Cybercrime actors are continuing to pivot their online criminal methods to take advantage of the COVID-19 pandemic, with an average of 4,400 cyber crimes being reported each month through ReportCyber – the Australian Cyber Security Centre’s online reporting platform. As we continue to work from home, without all the protections of a well equipped office, it’s vitally important that we remain vigilantly aware of our cyber security to protect our identities and our finances.
Here, we outline some of the crimes we are currently seeing, and provide some tips to help you spot the scams and protect yourself from them.
What we are seeing
Cybercrime actors are registering COVID-19 themed websites to conduct widespread phishing campaigns that distribute malicious software (malware) or harvest personal information from unsuspecting Australians.
Malicious cyber adversaries will continue to use COVID-19 themed phishing campaigns to obtain user credentials, allowing them to bypass security controls in order to gain access to accounts and networks belonging to individuals and businesses. This could include targeting employees working from home and the remote systems they are relying upon. Sophisticated adversaries will also be focused on covertly obtaining COVID-19 information, such as details of Australia’s pandemic responses and research on vaccines and treatments, broadening the types of information they typically target.
Those engaged in cybercrime activities continue to rapidly adapt their techniques in response to changes in the current environment. We have observed new phishing campaigns that align with breaking developments, such as government relief payments or public health guidance, within days, even hours, of these announcements occurring. Cyber criminals are also amending historical methodologies or widespread scam campaigns with a COVID-19 theme.
COVID-19 themed SMS phishing campaigns
Numerous SMS phishing campaigns seek to trick recipients into clicking on a malicious web link contained in the message. While the links appear to come from legitimate organisations, such as the Australian government or a financial institutions, they actually direct the recipient to a malicious website that is hosting malware. For example, in one campaign, the malicious actor is directing people to a website hosting the Cerberus banking Trojan, a form of malware that has been carefully crafted to steal your financial information.
Case study 1: Banking themed SMS phishing campaign
On Monday, 30 March 2020, the ACCC received sixteen reports of a Westpac themed phishing text. The link in the SMS directed recipients to a website that attempts to harvest personal information.
COVID-19 payment phishing campaigns using Australian Government branding
There have also been a range of payment themed scams targeting Australians that use official Australian Government branding. The fraudulent emails come from addresses that very closely resemble or spoof official Australian Government email accounts. The emails aim to trick the recipient into installing malware onto their device and/or to harvest their personally identifiable information.
Case study 2: Australian Government official spoofed in email phishing campaign
April 2020, a report was received from an Australian Government department that a senior staff member’s email was being spoofed as part of a COVID-19 themed phishing campaign. The email contained an attachment with embedded malware that was designed to steal sensitive information such as banking usernames and passwords.
Case study 3: Phishing campaign pretending to come from Australian Government
Cybercriminals are impersonating official Australian Government correspondence about COVID-19 assistance payments in order to steal personally identifiable information (PII). In this example, the phishing email invites the recipient to provide all of their PII, including tax file number and copies of their identity documents (driver licence or passport and Medicare card) in order to access a benefit payment. Individuals who provide this much personal information are at significant risk of identity theft. With this information, criminals could open bank accounts or take out loans in your name.
Case study 4: Economic stimulus payment phishing email
Cyber criminals are preying on people who are out of work and seeking to access financial assistance from the government or their employer. On 3 April 2020, this phishing email was sent to hundreds of employees within a large Australian company. Recipients were asked to click on the link in order to receive a $1,000 benefit payment to be delivered in the March payroll. The link redirects users to a website designed to install malicious software onto the company’s corporate network.
SMS phishing campaigns about COVID-19 testing and restrictions
We have also received reports about a number of malicious emails and text messages from cyber criminals that claim to provide information on how to get tested for, or stay protected from, COVID-19. These malicious messages claim to be from Australian Government agencies or other trusted sources such as the World Health Organisation (WHO). They try to convince the recipient to click on a link or open an attachment that will then install malware and steal sensitive information such as bank account details.
Case study 5: COVID-19 testing themed SMS phishing campaign
On 31 March 2020, a report from an Australian Government agency about a SMS phishing campaign. The message was designed to appear as though it came from ‘Gov’ and requested that recipients click on a malicious web link that spoofed an official government domain. This website was hosting malware. After the domain used in this initial campaign was taken down, the cybercriminals quickly switched tactics. A new domain was created to host the malware and messages were redesigned to spoof ‘MyGov’. By replacing the alpha tags in the SMS header with ‘MyGov’, the malicious actor was able to deliver these messages within the existing legitimate SMS chain between individuals and Services Australia.
