs.
How to Protect Your Company From Phishing Campaigns
The onslaught of phishing attempts is likely to continue for some time along with the pandemic, so it’s imperative to take steps to reduce the chances that your team members will take the bait and expose sensitive data. In the CISA alert about phishing emails containing spoofed COVID-19 relief loan website links, the agency recommends various best practices to combat these kinds of campaigns, including the following:
- Labeling all emails that come from outside your organization so recipients know to proceed with caution
- Maintaining strong password policies
- Patching and updating all systems and programs on a regular basis to minimize points of vulnerability
- Ensuring everyone knows to be careful when opening email attachments, no matter who the sender is
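The first practice above (labeling external email) and the sender-versus-link check that the SBA lure relies on can both be automated at the mail gateway. The following is an added example, not code from the article or from CISA: it parses a constructed message modelled on the campaign described earlier, prepends an [EXTERNAL] tag when the sender is outside an assumed internal domain (`example.org`), and lists every link whose host does not belong to the domain the sender claims. The sample message, its link and the `INTERNAL_DOMAIN` value are all constructed.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.org"  # assumed: the organisation's own mail domain
HREF_RE = re.compile(r"""href=["']?(https?://[^"'\s>]+)""", re.I)

# Constructed sample message resembling the campaign described above.
SAMPLE = b"""From: disastercustomerservice@sba.gov
To: staff@example.org
Subject: SBA Application - Review and Proceed
Content-Type: text/html

<p>Sign in to your loan portal:
<a href="https://sba-loan-portal.example.net/login">Proceed</a></p>
"""


def sender_domain(msg):
    """Domain part of the first From address, lower-cased."""
    return msg["From"].addresses[0].addr_spec.rsplit("@", 1)[-1].lower()


def same_org(host, domain):
    """True when host is domain itself or a subdomain of it (not a lookalike)."""
    return host == domain or host.endswith("." + domain)


def analyse(raw):
    """Return the labelled subject plus the links whose host does not match
    the domain the sender claims; both are signals a reviewer should see."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    domain = sender_domain(msg)
    external = not same_org(domain, INTERNAL_DOMAIN)
    subject = msg["Subject"]
    if external:
        subject = "[EXTERNAL] " + subject  # the labelling practice from the list above
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    mismatched = [u for u in HREF_RE.findall(body)
                  if not same_org((urlparse(u).hostname or "").lower(), domain)]
    return {"subject": subject, "external": external,
            "sender_domain": domain, "mismatched_links": mismatched}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A mismatched link is a review signal, not proof of phishing, since legitimate senders also link to third-party hosts; the value is that the reader sees the [EXTERNAL] tag and the foreign link host before signing in.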
If it’s been a while since your staff underwent security awareness training, this is a good time to refresh their memory and make sure they know how to spot a malicious message (e.g., by watching for grammatical errors and checking that the sender is really who they say they are). Implementing advanced cybersecurity solutions like the following can also significantly reduce your data breach risk level:
- Email spam filter
- Endpoint and network Managed Detection and Response (MDR)
- Zero-trust network architecture with a Secure Access Service Edge (SASE)
If you’d like to learn more about how to protect your organization from phishing and other types of cyberattacks, our team of experienced security analysts would be happy to assist you. Just give us a call at 877-599-3999 or email firstname.lastname@example.org.