BSI warns of increase in COVID-19 phishing campaigns

15 April 2020

BSI, the business improvement company, is advising organizations to remain vigilant and alert to phishing attacks during the current COVID-19 pandemic to maintain information resilience. According to researchers1 the greatest volume of attacks united by a single theme - COVID-19 - is currently taking place and with the continued increase in remote working, cyber attackers are using this opportunity to target businesses and their employees.

Several false web domains relating to COVID-19 have been registered and are being used to link to phishing and credential attacks. In the UK specifically phishing campaigns include BEC (Business Email Compromise) attacks whereby the attacker pertains to be a colleague or someone you know requesting a payment to be made. These types of emails can also include ransomware and malware disguised as links to click for further information on meeting notices or company updates. Additional emerging threats cover attackers that are mimicking charities, health organizations or business and financial supports.

Stephen Bowes, Global Practice Director, Security and Information Technologies, BSI Consulting Services, explains: "We are living through an exceptional time at present with many employers focused on their staff's welfare and business continuity. World events like COVID-19 provide vast opportunities for cyber attackers to infiltrate companies and gain user data such as login credentials or financial information. We are seeing attackers increase their presence due to the crisis and with many of the global workforce now working remotely. Most recently Interpol has alerted healthcare institutions of targeted ransomware attacks that have the potential to lock them out of their critical systems. Phishing is one of the highest causes for cybercrime and all online users, in work and at home, need to be alert as cases of fraud are rising during this time."

"We want to urge employers and employees to remain vigilant and be aware of the increased risks and make sure you get your information from reputable sources. Don't get caught off guard by clicking on links in emails and report any suspicious emails to the IT department. If in doubt about the legitimacy of an email that is requesting a payment or specific action, we would advise that you contact the sender by phone to get verification first."