Remote access scams targeting people working from home
We are receiving an increasing number of reports from businesses and members of the public about remote access scams. Most of these reports indicate that the scammers are pretending to be from IT companies, telecommunications companies, and banks. Cyber criminals often attempt to persuade you to give them remote access to ‘fix an issue’, and will provide a range of scenarios to convince you that they need immediate access to your device.
Allowing anyone access to your devices can, and usually does, result in devastating consequences, including financial loss or the compromise of your personal accounts. If you are unsure about the identity of a caller, just hang up and check their official website for the legitimate contact details and then call them back.
Case study 6: Microsoft themed remote access scam
Scammers are exploiting a legitimate United States Microsoft support number – (1) (800) 642 7676. However, when dialing a 1800 number in Australia, only the next six numbers after 1800 will be accepted. When Australians dial the legitimate United States support number, they dial 1800 642 767 which has been registered by cyber criminals. On calling the number registered by cyber criminals, victims are asked to provide their name and date of birth for verification and are informed someone will call back shortly. The cyber criminal calls back and directs people to download a remote access program that gives the criminals access to their computer. Once access has been gained, the cyber criminal convinces the victim that their computer is compromised and that they need to pay a large sum of money for it to be fixed. The scammers are insistent that due to the COVID-19 conditions in Australia they are required to pay in untraceable cryptocurrency. The scammers will also try to extract banking details while they have remote access and drain people’s bank accounts and access any other sensitive information.
Case study 7: IT help desk scam
Cyber criminals are aware that increased numbers of Australians are working from home at the moment, and are crafting their scams accordingly. This phishing email below pretends to come from your employer’s IT help desk, requesting that staff log into a new portal in order to access the latest information about tasks. Recipients who click on the link are directed to a malicious website that seeks to collect their username and password, which the cyber criminals then use to gain unauthorised access to the company’s corporate networks.
Fraudulent payments over the internet and business email compromise
Cyber criminals continue to adapt previously successful methodologies to leverage the COVID-19 pandemic, and one such approach is known as business email compromise, or fraudulent payments over the internet. This method attempts to convince businesses and/or clients to redirect payments, such as payroll or supplier and invoice payments, to a bank account run by the criminals. Cyber criminals attempting to obtain fraudulent payments over the internet will often use a compromised email account or a spoofed/fake email address of the business, supplier, or client. Scams like this commonly target businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.
Case study 8: COVID-19 themed wire-fraud email
On 26 March 2020, a business notified authorities that one of their clients had received a COVID-19 themed fraud email. The business email account of their manager was compromised, which was then used to send the invoice-themed email. The email was identified as suspicious by the person who received the email.
Mitigation strategies for combatting COVID-19 scams and phishing emails
How to spot if an email or text message is phishing
There are some key details to look out for to help determine if a text message or email is phishing:
- Read the message very carefully, look for anything that isn’t quite right, such as spelling, tracking numbers, names, attachment names, sender, message subject and URLs.
- On a PC or laptop, hover your mouse over links to see if the embedded URL is legitimate, but don’t click.
- Google information such as sender address or subject line, to see if others have reported it as malicious.
- Call the organisation on their official number as it appears on their website (separate to any contact details in the received message) and double-check the details or confirm the request is legitimate.
- Do not contact the phone number or email address contained in the message, as this most likely belongs to the scammer.
- Use sources such as the organisation’s mobile phone app, web site or social media page to verify the message.
Protect yourself against phishing emails
As shown in the examples above, cyber criminals and scammers produce phishing emails that look legitimate. By following these simple steps, you can assist in protecting yourself against phishing emails:
- Before opening an email, consider who is sending it to you and what they’re asking you to do. If you are unsure, call the organisation you suspect the suspicious message is from, using contact details from a verified website or other trusted source.
- Do not open attachments or click on links in unsolicited emails or messages.
- Do not provide personal information to unverified sources and NEVER PROVIDE REMOTE ACCESS TO YOUR COMPUTER
- Remember that reputable organisations locally and overseas, including banks, government departments, Amazon, PayPal, Google, Apple and Facebook, will not call or email to verify or update your personal information.
- Use email, SMS or social media providers that offer spam and message scanning.
- Use two-factor authentication (2FA) on all essential services such as email, bank and social media accounts, as this way of ‘double-checking’ identity is stronger than a simple password. 2FA requires you to provide two things, your password and something else (e.g. a code sent to your mobile device or your fingerprint) before you, or anyone pretending to be you, can access your account.
We, at Bentleys, are doing everything we can to help businesses come out of this challenging time in good shape.
We will continue to update our COVID-19 resource hub with important developments, so please return soon.
Disclaimer: This information is general in nature and should not be relied on as advice. It does not take into account the objectives, financial situation or needs of any particular person. You need to consider your financial situation and needs and seek professional advice before making any decisions based on this information.