Catches of the month: Phishing scams for February 2021

Cyber criminals have had constant success with coronavirus-related phishing scams, but their most recent campaign is the most dangerous we’ve seen.

There have been multiple reports of people receiving an email purportedly from the NHS, saying they can book an appointment to receive their first COVID-19 vaccine.

The sophisticated scam preys on people’s eagerness to be vaccinated and the much-publicised fact that the NHS is indeed emailing people to book vaccines.

If the attack is successful, the criminals gain access to the victim’s personal data, including their bank details.

Perhaps most concerning is that those first in line for a vaccine – i.e. the elderly and vulnerable – are the most susceptible to scams.

In this blog, we explain everything you need to know about this scam. We’ll also look at a scam that exploits a vulnerability in Microsoft email systems.

Phishing scam uses COVID-19 vaccination as bait

Twitter users have been sharing emails that appear to be from the NHS, telling them that they are eligible for their first COVID-19 vaccine. All they need to do is click a link to book an appointment.

Whether the recipient accepts or declines the invitation, they are directed to a fake NHS website stating that they were chosen for the vaccine based on their medical history.

Many users spotted that this was a scam, but those who may have been expecting to receive such a message – such as the elderly, care home workers, the clinically vulnerable and front-line staff – are liable to fall victim.

The attack is also conducted in such a way that those who have been tricked are unlikely to realise something is wrong until it’s too late. After being asked to submit their personal details, the page redirects to the real NHS site, leaving no trace that the victim has been scammed.

So, how can you avoid falling for this email? First, the email directs you to the website “nhs.gov.uk”, whereas the real NHS website is “nhs.uk”.

You should also look out for typos or other grammatical inconsistencies. For example, this message alternates between “Coronavirus” and “coronavirus” (the NHS website always spells it in lowercase).

There is also the lack of a definite article when referring to the NHS, and an extra full stop at the end of the first paragraph. The email above is one of several messages within this campaign, but you can expect to see similar mistakes in all of them.

Moreover, if you follow the link, you are required to enter your personal information, including your name, mother’s maiden name, address, mobile phone number and bank details.

This should be an immediate red flag, because the UK government has made it clear that the vaccine is free. Under no circumstances are you required to provide bank details.

The NHS has also created a web page explaining how it will contact people to receive a vaccine, which includes tips on how to spot the difference between a legitimate message and a scam.
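The red flags listed above (a link to a lookalike domain, inconsistent capitalisation of “Coronavirus”, and a request for bank details) can be turned into a simple triage check. The script below is an added example written for this post, not code from the NHS or from any security vendor; it assumes that `nhs.uk` is the only legitimate domain for the NHS, and the email text it inspects is a constructed sample, not a copy of the real scam message. The point worth noting is in `is_legit_host`: a naive substring test (`"nhs.uk" in host`) would wrongly accept `nhs.uk.example.com`, so the check matches the domain exactly or as a proper suffix after a dot.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the only domain the NHS sends people to.
LEGIT_DOMAINS = ("nhs.uk",)

# Phrases the real NHS never asks for when booking a vaccine (the vaccine is free).
SENSITIVE_PHRASES = ("bank details", "card number", "sort code", "mother's maiden name")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_legit_host(host: str) -> bool:
    """True only if host is a legitimate domain or a subdomain of one.

    'nhs.gov.uk' fails because it neither equals 'nhs.uk' nor ends in '.nhs.uk';
    'nhs.uk.example.com' fails for the same reason, unlike a plain substring test.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def extract_hosts(text: str) -> list:
    """Return the hostnames of all http(s) links in the message, in order, de-duplicated."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return list(dict.fromkeys(hosts))


def mixed_case_terms(text: str, term: str = "coronavirus") -> set:
    """Return the distinct spellings of `term` if the message is inconsistent, else an empty set."""
    forms = set(re.findall(re.escape(term), text, re.IGNORECASE))
    return forms if len(forms) > 1 else set()


def check_email(text: str) -> dict:
    """Apply the three red flags from the post and return the findings plus an overall verdict."""
    lowered = text.lower()
    suspicious_hosts = [h for h in extract_hosts(text) if not is_legit_host(h)]
    sensitive = [p for p in SENSITIVE_PHRASES if p in lowered]
    mixed = mixed_case_terms(text)
    return {
        "suspicious_hosts": suspicious_hosts,
        "mixed_case": mixed,
        "sensitive_requests": sensitive,
        "suspicious": bool(suspicious_hosts or sensitive or mixed),
    }


# Constructed sample modelled on the red flags described in the post (not the real email).
SAMPLE_SCAM = """\
Subject: Book your Coronavirus vaccine appointment

NHS has identified you as eligible for the coronavirus vaccine.
Accept: https://nhs.gov.uk/vaccine/accept
Decline: https://nhs.gov.uk/vaccine/decline
To confirm, you will need your address, mother's maiden name and bank details.
"""

# Constructed benign sample: a real-domain link, consistent spelling, nothing sensitive requested.
SAMPLE_LEGIT = """\
Subject: Your coronavirus vaccine appointment

Read how the NHS will contact you about the coronavirus vaccine:
https://www.nhs.uk/conditions/coronavirus-covid-19/
"""

if __name__ == "__main__":
    for name, msg in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, check_email(msg))
```

Run as a script it prints the findings for both samples; in practice you would feed it the plain-text body of a suspicious message and treat any non-empty finding as a reason to stop and verify the sender through the NHS website rather than the link in the email.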

Watch out for Microsoft 365 scam exploiting read receipts

Security researchers have warned of a new BEC (business email compromise) attack that takes advantage of loopholes in Microsoft 365 read receipt and out-of-office messages.

Abnormal Security reported that scammers have manipulated email protocols to ensure the messages bypass spam filters.

In the case of read receipt scams, the attackers tricked the system so that the automated receipt would be delivered to the target instead of in response to the original message sent by the attacker.

As such, the message is delivered via a legitimate, albeit automated, Microsoft address, which makes recipients less likely to suspect that it’s a scam.

A similar attack exploiting out-of-office notifications works by tricking the system into sending the notification to a second target in the organisation rather than as a response to the initial email.

As with the read receipts attack, this ensures that the message is directed via a legitimate third-party email address.

According to Tom Pendergast, chief learning officer at MediaPro: “The reason the use of the auto-responder loop is so effective is that it enhances the ‘feeling’ of legitimacy for those who turned those on while they were away.

“The scam applies a veneer of legitimacy, but employees with the right sleuthing skills and training will see through this to knock aside the attempt.”

The attacks haven’t yet been used to deliver a malicious payload, which suggests that, at this stage, cyber criminals are simply trying out new strategies.

The good news is that Microsoft 365 doesn’t enable users to include attachments on automated responses. However, we’ve seen enough inventive scams to know that, should this technique prove successful, scammers will find a way to profit from it.

Can you spot a scam?

Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.

This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.