Majority of COVID phishing attacks coming from US IP addresses, report finds

TechRepublic, 27 May 2020: COVID-19 phishing emails have been bombarding inboxes since the virus began to spread in December and January. Cybercriminals have tried to push all kinds of scams to the masses using coronavirus-related topics, headers, and organizations to get people to open malicious emails, files, or links. Complaints about phishing attacks have tripled since the concerns about COVID-19 became widespread, according to the FBI’s Internet Crime Complaint Center. Cybersecurity company INKY pored through the months of coronavirus-themed phishing emails and compiled a report on where most of them were coming from, finding that the majority of IP addresses found in email headers originated from the United States. Dave Baggett, CEO of INKY, acknowledged that these IP addresses might be easily spoofed by more skilled attackers but explained that there were a number of reasons most attackers would be in the US. “The majority of our users are American. Phishers prefer to target victims within their own geography because it’s easier to research and impersonate since it’s the same culture and language,” he said in an email interview, adding that non-American attackers may also want to spoof a US origin to evade geographical filters. The report does an in-depth examination of 34 phishing email templates that the company has seen over the past few months in its work protecting clients. INKY researchers found that in addition to the majority of IP addresses being sourced from the US, 44% came from North America. Another 26% came from Europe and 18% from Asia, while most attacks involved malicious links or attachments. “Scammers are creating campaigns relating to bonus reports, COVID-19 disaster relief, pandemic food distribution, office shutdowns, FedEx packages, quarantine protocols, and even information from the World Health Organization (WHO) and the White House,” Baggett wrote in a blog post about the report. The report includes snapshots of dozens of emails that look real with accents to make them look legitimate. Some of the emails look like they contain legitimate information from government organizations about how people can protect themselves from COVID-19 while others look like financial payments for small businesses from the CARES Act. Baggett noted that some of the most worrying new trends with phishing emails were those that came with real company logos, trademarks, copyrights, and HTML/CSS. The report includes multiple emails made to look almost identical to legitimate emails from insurance companies like Humana and Cigna asking people to click a link for more information about changes to their healthcare plans. “In 2019, the IC3 received a total of 467,361 complaints with reported losses exceeding $3.5 billion and the main culprit driving these numbers was phishing.4 Imagine what 2020 will hold if the number of complaints is already tripling,” Baggett suggested everyone use verbal confirmation for any and all financial requests. People should avoid using links directly in emails and instead should type the link in a browser. “If a link has to be used, hover over it to ensure it’s not misleading. Beware of unfamiliar attachments types like SLK, IMG, RAR,” he added.