Posted: 3 Min ReadThreat Intelligence

SMS Phishing Campaigns Take Advantage of Coronavirus Pandemic

Symantec finds that 1 in 20 COVID-19 related SMS messages contain phishing attempts or other high-risk content.

As with all major newsworthy events, it was inevitable that criminals would take advantage of the COVID-19 pandemic. Symantec has already published blogs detailing how spammers and scammers are using coronavirus-themed lures in their malicious email campaigns, and how malicious Android apps are also exploiting the outbreak. However, a more direct method to target people, and one that is arguably more trusted by users, is via text (SMS) messages sent to mobile phones.

With this in mind, we analyzed links contained within more than 3 million SMS messages from hundreds of thousands of mobile devices from around the world that use Symantec’s mobile security technologies. Symantec Endpoint Protection Mobile (SEP Mobile) shields users from SMS phishing attempts by checking URLs found in text messages against the threat intelligence in Symantec WebPulse, part of the Symantec Global Intelligence Network (GIN), and alerting users when the links are suspect.

While malicious SMS messages often use URL shortening services to evade detection and hide destination URLs that would otherwise appear risky, our technologies follow the attack trail to the final URL destination.

We first began monitoring and evaluating the risk of COVID-19 related SMS messages soon after news of the virus began circulating in December 2019. We observed the first high-risk SMS phishing attack using COVID-19 as bait on January 24, 2020, roughly around the same period as the virus began to receive more media coverage.

Up until March, we observed very few incidents of SMS phishing attacks using COVID-19 as bait. From late January to early March, only 1 in 500 (0.2 percent) COVID-19 related SMS messages were rated as high risk. However, COVID-19 SMS messages sent by scammers followed the same trend line as the coronavirus outbreak, which was officially declared a pandemic in March 2020. The number of high-risk COVID-19 SMS messages quickly increased after this, and by the third week of March, roughly 1 in 20 (5 percent) messages were categorized as a phishing attack or other type of high-risk attack.

We observed several types of COVID-19 related SMS phishing scams. The criminals behind these scams all use the same tactic; taking advantage of people’s fears and financial hardships during the global pandemic in order to lure them in.

The following are just three examples of financial-themed SMS phishing scams that use COVID-19 related lures (Note: Symantec’s mobile security technologies do not collect user-identifying information from SMS messages):

Message: (Notification - ALERT ) Dear client, Scotiabank is working with the Government to make the Emergency Covid-19 Benefits deposits easier. To complete your Benefit demand. Please visit  :   www.Scotia-0nline.com

Included URL: www.Scotia-0nline.com

Platform: iOS

Apparent sender: [email protected]

 

Message: TD BANK: We doing an update due to COVID-19. Click to login.

Included URL: https://client-7492703.online

Platform: Android

Apparent sender: +15197551999

 

Message: URGENT: UKGOV has issued a payment of 458 GBP to all residents as part of its promise to battle COVID 19. TAP here to apply

Included URL: https://uk-covid-19.webredirect.org

Platform: iOS

Apparent sender: covid

 

SMS Message Trends vs. COVID-19 Outbreak

It's no surprise that SMS related texts and scams follow the same trend lines of the COVID-19 outbreak. What is surprising, however, is the amount of time it took for the scammers to catch up. We observed a significant increase in the number of SMS phishing scams over the third week of March.

Figure 1. All COVID-19 SMS messages March 1 to April 13
Figure 1. All COVID-19 SMS messages March 1 to April 13
Figure 2. High-risk COVID-19 SMS messages March 1 to April 13
Figure 2. High-risk COVID-19 SMS messages March 1 to April 13
Figure 3. Worldwide COVID-19 cases March 1 to April 13
Figure 3. Worldwide COVID-19 cases March 1 to April 13

Protection

Install a suitable security app, such as Symantec Endpoint Protection Mobile (SEP Mobile). SEP Mobile extends the power of WebPulse’s URL reputation to modern endpoints, ensuring they receive the same level of protection as traditional endpoints. Employees can safely access the web and apps on their mobile devices, without having to worry about false positives and productivity or latency issues, and organizations reduce the risk that devices will bring malware into the corporate network.

Mitigation

  • Be suspicious of texts that contain a call to action, such as a link or a request for you to call or text a phone number.
  • Be suspicious of messages that include anything suspicious or out of character, including misspelled words or improper grammar.
  • If you are unsure if a text has come from a legitimate organization, such as a bank or a hospital for instance, look up their number using directory assistance or other trusted source and call them to check whether they have tried to contact you.
Symantec Enterprise Blogs
You might also enjoy
Threat Intelligence6 Min Read

Text-Based COVID-19 Spam Wants Your Information, Money

Symantec’s Email Threat Isolation stops spammers as they continue to take advantage of coronavirus pandemic.

Symantec Enterprise Blogs
You might also enjoy
Threat Intelligence6 Min Read

COVID-19 Outbreak Prompts Opportunistic Wave of Malicious Email Campaigns

Spammers, scammers, and other threat actors quick to take advantage of global panic surrounding coronavirus outbreak

Symantec Enterprise Blogs
You might also enjoy
Threat Intelligence2 Min Read

Malicious Android Apps Exploit Coronavirus Panic

Symantec found almost a dozen Android apps that pretended to be monitoring the Covid-19 outbreak but were actually infected with malware.

About the Author

Kevin Watkins

Security Researcher

Kevin is a security researcher in Symantec's Modern OS Security (MOS) division. He's constantly researching new and innovative ways to automate discovery of threats impacting mobile users.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.