Cyber security experts have warned that organised crime groups have developed a new phishing tool by leveraging the NHS brand name to lure victims into handing over their personal and financial data.
Cyber criminals have reportedly started a new COVID-19-related phishing scam that uses the NHS branding in emails sent out to victims. In this campaign the victims are sent emails with a link to a carefully designed website that resemble official government domains. It’s hard to identify as fake as this time there aren’t any grammatical or spelling errors.
The fake website associated with the scam states that the recipients have been selected for a shot of the COVID-19 vaccine based on their family and medical history. Victims need to update their personal information on the fake website in order to receive their shots.
According to experts at Mimecast, personal information like name, date of birth and financial details of Internet users were obtained through this phishing scam only to be either sold at the dark web or commit a fraud. Possibly buoyed by recent successes, fraudsters behind the phishing campaign has ramped up the email volume by 350% to target as many victims as possible.
Phishing scams related to COVID-19 have become more targeted and sophisticated with scammers moving beyond common themes to novel ones like unemployment, welfare benefits, and stimulus packages. Millions of people, even those in economically well-off regions, are now worried about whether they will be able to retain their jobs or find new ones, whether they will receive welfare benefits on time, whether their destroyed businesses will ever recover, or whether they will survive the pandemic.
With COVID-19 related lockdowns restricting people to their homes, people are using the Internet more than ever to connect with their loved ones, to do business, and to search for information about the pandemic and other areas of interest. This very trend has attracted online scammers who are experienced in exploiting people's curiosities and fears to win their trust and rob them of their privacy and money.
A recent study by Computer Disposals revealed that only 5% of the British public can accurately detect a phishing scam and differentiate between a genuine email and a scam email. Such being the case, the success of phishing scams leveraging genuine concerns related to the pandemic is almost guaranteed.
Commenting on the new COVID-19 phishing scam that leverages the NHS brand name, Sam Curry, chief security officer at Cybereason, says that COVID-19 related vaccine cyber scams are occurring at as rapid a pace as the vaccines are now being rolled out, and these phishing scams haven't reached their crescendo by any stretch. Once the vaccines started rolling out, it was only a matter of time before threat actors turned their attention away from the hospitals and researchers and focused on consumers.
“The year-long attacks on companies at the forefront of medical care and research had shown a cold-calculus, and now brazen phishing attacks against people looking to schedule a vaccine appointment are gutless and heartless. For anyone scheduling a vaccination, this isn't the first or last time social engineering will be used to steal proprietary information from you,” he added.
Boris Cipot, senior security engineer at Synopsys, said “Scammers and cyber criminals are good at taking advantage of situations in which people are emotionally and personally involved. Phishing emails and fake webpages are both tactics that have been employed for years to lure people into sharing their personal and financial data. These techniques and a close attention to detail have improved in the past few years, making it harder to identify a scam. One must trust their common sense and question everything that appears suspicious.
“Do not blindly comply with requests for data through email. Do not open email attachments or click on links. Moreover, do not enter any personal information into webpages you do not know. Even if the domain appears legitimate and the information on it seems plausible, you need to question it. Remember, there is no fast lane offered in the vaccination policy and even if there was, the government would not ask you for your financial details. You cannot buy a vaccination or a faster vaccination date,” he added.