Akankasha Dewan 07 April 2020 13:34:04 AEST

Warning: Email titled “IT COVID-19 Update” delivers phishing attack

The COVID-19 crisis has significantly affected the way we communicate and work, and cybercriminals are increasingly exploiting these disruptions to trick unsuspecting users.

MailGuard intercepted an email titled “IT COVID-19 Update” that contains a phishing link designed to harvest users’ usernames and passwords. The email uses a display name of “Brianna Milne”. Interestingly, the “To:” field contains the same name, along with the sender’s email address. The sending address belongs to a compromised email account and ends with the domain “@shdh.org.au”.

The email body informs the recipient that due to the recent COVID-19 outbreak, the IT helpdesk is working on an advanced portal for staff to ensure they can continue working effectively and stay on task/schedule. It directs the recipient to log in to the staff portal to update it via a link that is titled "STAFF PORTAL."

The email body ends by stating that failing to update the portal will result in the user’s account being deleted, along with a signature from “IT Helpdesk”.

Here is a screenshot of the email:

[Image: COVID full scam]

Unsuspecting recipients who click on the link to update their staff portal are led to a generic copy of the Outlook webmail login page. This is actually a phishing page that is currently offline.

We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

This is a good example of how cybercriminals are leveraging the uncertainty posed by the recent COVID-19 outbreak and its implications for the way we communicate and work. With many companies implementing new working policies (including remote work) for their employees, new and unfamiliar IT updates like these are increasingly expected from organisations as they try to ensure business continuity and “organize schedules”. Here are a few ways in which cybercriminals have attempted to make this email look like a legitimate notification from an organisation:

  • use of the “IT Helpdesk” signature to inspire authority,
  • use of a domain that ends with “.org.au”, which suggests the email is sent from a credible organisation, and
  • the threat of being removed from the database; this creates a sense of urgency and anxiety, especially among those users who might be working remotely and want to minimise the possibility of any IT issues or complications. This motivates users to take action immediately without checking on the email’s authenticity.

This practice of launching cyberattacks that are centered around ongoing trends isn’t anything new. Cybercriminals have long employed these tactics to take advantage of any disruptions and vulnerabilities in the hope that users’ uncertainties and fear around new changes will get the better of them and they will not pause to check the legitimacy of these emails.

Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the email doesn’t address the recipient directly, and that it contains several grammatical and spelling errors (e.g. “All staff/Empoyee”). The fact that the display name is the same as the name used in the “To:” field is another big red flag that this email is, in fact, not addressed to the recipients.

Coronavirus-themed cyberattacks are often designed to play with human psychology and emotions, like this one we intercepted a few weeks ago. As such, we strongly advise being extra vigilant when you receive emails such as these and looking out for any tell-tale signs that might be suspicious.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 
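
The red flags and precautions described above can also be checked mechanically. The following is an added example, not MailGuard's detection logic: it parses a message and reports which of those indicators are present. The sample message, its addresses and its URL are constructed placeholders, and comparing link hosts against the sender's domain is an assumed heuristic.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the email described above (placeholder addresses/URL).
SAMPLE = """\
From: "Brianna Milne" <b.milne@sender.example>
To: "Brianna Milne" <b.milne@sender.example>
Subject: IT COVID-19 Update
Content-Type: text/html; charset="utf-8"

<p>All staff/Empoyee,</p>
<p>Log in to the <a href="https://portal.unrelated.example/owa/">STAFF PORTAL</a>.</p>
<p>Failure to update will result in your account being deleted.</p>
<p>IT Helpdesk</p>
"""

URGENCY = re.compile(r"account\s+(will\s+be|being)\s+(deleted|removed|suspended)", re.I)
GENERIC = re.compile(r"\b(all\s+staff|dear\s+(user|customer|colleague)s?)\b", re.I)
HREF = re.compile(r'href=["\'](https?://[^"\']+)["\']', re.I)

def red_flags(raw: str) -> list[str]:
    msg = message_from_string(raw)
    flags = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    # Flag 1: the only visible recipient is the sender, so the reader is not addressed.
    if recipients and all(addr.lower() == from_addr for _, addr in recipients):
        flags.append("self_addressed")
    payload = msg.get_payload(decode=True)  # None for multipart messages
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    # Flag 2: generic greeting instead of the recipient's name.
    if GENERIC.search(body):
        flags.append("generic_greeting")
    # Flag 3 (assumed heuristic): a link leaves the sender's own domain.
    sender_domain = from_addr.rpartition("@")[2]
    for url in HREF.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            flags.append("link_off_sender_domain")
            break
    # Flag 4: threat of account deletion used to create urgency.
    if URGENCY.search(body):
        flags.append("account_deletion_threat")
    return flags
```

Any single flag is weak on its own; a filter or triage script would treat several together as grounds for quarantine or manual review.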

Don't get scammed

If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.

People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.
