Threat actors are using the novel coronavirus to add credibility in recent Business Email Compromise (BEC) attacks. Below are three examples of how they are doing it. 

We are providing
ongoing updates
on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic.

In the first example the threat actor pretends to be a senior administrator requesting a payroll update. COVID-19 is mentioned briefly as the reason for the change. If the targeted staff member provides any paycheck information, it will most likely be stolen. 

Sender’s address:
my@outtoficemailbox.com

The second example uses a spoofed email address to target multiple members of a large software company. In it, the pandemic is used as an excuse to send ACH information that is fraudulent. 

The threat actor has CC’d the fake email address
ekirk@fusionlads.net to be sure the victim’s reply goes there by default. 

The final example is a very well-written lure impersonating the CEO of a global financial institution.
The email states they will be acquiring a foreign company because of COVID-19 and the victim is expected to assist in the acquisition. The sensitive nature of the transaction suggests the intent is to ultimately obtain company secrets or financial information. 

Sender’s address:
gateway-pluto@mail-transport-gateway.cc

Recently, the FBI has
reported an increase in BEC attacks. Already a highly-targeted attack relying mainly on social engineering, the added uncertainty around the pandemic is giving cyber criminals a new and persuasive element to add to their messaging.