You receive an email at work from human resources. The subject line reads “Severance_Benefits.pdf.” Do you open it?
A lot of people do. The “you’re fired” email is one of the most successful pandemic-fueled phishing campaigns currently making the rounds. Like real life, the goal of these campaigns is to trade on COVID-related confusion and work the email recipient into a heightened emotional state where they do something rash and out of character, like (in this case) clicking on a malicious attachment or link.
The Washington Post recently profiled the current COVID-inspired threat landscape, including analysis from Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint. According to DeGrippo, what makes this moment so fraught is not only the uncertainty, disinformation, and confusion around COVID, but also proving vaccination status online.
“This has gone from a panicky cultural mood to something that’s become this rote, operationalized bureaucracy,” DeGrippo told WaPo. “That almost makes it easier for the bad actors because people are getting used to: “Upload your negative test here, go download this covid form, fill it out.”
Threat actors go where the people are. Right now, people are back to messaging online about the Delta variant and proving vaccine status. But this was not the case even a few months ago. As vaccines became widely available in the spring and early summer, COVID concerns dwindled dramatically. Correspondingly, so did COVID-themed phishing attempts. As Delta took root in the U.S. in late June, pandemic-related phishing attacks jumped 33 percent.
These days, people are furiously researching this terrifying variant, trying to navigate what schools are doing and how this might affect their kids, and to a lesser but growing extent, proving vaccination status. As more companies, concert venues and restaurants institute vaccine mandates, people are getting used to downloading COVID forms and uploading vaccination status. Since there is no uniform standard, proof of vaccination methods varies wildly. Worse yet, some of these status forms contain personal information people might not want “out there.”
All of this plays directly into the hands of threat actors, who are constantly updating their tactics. Here are the four types of phishing campaigns we’re seeing right now.
Proof of Vaccination
Companies like Google and Facebook are requiring proof of vaccination before returning to the office. Use extra caution when encountering “proof of vaccination” type emails, as your vaccination card contains valuable information about your identity, including your birthdate. Proofpoint has discovered one campaign going around that purports to be from an HR Department asking recipients to submit information about their vaccination statuses. The email contains a link taking them to a fake Microsoft sign-in page. The goal of course is to steal the user’s login credentials.
Emails from Fake Health Organizations
It’s highly unlikely that an unfamiliar nonprofit organization needs your name, Social Security number and a copy of your vaccination card. It’s even more improbable they’ll ask you for it by email. Use common sense if you receive such a query. When in doubt, open your browser and type in the site directly. The goal of these campaigns is to collect as much information about you as possible to either impersonate your identity or sell it to the dark web for a future attack.
Emails Saying You’ve Been Fired
Emails about being fired because of the pandemic have higher “open rates” than typical phishing attempts. Whether it’s an attachment titled your “COBRA Compensation Package” or “Severance Package,” or the like, chances are you’ll be in a more emotional (and irrational) state, making you more likely to click and make a mistake.
“It quite literally is clickbait,” DeGrippo told WaPo. “They need you to click on them, so in order to get the person to take the action, you’ve got to escalate their emotional state to one that has them emotional, instead of intellectual — thinking with the smart part of the brain.”
Emails About Coronavirus Precautions and Treatment Options
According to the WaPo article and Proofpoint’s findings, “one malware campaign disguised itself as an email update on coronavirus protective measures for the office. The senders even included figures about coronavirus infections and deaths in the body of each email, further compelling recipients to open the attachment.” The attachment was an Excel Spreadsheet, but that was of course beside the point. Opening the attachment was enough to launch the malware.
How to Protect Yourself
If something feels off, it probably is. Look for misspellings and grammatical errors, awkward phrasing, and other nonsensical gibberish. For instance, Proofpoint researchers uncovered a phishing attempt with a subject line reading “covid-19 vaccinations for its mask mandate for the ongoing disaster which.”
Also beware of legit-looking emails that are in fact not legit. For example, a legitimate email from firstname.lastname@example.org might be changed slightly to HR@company.com. Speaking of human resources, always verify requests from “HR” and other entities by (in this example) calling someone in Human Resources directly. Did someone really send you this document?
Use different passwords for your work and home email addresses. That way, if someone does compromise your credentials, they can’t do further damage at your job, or vice-versa.
Finally, employ a healthy skepticism of anything that arouses fear or uncertainty. Delta is a terrifying COVID variant…it’s OK to research it on a trusted site or medical journal. What you don’t want to do is “research” anything in an inbound email.