Cyber crooks are trying to steal passwords for small-business Microsoft accounts in the U.K. by sending phony emails promising government relief funds for businesses shut down by the coronavirus.
In a blog post yesterday (June 10), researchers from Abnormal Security said the email phishing campaign poses as correspondence from the UK Government’s Small Business Grants Fund (SGF).
“This attack is attempting to exploit current efforts by the government to provide relief funds for small business owners affected by Covid-19 closures and shelter-in-place orders,” the Abnormal Security report says.
“Although the requirements vary by country, applicants do have to provide documents proving their eligibility,” it says. “Since applicants are expecting email correspondence, this provides attackers with a unique opportunity to impersonate legitimate authorities and extract sensitive information from customers.”
Thousands of scam emails sent
The phishing email, estimated to have been sent between 1,000 and 5,000 times via an official Dropbox domain, asks recipients to click on a file called “COVID-19-Relief-Payment.PDF”.
Abnormal Security explains that the attack is a two-step process.
“The first step is the link provided in the email that leads to a standard Dropbox transfer landing page with the enablement [sic] to download the file. After clicking on the download button, the page is redirected to a phishing landing page.”
The second step directs users to a landing page containing an Office 365 image and a button that asks the user to “Access Document”. The researchers warned that this is where the intent is revealed: to gain access to the user’s Microsoft username and password.
Once the recipient follows these instructions and fills out the provided forms, the researchers say, the recipient’s Microsoft credentials will be compromised, which can result in financial loss.
This attack is effective for several reasons. Users are asked to complete the form urgently, the email comes from a convincing sender and uses legitimate email headers, and the user may be expecting correspondence anyway if they’ve already applied for the fund.
To make sure you don't fall victim to this scam, enable two-factor authentication on your Microsoft account. That will make it much more difficult for crooks to access the account, even if they do manage to steal your username and password.