Catches of the Month: Phishing Scams for May 2022

Welcome to our May 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.

This month, we look at a scam targeting people seeking verified Twitter status, a phishing attack that uses harvested login credentials from NHS staff and a simulated social engineering test that backfired.

Scammers target people seeking Twitter verification

Cyber security researchers have identified a scam that targets people who are trying to gain verified accounts on Twitter.

Verified accounts are designated by a blue badge next to the person’s username and indicate that the social media firm has confirmed that the person behind the account is genuinely who they claim to be.

The status is usually reserved for public figures, such as celebrities, politicians, journalists, activists, as well as official accounts belonging to organisations.

To verify an account, individuals must provide Twitter with relevant documents. These include ID cards, website references and information that supports their claim to be ‘notable’.

Gaining blue-badge status is therefore both a sign of recognition and an indication that the account is among the most popular on the website.

However, a Bleeping Computer report has shown that scammers are using the allure of verified status to trick people into handing over sensitive information.

The bogus emails claim that there has been a problem with the recipient’s account and advise the victim to click ‘Check notifications’ to fix the issue.

Those who follow the link are redirected to a bogus site that prompts them to provide their login credentials.

Users who comply with the request unwittingly hand their information to scammers, who use the stolen credentials to reset the user’s password and take control of the account.

NHS email accounts targeted by criminal hackers

More than 130 NHS email accounts were used to conduct a prolonged phishing campaign targeting Microsoft users.

The cloud security firm Inky found that scammers sent 1,157 phishing emails originating from NHSmail between October 2021 and March 2022.

The majority of the emails contained a link to what appeared to be a document intended for the recipient.

However, anyone who clicked the link was sent to a bogus Microsoft 365 login page, which asked them to provide their login details.
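Both campaigns described so far rely on the same mechanic: a message that invokes a trusted brand (Twitter, Microsoft 365) but links to a sign-in page on a host that brand does not control. In the NHSmail case the messages came from genuinely legitimate senders, so sender reputation alone would not have caught them; the link destination is the tell. The Python script below is an added example, not code from this article, from Inky or from Bleeping Computer. It extracts the links from a few constructed sample messages and flags any whose host does not belong to the brand the message claims to speak for. The allowlist of brand hosts and the keyword lists are assumptions made for illustration, not a complete or authoritative list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist (illustrative, not from the article): hosts that legitimately
# serve sign-in pages for each brand a message might impersonate.
BRAND_HOSTS = {
    "twitter": {"twitter.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}

# Words in the visible message that signal which brand it claims to represent.
BRAND_KEYWORDS = {
    "twitter": ("twitter", "verified badge", "blue badge"),
    "microsoft": ("microsoft", "office 365", "microsoft 365", "sharepoint", "onedrive"),
}


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(body):
    """Return (href, text) pairs from HTML anchors plus any bare URLs in the body."""
    parser = LinkCollector()
    parser.feed(body)
    links = list(parser.links)
    seen = {href for href, _ in links}
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        if url not in seen:  # bare URL pasted into the text, not inside an anchor
            links.append((url, url))
            seen.add(url)
    return links


def host_allowed(host, allowed_hosts):
    """True when host is one of the allowed hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def claimed_brands(text):
    """Brands whose keywords appear in the visible text of the message."""
    lowered = text.lower()
    return [b for b, words in BRAND_KEYWORDS.items() if any(w in lowered for w in words)]


def suspicious_links(subject, body):
    """Findings for links that lead away from the brand the message invokes.

    A brand is 'claimed' if its keywords appear in the subject or visible body,
    or if its name appears in the link host itself (a look-alike domain).
    """
    visible = subject + " " + re.sub(r"<[^>]+>", " ", body)
    text_brands = set(claimed_brands(visible))
    findings = []
    for href, text in extract_links(body):
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # relative link or mailto:, nothing to check here
        link_brands = text_brands | {b for b in BRAND_HOSTS if b in host}
        for brand in sorted(link_brands):
            if not host_allowed(host, BRAND_HOSTS[brand]):
                findings.append({"brand": brand, "host": host, "text": text})
    return findings


# Constructed sample messages modelled on the two campaigns; not real emails.
SAMPLE_MESSAGES = [
    {"subject": "Action required: Twitter verified badge",
     "body": ('<p>There is a problem with your Twitter account.</p>'
              '<a href="https://twitter-verify-help.example/login">Check notifications</a>')},
    {"subject": "Document shared with you",
     "body": ('<p>A colleague has shared a Microsoft 365 document with you.</p>'
              '<a href="https://m365-docs.example/view?id=1">Open document</a>')},
    {"subject": "Your Microsoft 365 sign-in",
     "body": '<a href="https://login.microsoftonline.com/">Sign in</a> to review activity.'},
]


def scan_samples():
    """Run the check over every sample; one findings list per message."""
    return [suspicious_links(m["subject"], m["body"]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, scan_samples()):
        print(f"{'SUSPICIOUS' if findings else 'ok':10} {msg['subject']}")
        for f in findings:
            print(f"    link '{f['text']}' -> {f['host']} is not a {f['brand']} host")
```

The first two samples are flagged (the link host is neither the brand's domain nor a subdomain of it); the third, which points at a Microsoft sign-in host, passes. Suffix matching on the host is deliberate: a look-alike such as `microsoftonline.com.example` ends in `.example`, not in `.microsoftonline.com`, so it is still caught. The heuristic only fires when a brand is named, so it complements rather than replaces mail-gateway controls.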

Inky reported that at least 139 NHS email accounts were compromised in the attack, but the true scope of the campaign could have been much larger, because Inky only analysed phishing attacks made against its own customers.

It added that although the number of compromised accounts represents only a small fraction of the total number of NHS email accounts, it still amounted to a dangerous and widespread scam.

“Perhaps this is a moment to introduce the idea that phish can be like a leak in the boat. It doesn’t matter that the hole is small, it will still sink the boat eventually,” Inky wrote in a blog post.

“Even if only a few bad emails get through, with a malicious enough payload, a single successful attack can be life-altering. The NHS has been lucky so far. Credential harvesting by itself is small potatoes. But, of course, those credentials can be recycled in subsequent attacks with more dangerous results.”

Social engineering test criticised by labour union

One of the most popular ways to bolster an organisation’s phishing defences is to send a fake scam email to test how employees react. Indeed, IT Governance recommends Simulated Phishing Attacks as part of an organisation’s staff awareness training regime.

Simulated attacks are intended to review how adept employees are at spotting scams and whether they report suspicious emails through the correct channels.

However, the American Federation of State, County and Municipal Employees Local 328 has criticised the practice after OHSU (Oregon Health & Science University) conducted a simulated phishing attack on its staff.

The bogus message offered employees up to $7,500 in aid if they were struggling financially because of COVID-19. The email prompted employees to follow a link to claim compensation.

Those who clicked were directed to a website that explained that the message was a test and that no financial aid would be offered.

The labour union, which represents more than 7,200 OHSU staff, said the simulation was an exhibition of psychological warfare against OHSU employees.

“The decision to send today’s email is a cruel reminder that, ultimately, OHSU does not truly care about its employees and their struggles, particularly their mental health,” the union wrote in a statement.

“At some point, perhaps someone at OHSU with authority will design a system in which the left hand and the right hand actually coordinate with each other,” the statement continued.

“Until that point, our members are subjected to the whims of OHSU’s worst ideas and behaviors, and this phishing email can now take its place with OHSU’s many other missteps.”

It’s easy to see where both sides are coming from. COVID-19 has been the pretext for a vast number of scams during the pandemic, and phishing attacks are most successful when they are emotionally manipulative – as was the case with the bogus message sent by OHSU.

The message that the organisation chose to send is a prime example of the most devious form of phishing and is well suited to testing just how vigilant employees are.

OHSU confirmed that the content of the message was taken verbatim from a real phishing scam that some employees received earlier this year.

But no matter how realistic the message was, it intentionally damages employee morale. When staff learn that their employer was behind the bait and switch, it is only natural that they would be angry.

That is why most simulated phishing attacks make smaller promises, offering things such as cash prizes or asking the recipient to download an attachment.

OHSU has since said that it regrets sending the email. Sara Hottman, a spokesperson for the organisation, said: “First and foremost, we want to sincerely apologize to the OHSU community.

“That was a mistake. The real scam was insensitive and exploitive of OHSU members – and the attempt to educate members felt the same way, causing confusion and concern.”

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.