Since the World Health Organization (WHO) declared the COVID-19 outbreak a pandemic on March 11, IBM X-Force has observed a more than 6,000 percent increase in COVID-19-related spam, with lures running the full gamut of challenges and concerns facing individuals — from phishing emails impersonating the Small Business Administration (SBA) and the WHO to U.S. banking institutions offering relief funds.

To better understand how effective phishing attempts exploiting the global health crisis could be against U.S. residents, IBM Security and Morning Consult conducted the 2020 Consumer & Small Business COVID-19 Awareness Study. The survey revealed the need to strengthen respondents’ understanding of the legitimate channels that government institutions use to communicate with constituents, as well as small business owners’ uncertainty regarding the resources made available to them by the U.S. government. Some key highlights from the study include:

  • Alleged emails from the IRS aren’t raising red flags — 35 percent of respondents expect to receive communication from the IRS by email despite years of warnings from the IRS, law enforcement agencies and the security community that the IRS will never email an individual about their tax filing.
  • Small business owners’ confusion grows — Only 14 percent of small business owners feel very knowledgeable about the process to get access to the U.S. government’s small business loan relief program despite the continuous guidance that government officials have been offering.
  • Stimulus checks and COVID-19 testing become the perfect clickbait — Over half of respondents said they would click on links or open attachments in emails pertaining to their stimulus check eligibility. Available COVID-19 testing nearby was the second-most enticing topic that respondents would engage with.

Cybercriminals are being very calculated with their attacks and continue to pivot their tactics to lure victims. In fact, IBM X-Force saw that more than 50 percent of all COVID-19-related spam observed since the onset of the pandemic was sent in the first two weeks of April alone, coinciding with when the U.S. small business relief loan program became available and stimulus checks started being issued.

Small Business Owners at the Epicenter of Spammers and Scammers’ Aim

IBM X-Force has observed spam campaigns that impersonate the SBA and promise recipients government relief funds. The malicious emails entice targets to open a spoofed application attachment that triggers a malware infection on their devices and, in turn, allows cybercriminals to collect sensitive information and even take control of victims’ devices.

Interestingly, the joint IBM Security and Morning Consult study revealed that nearly 40 percent of small business owners believe they’ve been targeted with malicious COVID-19 spam emails. The uncertainty surrounding the availability of funds and how they are being allocated increases confusion among small business owners and creates new opportunities for attackers. Surprisingly, 42 percent of small business owners surveyed were unfamiliar with the small business loans being offered by the government to mitigate the impacts of COVID-19. Even among those familiar, the questions are many.

Figure 1: Screenshot of COVID-19 spam sample claiming to be from the SBA

Stimulus Checks and Relief Funds Yield High ROI for Attackers

The latest reports show that 22 million Americans have found themselves unemployed or furloughed as a result of the pandemic, making them vulnerable targets for cybercriminals. During this period, IBM X-Force identified several spam campaigns spoofing banks that are offering coronavirus financial relief through stimulus payments, notifications of money transfers and more. Many emails include realistic logos and even spoofed websites to gain access to login credentials. Indicatively, some of the malicious spam themes we observed include:

  • American Express spam emails offering $2,400 in stimulus relief that requires authentication to claim the money. Once the recipient clicks the enclosed hyperlink to authenticate their identity, they’re redirected to a spoofed, benign-looking page to input their login credentials, which cybercriminals gain access to in real time.
  • Wells Fargo spam emails providing the recipient a relief payment from another alleged Wells Fargo customer, prompting the recipient to verify their account ownership in order to claim the funds. Through the spoofed account verification process, attackers are able to steal the login credentials of the recipient.

Figure 2: Screenshot of COVID-19 spam sample claiming to be from American Express

The study illustrated the increased risk that these spam campaigns present, revealing that over half of respondents would engage with these types of emails. In fact, 64 percent of adults who are recently unemployed would be most likely to engage with an email related to their stimulus relief eligibility.
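For mail administrators, the brand-impersonation pattern described above (a trusted name in the sender line, with links leading to a spoofed login page) can be checked mechanically. The following Python sketch is an added example, not code from IBM X-Force; the brand-to-domain mapping, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping: brand named in the lure -> domains that brand really uses.
BRAND_DOMAINS = {
    "american express": {"americanexpress.com"},
    "wells fargo": {"wellsfargo.com"},
    "small business administration": {"sba.gov"},
}
HREF = re.compile(r'href="([^"]+)"', re.I)

def _in_domains(host, domains):
    # Exact match or true subdomain; "brand.com.evil.example" must not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return findings for one single-part RFC 5322 message given as text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    claimed = (display + " " + msg.get("Subject", "")).lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claimed:
            continue  # message does not claim to come from this brand
        if not _in_domains(sender_host, domains):
            findings.append(f"sender domain {sender_host} does not belong to {brand}")
        for url in HREF.findall(msg.get_payload()):
            host = urlparse(url).hostname
            if not _in_domains(host, domains):
                findings.append(f"link host {host} does not belong to {brand}")
    return findings

# Constructed samples; the lookalike hosts use the reserved .example TLD.
PHISH = (
    'From: "American Express" <relief@amex-stimulus.example>\n'
    "Subject: Claim your $2,400 stimulus relief\n\n"
    '<a href="https://americanexpress.com.login.example/auth">Authenticate</a>\n'
)
LEGIT = (
    'From: "American Express" <notice@mail.americanexpress.com>\n'
    "Subject: Your statement is ready\n\n"
    '<a href="https://www.americanexpress.com/">View statement</a>\n'
)

if __name__ == "__main__":
    print({"phish": check_message(PHISH), "legit": check_message(LEGIT)})
```

A display-name check like this complements, rather than replaces, SPF, DKIM and DMARC enforcement, since those validate the sending domain but not the name a recipient actually reads.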

How to Spot Scams and Stay Safe

This is not the first or the last time that we will see cybercriminals take advantage of current affairs and challenges for their personal benefit, but what the data and intelligence should remind us is that there is no honor among thieves. Cybercriminals will continue to view times of uncertainty as an opportunity, seeking new ways to exploit targets when they have their guard down. It’s essential that people take steps to reduce the risk of falling victim to these malicious acts, including:

  • Use trusted sources — When looking for information, go directly to the website of the organization instead of clicking on links to redirect you there.
  • Don’t open unsolicited attachments — Never open attachments or links from unknown sources.
  • Be on alert for COVID-19-related scams — Do not engage with unsolicited emails or texts pertaining to small business relief funding, the Paycheck Protection Program or unemployment funding. These emails will typically try to prompt you to share sensitive information, spoof login pages to steal sensitive account credentials or lure you in to open malicious attachments.
  • The IRS will never email you — For security reasons, the IRS will never email or call people — instead, you’ll receive communications from them via snail mail. The institution has been directing people to IRS.gov to address questions.
  • Watch out for fraud speak — This includes peculiar use of words, odd spelling (e.g., British English) and typos in emails that spread a sense of urgency or fear.
  • Update and patch — Nearly 90 percent of vulnerabilities spammers exploited in 2019 were traced back to known vulnerabilities. It’s essential to update your software and make sure your antivirus is always up to date.
  • Use multifactor authentication (MFA) — Use multifactor authentication on anything that enables remote access. For example, if you have MFA on your bank account and someone tries to log in, they can’t without your authentication.

Download the full report

For more information on protecting your business during the COVID-19 pandemic, visit IBM Security’s resources page on protecting and enabling your remote workforce. If you have experienced a cyberattack and need help, contact IBM X-Force Incident Response and Intelligence Services (IRIS).
