The Government of India has issued an advisory on Covid-19 related phishing attack campaigns by threat actors. According to the Cert-In, the new phishing attack could imitate government organizations and can steal personal and financial information.
As per the new advisory, the phishing attack which is conducted by “malicious actors”, will be done in the disguise of a Covid-19 related directive and it is expected to start on 21 June. These attacks are believed to target both individuals as well as large and small business organizations.
Cert-in statement reads that the phishing campaign is expected to use malicious emails that masquerades as from local authorities in charge of distributing government-funded Covid-19 support initiatives. These emails will take the receivers to a fake website and are tricked to download malicious files or enter their personal or financial information.
The attackers are believed to be a part of the financial aid passed out by the government to deal with Covid-19. The malicious actors can ask the recipient for sensitive personal information as well as banking information which could be used by them to perform thefts. According to the advisory, these malicious actors have up to 20 lakh email IDs of individuals.
The attackers are planning to send emails with the subject free Covid-19 testing for all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad, urging them to provide personal information. These email IDs will look very much similar to official government domains and can easily be mistaken for the original. The advisory claims an email ID like ‘[email protected]’ could be used in the phishing attack.
The government agency in charge of cybersecurity listed certain rules for the users to follow.
- Users must not download or open attachments from unsolicited emails.
- Avoid clicking on any URLs in such emails.
- Always make it a best practice to visit the original website and access the page.
- Check for any spelling mistakes or irregularities in the email.
The attackers try to convince the users by offering some rewards in their phishing emails. The receiver must not submit their personal or banking details, however convincing the email is.