Catches of the month: Phishing scams for May 2020

Coronavirus continues to dominate the cyber security landscape (and pretty much every other part of our lives), with cyber criminals cashing in on the disruption.

Whether you’re forced to work from home, out of work or otherwise preoccupied by the stress and discomfort of lockdown, we are all more susceptible to phishing emails than ever before.

The good news is that the NCSC (National Cyber Security Centre) has taken down more than 2,000 coronavirus-related since the pandemic began, and has created a service that allows members of the public to report scams they’ve received.

In this blog, we discuss some of those scams and explain what you need to do to stay safe online.


1. Tesco voucher scam

Supermarkets have had a chaotic month making sure shoppers and staff are safe and that their shelves are stacked, so the last thing they need to deal with is a phishing scam targeting their customers.

Unfortunately, Action Fraud has received dozens of reports about emails supposedly from Tesco that promise free vouchers during the coronavirus pandemic.

The email tells customers that Tesco “is giving [them] a chance to shop for free this COVID-19 season at any of our outlets or online by giving out free vouchers”.

It then directs individuals to a website that looks a lot like Tesco’s, but is in fact an imitation designed to steal login credentials.

The email should raise suspicions if you’re aware of how phishing scams work. For example, it’s addressed simply to ‘Customer’, whereas official correspondence from most organisations is tailored to refer to the recipient by name.

Likewise, the message is written clumsily, doesn’t contain any of Tesco’s branding and in fact spells the retailer’s name as ‘Tesc0’.

Nonetheless, this scam still represents a major threat, because plenty of people won’t pick up on these clues or are simply too curious to learn more.


Take a look at our dedicated blog on coronavirus phishing scams for more stories like this.


Tesco isn’t the only supermarket to be imitated in a scam like this. Morrisons has also been the subject of a supposed voucher giveaway, with people receiving emails offering money off their next shop if they complete a survey.

Some people have also reported receiving text messages claiming that their Morrisons “shopper ID” had been entered into a draw. The haphazard scam doesn’t state what the draw is for or what you might win by entering it, but it offers a link that one might imagine explains everything.


2. Tax rebate scheme

Tax scams are a staple of cyber criminals’ arsenals – whether they’re telling victims that they owe more money or are due a rebate – and the coronavirus pandemic has given them yet another way of tricking people.

One type of scam that Action Fraud received claims that recipients are entitled to a tax refund due to the disruption caused by coronavirus.

The email claims in broken English that “in corporation with National Insurance and National Health Services the government established new tax refund programme for dealing with the coronavirus outbreak in its action plan”.

If you stop and think about exactly what the email is saying, it should become pretty clear that there’s something dodgy about it. Why would the government take money away from the NHS and give it to citizens?

Unfortunately, the next sentence – “You are eligible to get a tax refund (rebate) of 127.34 GBP” – may be too tempting to ignore.

After all, the government has announced a series of financial schemes to help people affected by coronavirus, it did add COVID-19 to the list of notifiable diseases on 5 March and the email does include a genuine link to the NHS’s information page on coronavirus.

But these are simply incidental details that are designed to give the message an air of legitimacy.

When you follow the link, you are redirected to a fraudulent website that asks you to provide your financial details – including payment information – which the criminals could use to withdraw funds from your account.


See also:


3. Spear phishing campaign exploits executives at 150 organisations

Although coronavirus has taken over every part of our lives, this month’s biggest threat isn’t related to the pandemic at all. It is instead a spear phishing campaign with a boobytrapped PDF that’s already caught out high-ranking executives at more than 150 organisations.

The scam, conducted by a hacking group codenamed PerSwaysion, has primarily targeted the financial sector in a series of attacks that are remarkable in their simplicity.

Here’s how it works: victims receive an email from a legitimate, compromised email address that contains a PDF file as an attachment.

When the victim opens the file, they’re redirected to Microsoft Sway, the tech giant’s newsletter service, where they’re asked to provide their Office 365 login details.

Source: Group-IB

“For untrained eyes, this page resembles an authentic Microsoft […] page,” the researchers investigating the scam said.

“However, this is a specially crafted presentation page which abuses Sway’s default borderless view to trick the victim [into thinking it was] part of the Office 365 official login page.”

In other words, it’s a credential-stealing scam that’s designed like an infected attachment scam. Spam filters won’t alert you that the attachment is suspicious because it isn’t; it’s a normal file.

Indeed, the lack of a security warning – combined with the fact that the message has come from a genuine email address – makes this almost impossible to detect.

The only defence is to look carefully at every email you receive that contains an attachment or link. If you weren’t expecting to receive something from this person, try contacting them through another channel, such as by phone or instant message.

You may also be able to detect that something’s not right in the way the email is written.

Cyber criminals often have a hard time replicating the writing style of people they’re imitating, either because English isn’t their first language or because the recipient and sender have a particular way of communicating that can be hard to replicate.


One virus is enough

Phishing is just one of many security problems that the coronavirus pandemic is causing. With employees working from home and not protected by their office’s security systems, the threat of cyber attacks is greater than ever.

When you factor in the uncertainty of the pandemic, the prospect of depleted workforces in the coming weeks through illness or furlough, and the fact that cyber criminals can continue to operate from the safety of their homes, cyber security should be a top priority.

Nobody knows what the full effect of the virus will be, but one thing’s for sure: you have enough to worry about without the threat of a cyber attack or data breach.

To help you stay on top of your cyber security needs, we’re offering 25% off our certified online training courses throughout May.

Meanwhile, a wide range of our products and services are now available remotely, so we don’t need to be on-site to carry out things such as penetration testing, and we’ve put together a set of packaged solutions to help meet clients’ needs.

Find out more