SMS Phishing Campaigns Take Advantage of Coronavirus Pandemic

As with all major newsworthy events, it was inevitable that criminals would take advantage of the COVID-19 pandemic. Symantec, a division of Broadcom (NASDAQ: AVGO), has already published blogs detailing how spammers and scammers are using coronavirus-themed lures in their malicious email campaigns, and how malicious Android apps are also exploiting the outbreak. However, a more direct method to target people, and one that is arguably more trusted by users, is via text (SMS) messages sent to mobile phones.

With this in mind, we analyzed links contained within more than 3 million SMS messages from hundreds of thousands of mobile devices from around the world that use Symantec’s mobile security technologies. Symantec Endpoint Protection Mobile (SEP Mobile) shields users from SMS phishing attempts by checking URLs found in text messages against the threat intelligence in Symantec WebPulse, part of the Symantec Global Intelligence Network (GIN), and alerting users when the links are suspect.

While malicious SMS messages often use URL shortening services to evade detection and hide destination URLs that would otherwise appear risky, our technologies follow the attack trail to the final URL destination.

We first began monitoring and evaluating the risk of COVID-19 related SMS messages soon after news of the virus began circulating in December 2019. We observed the first high-risk SMS phishing attack using COVID-19 as bait on January 24, 2020, roughly around the same period as the virus began to receive more media coverage.

Up until March, we observed very few incidents of SMS phishing attacks using COVID-19 as bait. From late January to early March, only 1 in 500 (0.2 percent) COVID-19 related SMS messages were rated as high risk. However, COVID-19 SMS messages sent by scammers followed the same trend line as the coronavirus outbreak, which was officially declared a pandemic in March 2020. The number of high-risk COVID-19 SMS messages quickly increased after this, and by the third week of March, roughly 1 in 20 (5 percent) messages were categorized as a phishing attack or other type of high-risk attack.

We observed several types of COVID-19 related SMS phishing scams. The criminals behind these scams all use the same tactic; taking advantage of people’s fears and financial hardships during the global pandemic in order to lure them in.

The following are just three examples of financial-themed SMS phishing scams that use COVID-19 related lures (Note: Symantec’s mobile security technologies do not collect user-identifying information from SMS messages):

Message: (Notification - ALERT ) Dear client, Scotiabank is working with the Government to make the Emergency Covid-19 Benefits deposits easier. To complete your Benefit demand. Please visit  :   www.Scotia-0nline.com

Included URL: www.Scotia-0nline.com

Platform: iOS

Apparent sender: [email protected]

 

Message: TD BANK: We doing an update due to COVID-19. Click to login.

Included URL: https://client-7492703.online

Platform: Android

Apparent sender: +15197551999

 

Message: URGENT: UKGOV has issued a payment of 458 GBP to all residents as part of its promise to battle COVID 19. TAP here to apply

Included URL: https://uk-covid-19.webredirect.org

Platform: iOS

Apparent sender: covid

 

SMS Message Trends vs. COVID-19 Outbreak

It's no surprise that SMS related texts and scams follow the same trend lines of the COVID-19 outbreak. What is surprising, however, is the amount of time it took for the scammers to catch up. We observed a significant increase in the number of SMS phishing scams over the third week of March.

Protection

Install a suitable security app, such as Symantec Endpoint Protection Mobile (SEP Mobile). SEP Mobile extends the power of WebPulse’s URL reputation to modern endpoints, ensuring they receive the same level of protection as traditional endpoints. Employees can safely access the web and apps on their mobile devices, without having to worry about false positives and productivity or latency issues, and organizations reduce the risk that devices will bring malware into the corporate network.

Mitigation

• Be suspicious of texts that contain a call to action, such as a link or a request for you to call or text a phone number.
• Be suspicious of messages that include anything suspicious or out of character, including misspelled words or improper grammar.
• If you are unsure if a text has come from a legitimate organization, such as a bank or a hospital for instance, look up their number using directory assistance or other trusted source and call them to check whether they have tried to contact you.