Since the World Health Organization (WHO) declared the COVID-19 outbreak a pandemic on March 11, IBM X-Force has observed a more than 6,000 percent increase in COVID-19-related spam, with lures ranging the full gamut of challenges and concerns facing individuals — from phishing emails impersonating the Small Business Administration (SBA) and the WHO to U.S. banking institutions offering relief funds.

To better understand how effective phishing attempts exploiting the global health crisis could be against U.S. residents, IBM Security and Morning Consult conducted the 2020 Consumer & Small Business COVID-19 Awareness Study. The survey revealed the need to strengthen respondents’ understanding of the legitimate channels that government institutions use to communicate with constituents, as well as small business owners’ uncertainty regarding the resources made available to them by the U.S. government. Some key highlights from the study include:

  • Alleged emails from the IRS aren’t raising red flags — 35 percent of respondents expect to hear communication from the IRS by email despite years of warnings from the IRS, law enforcement agencies and the security community that the IRS will never email an individual about their tax filing.
  • Small business owners’ confusion grows ­— Only 14 percent of small business owners feel very knowledgeable about the process to get access to the U.S. government’s small business loan relief program despite the continuous guidance that government officials have been offering.
  • Stimulus checks and COVID-19 testing become the perfect clickbait — Over half of respondents said they would click on links or open attachments in emails pertaining to their stimulus check eligibility. Available COVID-19 testing nearby was the second-most enticing topic that respondents would engage with.

Cybercriminals are being very calculated with their attacks and continue to pivot their tactics to lure victims. In fact, IBM X-Force saw that more than 50 percent of all COVID-19-related spam observed since the onset of the pandemic was sent in the two first weeks of April alone, coinciding with when the U.S. small business relief loan program became available and stimulus checks started being issued.

Small Business Owners at the Epicenter of Spammers and Scammers’ Aim

IBM X-Force has observed spam campaigns that impersonate the SBA and promise recipients government relief funds. The malicious emails entice targets to open a spoofed application attachment that triggers a malware infection on their devices and, in turn, allows cybercriminals to collect sensitive information and even take control of victims’ devices.

Interestingly, the joint IBM Security and Morning Consult study revealed that nearly 40 percent of small business owners believe they’ve been targeted with malicious COVID-19 spam emails. The uncertainty surrounding the availability of funds and how they are being allocated increases confusion among small business owners and creates new opportunities for attackers. Surprisingly, 42 percent of small business owners surveyed were unfamiliar with the small business loans being offered by the government to mitigate the impacts of COVID-19. Even among those familiar, the questions are many.

Figure 1: Screenshot of COVID-19 spam sample claiming to be from the SBA

Stimulus Checks and Relief Funds Yield High ROI for Attackers

The latest reports show that 22 million Americans have found themselves unemployed or furloughed as a result of the pandemic, making them vulnerable targets for cybercriminals. During this period, IBM X-Force identified several spam campaigns spoofing banks that are offering coronavirus financial relief through stimulus payments, notifications of money transfers and more. Many emails include realistic logos and even spoofed websites to gain access to login credentials. Indicatively, some of the malicious spam themes we observed include:

  • American Express spam emails offering $2,400 in stimulus relief that requires authentication to claim the money. Once the recipient clicks the enclosed hyperlink to authenticate their identity, they’re redirected to a spoofed, benign-looking page to input their login credentials, which cybercriminals gain access to in real time.
  • Wells Fargo spam emails providing the recipient a relief payment from another alleged Wells Fargo customer, prompting the recipient to verify their account ownership in order to claim the funds. Through the spoofed account verification process, attackers are able to steal the login credentials of the recipient.

Figure 2: Screenshot of COVID-19 spam sample claiming to be from American Express

The study illustrated the increased risk that these spam campaigns present, revealing that over half of respondents would engage with these types of emails. In fact, 64 percent of adults who are recently unemployed would be most likely to engage with an email related to their stimulus relief eligibility.

How to Spot Scams and Stay Safe

This is not the first or the last time that we will see cybercriminals take advantage of current affairs and challenges for their personal benefit, but what the data and intelligence should remind us is that there is no honor among thieves. Cybercriminals will continue to view times of uncertainty as an opportunity, seeking new ways to exploit targets when they have their guard down. It’s essential that people take steps to reduce the risk of falling victim to these malicious acts, including:

  • Use trusted sources — When looking for information, go directly to the website of the organization instead of clicking on links to redirect you there.
  • Don’t open unsolicited attachments — Never open attachments or links from unknown sources.
  • Be on alert for COVID-19-related scams — Do not engage with unsolicited emails or texts pertaining to small business relief funding, the Paycheck Protection Program or unemployment funding. These emails will typically try to prompt you to share sensitive information, spoof login pages to steal sensitive account credentials or lure you in to open malicious attachments.
  • The IRS will never email you — For security reasons, the IRS will never email or call people — instead, you’ll receive communications from them via snail mail. The institution has been directing people to to address questions.
  • Watch out for fraud speak — This includes peculiar use of words, odd spelling (e.g., British English) and typos in emails that spread a sense of urgency or fear.
  • Update and patch — Nearly 90 percent of vulnerabilities spammers exploited in 2019 were traced back to known vulnerabilities. It’s essential to update your software and make sure your antivirus is always up to date.
  • Use multifactor authentication (MFA) ­— Use multifactor authentication on anything that enables remote access. For example, if you have MFA on your bank account and someone tries to log in, they can’t without your authentication.

Download the full report

For more information on protecting your business during the COVID-19 pandemic, visit IBM Security’s resources page on protecting and enabling your remote workforce. If you have experienced a cyberattack and need help, contact IBM X-Force Incident Response and Intelligence Services (IRIS).

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today