COVID-19 Credit Card Phishing - Abnormal Security

COVID-19 Credit Card Phishing

In this attack, attackers are impersonating a major credit card provider and attempting to deceive victims into divulging their login credentials by sending COVID-19-themed emails that direct recipients to convincing landing pages.

Quick Summary

  • Platform: Office 365
  • # Mailboxes: More than 50,000
  • Email Gateway: Proofpoint
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation, Email Spoofing

What was the attack?

  • Setup: This attack leverages the uncertainty around the spread of COVID-19 as everyone focuses more on safety and security during these times. As markets crash, the attacker knows that people will look to protect their financial assets, and thus be vulnerable to attacks claiming to secure their bank accounts.

  • Email Attack: This attacker crafted a convincing email and landing page that appeared to come from a major credit card provider. The email masquerades as an important notification asking recipients to secure their bank accounts during this difficult time.

  • Payload: The email contains a link to a fake credit card login page. The phishing page is hidden behind a redirect which hides the true URL of the page, which attackers likely control and will use to steal the victim’s bank login credentials.
  • Result: Should recipients fall victim to this attack, their bank account and other personal information stored on the bank’s website will be at risk.

Why is this attack effective?

  • Urgency: This attack utilizes uncertainty created by the COVID-19 pandemic, and urges the user to prevent fraud during the lockdown by logging in and updating their account. As a result, the user is preoccupied with securing their account rather than checking if the link is  legitimate, and therefore be less scrutinizing of the attack.
  • Spoofed email/sender: The email and landing page that the attacker created were convincing. The landing page almost replicates the true credit card provider’s landing page. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials.
  • Concealed URLs: The URLs were wrapped with redirect links so the user would be unable to tell if the links redirected to the authentic credit card provider’s webpage. Attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content