Researchers spot spike in COVID-test phishing emails

Consumers should be on the lookout for scam websites offering COVID test kits.


For the latest news and information on the coronavirus pandemic, visit the WHO and CDC websites.

Demand for home COVID testing has increased with the highly contagious omicron variant. Now, cybercriminals are trying to take advantage of people looking for these kits by using fraudulent emails to lure them to fake websites that steal credit cards and other personal information.

Cybersecurity experts warn that scammers are sending millions of test-related emails and tricking consumers into searching for COVID test-related information with fake websites. A new wave of demand – and scams – has been spurred by the rise of the highly contagious omicron variant. The recent launch of a government website offering free test kits also has the potential to spawn counterfeit sites, according to the Better Business Bureau.

“The bad guys are really good at staying on top of the news,” said Michael Flouton, vice president of product management at Barracuda Networks, which specializes in email security. “As the pandemic has evolved, so have they.”

Scams exploiting consumer interest in home testing are just the latest COVID-related scams. The emails started popping up at the start of the pandemic and spiked in March 2020 when stay-at-home orders started to go into effect. The rollout of vaccinations has also led to an increase in fraudulent vaccine-related emails.

Earlier this month, the US Department of Health and Human Services Inspector General’s Office warned that scammers are using telemarketing calls, text messages, social media platforms and even home visits to spreading COVID-related scams.

Now, testing related scams are on the rise. Between October and January, the number of fraudulent emails mentioning COVID testing jumped more than 500%, according to a Barracuda Networks analysis of nearly 3 million spear phishing emails sent during those months.

Fraudulent emails often offer to sell COVID tests or other medical supplies, such as masks or gloves, some of which turn out to be counterfeit products, according to Barracuda. Other emails pose as notifications of unpaid orders for testing and include links to PayPal accounts through which victims would be directed to make purchases. Sometimes emails are designed to impersonate labs, test providers, or test results.

While some cybercriminals appear to be after corporate networks and other large targets, the vast majority are designed to steal everyday people’s banking and login credentials, according to Barracuda.

Impersonation or brand abuse attacks, in which criminals attempt to impersonate legitimate businesses, government agencies, or individuals, have become a favorite of scammers. According to cybersecurity firm Outseer, which specializes in payment fraud protection, brand abuse attacks nearly tripled in the third quarter of last year on a year-on-year basis.

Armen Najarian, Marketing Director of Outseer, says the goal is always the same regardless of which entity is impersonated.

“What they want is information,” Najarian said of the scammers. “It’s financial gain through information capture.”

Seemingly innocuous personal information, such as names, home addresses and email addresses, can be used to bolster consumer profiles that could be used for bigger scams later, he said. If a victim hands over a set of login credentials, criminals can try these combinations with other online accounts, hoping that the victim used the same email and password for a bank account. or credit card that can be stolen.

Given typical scammer behavior, both Flouton and Najarian said they wouldn’t be surprised to see scammers start impersonating the US Postal Service’s legit free test website with both e- phishing mails and similar websites.

Najarian notes that the USPS site, where consumers can order their four free tests, is very basic, clearly states that it is an official government site, and only asks for the most necessary personal information, including a name. , an e-mail address and a postal address.

Therefore, any site that asks for anything else – like credit card information, email or social media login credentials – should be avoided.

Flouton says consumers need to think before they click.

“Always be skeptical, always be alert,” he said. “Just know that no topic will be off limits to criminals.”