Number of COVID-19 Testing Scams Jumps Sharply

The number of COVID-19 test-related phishing scams increased by 521% between October 2021 and January 2022, according to a report published by Barracuda Networks, a provider of security and data protection platforms.

Mike Flouton, vice president of product management for Barracuda Networks, said that while cybercriminals have always used current events to launch phishing attacks, the increase in attacks related to COVID-19 testing jumped considerably as the Omicron variant of the virus spread around the globe. The daily average for COVID-19 testing-related attacks peaked in early January and then declined shortly afterward before starting to trend up again, he noted.

Those phishing attacks included offers to sell COVID-19 tests and other medical supplies, such as masks or gloves; fake notifications of unpaid orders for COVID-19 tests that asked individuals to provide a PayPal account; and impersonations of labs, testing providers or individual employees that purported to share fake COVID-19 test results.

In one example, cybercriminals impersonated an HR department and shared a file hosted on a phishing site, hoping to steal employees’ account credentials. The attackers even used the Office 365 logo and stated that the document being shared had already been scanned for virus and spam content.

The U.S. Department of Health and Human Services Office of the Inspector General has already issued an alert about the rising number of fraud schemes associated with COVID-19 and COVID-19 tests. Cybercriminals are now very adept at creating phishing attacks that appear legitimate, noted Flouton. The days when it was easy to spot a phishing attack because of spelling and grammar mistakes are coming to an end, he added. Cybercriminals are now employing individuals who not only have command of a local language, including its idioms, but who also study organizations’ and individuals’ communication styles before impersonating them, he said.

While tools for identifying phishing attacks are improving thanks, in part, to machine learning algorithms, Flouton said organizations still need to train end users to spot these types of attacks. The issue is that a lot of the training provided today is not engaging enough to convince employees to be more skeptical of the messages they receive, he noted.

In many cases, the training provided by security professionals is roughly equivalent to an online traffic school experience. Most of the individuals participating in this training are simply trying to get through it to comply with a mandate. As a result, the best practices being shared are not being consistently implemented. Organizations need to deliver phishing training in entertaining bite-sized chunks that are easy to digest, said Flouton.

A lot of organizations will also punish employees who fail to consistently recognize phishing attacks, especially when the stolen credentials are used to launch a more lethal ransomware attack. However, as phishing attacks increase in sophistication, even the most well-trained employee can now be fooled. Organizations need to augment training with security platforms that reduce the number of phishing attacks before they even arrive. After all, the most effective way to combat any phishing attack is to make sure it never happens in the first place.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.