Studies show that roughly 1 in 20 COVID-19 related SMS messages contain phishing attempts or other high-risk malicious content.

With the cloud that is COVID-19 hanging over the world right now, we had considered it inevitable that cybercriminals would take advantage of this pandemic to pursue malicious activity. We have published a few blogs about how these criminals are already using coronavirus-themed scams in their malicious email campaigns, and how malicious mobile apps are also exploiting the current news. However, a more direct and arguably even more effective targeting method is text messages sent to victims' personal cell phones. Malicious SMS attempts often use URL shortening services to evade detection.

This trend was first monitored in December 2019, when the first news of the virus started appearing. It took until late March for the problem to become widespread, much like the virus itself. From January to early March, only 0.2% of COVID-19 related text alerts were rated as possibly malicious. When the virus was officially declared a pandemic near the end of March, the number of malicious COVID text alerts quickly increased. Roughly 5% of text messages, that's one in every 20, were categorized as a malicious attempt.

Numerous types of SMS phishing attempts related to COVID-19 began to pop up. Though different in method, they were the same in nature. They all use the same tactic: taking advantage of people's fears and hardships during the global pandemic to lure them in and profit from their misfortune.

An example of these phishing attempts could be a legitimate-looking text from your bank alerting you to the possibility of relief funds, such as: “ALERT – We have issued payments to all of our loyal customers to help battle COVID-19. Please follow this link to claim your payment.” This attempt would surely catch many, all due to their desperation in these difficult times.

 

Protection

Install a comprehensive security application on all of your personal devices, and on your company's devices as well. Employees should be able to safely access the web and work apps on their mobile devices without having to worry about false positives or decreases in productivity, and your organization reduces the risk that devices will bring malware into the corporate network. Proper security cannot be overstated in 2020.

Mitigation

  • Be suspicious of texts that contain a sort of “call to action”, like a request to click a link, sign up for something, or text or call a certain number. Be wary and always double-check the source.
  • Be suspicious of messages that include out-of-character words, grammar, or links.
  • If you are unsure whether the text you've received is legitimate, we advise at least looking up their number using a trusted directory or source, and calling them to check whether they have tried to contact you. Remember, in most cases these institutions will never reach out to you first, especially with the flood of requests they're getting as-is with the pandemic.
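
The warning signs above (a pandemic theme, a call to action, a link, and a shortened URL) can also be checked automatically when triaging reported messages. The following is an added example, not code from the original article; the keyword patterns and the shortener list are illustrative assumptions, and the sample messages are constructed (the lure reuses the article's example text with a made-up link).

```python
import re
from urllib.parse import urlparse

# Illustrative lists (assumptions, not from the article); tune for real traffic.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
THEME = re.compile(r"\b(covid(-?19)?|coronavirus|pandemic|relief|stimulus)\b", re.I)
CALL_TO_ACTION = re.compile(
    r"\b(click|follow (?:this|the) link|claim|sign up|(?:text|call) (?:us|now|\+?\d))",
    re.I)
URL = re.compile(r"\b((?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?)", re.I)

# Constructed sample messages for demonstration only.
SAMPLE_LURE = ("ALERT - We have issued payments to all of our loyal customers "
               "to help battle COVID-19. Please follow this link to claim your "
               "payment: https://bit.ly/xxxxxxx")
SAMPLE_NO_LINK = "Coronavirus update: call +15550100 to sign up for testing"
SAMPLE_BENIGN = "Your pharmacy order is ready for pickup. Store hours are 9am to 6pm."


def extract_hosts(text):
    """Return the lowercase hostname of every URL-like token in the message."""
    hosts = []
    for match in URL.findall(text):
        url = match if "://" in match else "http://" + match
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts


def triage_sms(text):
    """Return the warning signs found in one SMS body, in a fixed order."""
    hosts = extract_hosts(text)
    reasons = []
    if THEME.search(text):
        reasons.append("pandemic_theme")
    if CALL_TO_ACTION.search(text):
        reasons.append("call_to_action")
    if hosts:
        reasons.append("contains_link")
    if any(h in SHORTENERS for h in hosts):
        reasons.append("shortened_url")  # real destination is hidden from the reader
    return reasons


if __name__ == "__main__":
    for sms in (SAMPLE_LURE, SAMPLE_NO_LINK, SAMPLE_BENIGN):
        print(triage_sms(sms), "<-", sms[:50])
```

A message that trips several signs at once is a candidate for review, not a verdict; legitimate senders also use shortened links, so the output is best used to prioritise what a person checks first.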