Recent Posts

Recent Blog Posts

The PhishLabs Blog

COVID-19 Phishing Update: Nigerian Prince Lures Evolve with Crisis

Posted by Jessica Ellis on Apr 3, '20

Threat actors are repurposing Nigerian Prince or 419 lures with novel coronavirus messaging to capitalize on the current pandemic. Today’s examples demonstrate how they are doing it.

We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic. 

 

Dept of Treasury


In the above, the subject line and email body impersonate the Department of the Treasury. The sender’s address however, comes from a known banking phish. The lure is a classic advance-fee scam, with the infrastructure edited to increase the probability of a reply.

 

419 plymouth

The second example is sent from a compromised email account belonging to a medical organization. It was likely because of this that the email was able to make it through the spam filter of the financial institution that received it.

 

The threat actor uses a burner gmail address who.specialfundsdpt01@gmail.com as the Reply To, further enhancing credibility by implying ties to the virus. 

 

The pandemic has given 419 scams another opportunity to evolve. As we see an increasing number of familiar lures leveraging COVID-19, it is clear that most threat actors aren’t reinventing the wheel, they are simply following the latest trend. 

 

For more intelligence on COVID-19 threats, see our ongoing coverage.

Topics: COVID-19

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all