COVID-19 Smishing Campaigns

Written by Zachary Blenden

Mobile devices are aggressively targeted by cybercriminals during the COVID-19 pandemic with crafty smishing campaigns. In a smishing attack, the cybercriminal sends a text message containing a malicious link. If the recipient clicks the link, the mobile device may be infected with malware, or the recipient may be prompted under a ruse to enter sensitive information such as account passwords. In recent COVID-19 smishing campaigns, cybercriminals pretend to be equipment supply companies, popular streaming services, and government or healthcare organizations, among others. The text messages are usually delivered from a standard US phone number and contain information that is meant to lure the victim into clicking a link and ultimately providing sensitive information or downloading a malicious file.

The following image shows a coronavirus-themed SMS typical of what we routinely see. These messages may have different themes or content, but will primarily consist of the same 4 components:

  • Compelling or frightening message body designed to lure the victim into clicking on a malicious link.
  • A URL for the victim to click which directs them to a malicious webpage that will capture sensitive data.
  • Sender uses a standard US phone number.
  • “Reply STOP to opt out” or similar text that adds to the credibility of the message and helps the sender determine whether a recipient was reached.

Recent smishing campaigns include offers of free Netflix Premium or other online streaming accounts, advertisements of sought-after hygiene products (e.g. face masks, hand sanitizer, toilet paper) or survival equipment, and impersonations of loan officers or the IRS informing the recipient that they are eligible for a stimulus check or loan.
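
The four components and the lure themes described above can be used as a triage check for text messages that users report. The following Python code is an added example, not part of the original article or any Q6 Cyber tooling; the keyword patterns, regular expressions, sample messages and the `triage_sms` function name are assumptions made for illustration.

```python
import re

# Lure themes named in the article; the keyword patterns are illustrative assumptions.
LURE_THEMES = {
    "streaming": r"\b(?:netflix|premium|streaming|subscription)\b",
    "supplies": r"\b(?:face masks?|hand sanitizer|toilet paper|survival)\b",
    "financial": r"\b(?:stimulus|loans?|irs|relief)\b",
}
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+|\b[\w-]+\.[a-z]{2,}/\S+", re.I)
OPT_OUT_RE = re.compile(r"\b(?:reply|text|send)\s+(?:stop|no)\b", re.I)
# Standard 10-digit US number with optional +1; SMS short codes do not match.
US_NUMBER_RE = re.compile(r"^(?:\+?1)?[2-9]\d{2}[2-9]\d{6}$")


def triage_sms(sender, body):
    """Report which of the article's four components a message contains."""
    themes = sorted(name for name, pattern in LURE_THEMES.items()
                    if re.search(pattern, body, re.I))
    digits = re.sub(r"[\s().-]", "", sender)  # strip phone number punctuation
    components = {
        "lure_theme": bool(themes),
        "url": bool(URL_RE.search(body)),
        "us_long_number": bool(US_NUMBER_RE.match(digits)),
        "opt_out_text": bool(OPT_OUT_RE.search(body)),
    }
    return {"components": components, "themes": themes,
            "score": sum(components.values())}


# Constructed sample messages (not real campaign data); .example is a reserved TLD.
SAMPLES = [
    ("+1 (305) 555-0142",
     "COVID-19 relief: you are eligible for a stimulus check. Claim it at "
     "http://stimulus-claim.example/apply Reply STOP to opt out"),
    ("72345", "Your pharmacy order is ready for pickup."),
    ("(786) 555-0199", "Running late, see you at 6"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = triage_sms(sender, body)
        print(sender, result["score"], result["themes"])
```

A score of 1 from the sender number alone says little, since ordinary contacts also use standard US numbers; the components matter in combination.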

Some media and research outlets suggest that there has been a shift in the context of smishing campaigns that correlates with the progression of the pandemic. For example, in the early stages of self-quarantine and lockdown measures, many campaigns centered on messages offering free premium streaming subscriptions or coupons. More recently with stimulus efforts underway, campaigns have shifted to financial relief, loans, or stimulus checks/promotions.

FBI Tweet regarding a fake Costco stimulus package promotion

Cybercriminals will continue to capitalize on the pandemic and adapt tactics to take advantage of the latest developments. We expect to see more smishing attacks, and more well-crafted ones, emerging from actors who see a unique opportunity in this environment.


Recommendations

  • Ignore the Unknown Sender: Always, and especially during this pandemic, be suspicious of messages sent from an unknown sender. Before you answer the message, try to identify who the number belongs to or if it is someone you know. Don’t respond or click on any links if you cannot be sure who the sender is.
  • Beware of Free Services, Money, or Survival Help: Messages promoting special offers, stimulus assistance, or medical and other essential supplies should be ignored.
  • Do not reply “STOP”, “NO”, or anything else to these messages: Responding could still be useful to the cybercriminal whether or not you click the link.
  • Don’t Click: Any message containing a link should be highly suspect as soon as you see it. This applies to everyday mobile or computer use. If you cannot verify or do not recognize the link, do not click it.

About the Author

Zac Blenden is a Threat Intelligence Analyst at Q6 Cyber with a focus on cybercriminal activity. Prior to Q6, Zac was a Penetration Tester and Threat Intelligence Analyst.