Catches of the Month: Phishing Scams for March 2022

Welcome to our March 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal information.

This month, we look at a phishing attack targeting Ukrainian citizens, the latest campaign imitating Tesco and a warning from HSBC.

Ukrainian citizens targeted by phishing attacks

Ukraine’s CERT-UA (Computer Emergency Response Team) has warned citizens that phishing attacks are being used to compromise the country’s infrastructure.

As the Russian invasion continues, many cyber security experts have advised that conflicts could play out in cyberspace.

The Ukrainian government and its military were targeted by DDoS (distributed denial-of-service) attacks, while a pro-Ukrainian group attacked the Belarusian railway system with ransomware after discovering that it was being used by Russia to transport tanks and weapons.

On 23 February – a day before Russia began its full-scale invasion – Ukraine’s SSSCIP (State Service of Special Communication and Information Protection) issued a statement:

“Phishing attacks on public authorities and critical infrastructure, the spread of malicious software, as well as attempts to penetrate private and public sector networks and further destructive actions have intensified.”

Meanwhile, the CERT-UA posted on Facebook that it had detected a widespread phishing campaign targeting Ukrainian military personnel.

It attributed the attacks to an APT (advanced persistent threat) group tracked as UNC1151, which is based in the Belarusian Ministry of Defence.

Speaking to Computer Weekly, Mandiant director Ben Read said: “We’re monitoring reports of widespread phishing of Ukrainian individuals by UNC1151. We are able to tie the infrastructure reported by CERT-UA to UNC1151, but have not seen the phishing messages directly.

“However, UNC1151 has targeted Ukraine and especially the Ukrainian military extensively over the past two years, so this activity matches their historical pattern.

“These actions by UNC1151, which we believe is linked to the Belarusian military, are concerning because personal data of Ukrainian citizens and military can be exploited in an occupation scenario and UNC1151 has used its intrusions to facilitate the Ghostwriter information operations campaign.

“Leaking misleading, or fabricated documents taken from Ukrainian entities could be leveraged to promote Russia and Belarus friendly narratives.”

Tesco warns customers of voucher scam

Supermarket voucher scams often crop up when people are struggling with money – and this is undoubtedly the case in the UK, with rising energy bills and soaring petrol prices.

Unlike many other scams, which lure victims by tempting them with luxuries, supermarket voucher scams target people who are looking for necessities and may be in desperate need of support.

As millions of Britons face economic uncertainty, it’s therefore no surprise to see a wave of scams imitating Tesco.

Action Fraud received 197 reports in one week about fake emails claiming to be from Tesco.

The bogus message stated that the recipient could win £500 worth of “free groceries” by entering a competition. However, the links provided in the email lead to phishing websites that are designed to capture the victim’s personal and financial information.

Action Fraud advised anyone who receives a suspicious message to contact the organisation the correspondence is allegedly from to verify it.

Beware of remote access takeover scams

HSBC has warned customers that fraudsters are stealing financial information with remote access takeover scams.

Remote access tools enable people to use a computer while not physically present. The technology is often used by IT teams to troubleshoot technical issues when it’s not possible to go to the user’s desk.

The technology became more common during the COVID-19 pandemic, with the increase in remote working, but even before then it was often used by software and hardware providers if you called their helpline with a technical problem.

HSBC has learned that scammers are calling customers, claiming to be from a well-known company and saying that there is an issue that requires urgent action.

The scammers typically state that:

  • There has been an issue with a refund;
  • They’re trying to solve a technical problem with the customer’s computer or Wi-Fi; or
  • The customer has been defrauded.

The caller instructs the customer to download a remote access tool or mobile app so that the caller can protect the customer.

Anyone who complies is handing over control of their banking session to the fraudster, who can access the customer’s details and steal money.

HSBC reminds customers that a genuine organisation will never call unexpectedly and request remote access. The bank adds that customers can take extra precautions by not sharing personal information, including payment details, with callers.

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.