Cyber criminals have added monkeypox to their arsenal of tricks used to scam victims into revealing personal information.
Researchers at Mimecast Threat Intel have discovered an email phishing campaign that is attempting to use the emerging monkeypox outbreak to con employees into sharing their personal information.
Tim Campbell, head of threat intelligence at Mimecast, says: “Monkeypox is high on the news agenda so it comes as no surprise that cyber criminals are exploiting it.”
He says attackers tweak their phishing campaigns to be as timely and relevant as possible, and use a range of attack methods to exploit newsworthy, current events to try to lure people who are busy and distracted into clicking on links in emails, applications or texts.
In this latest instance, they are using monkeypox as an opportunity to send company employees phishing emails about ‘mandatory monkeypox safety awareness training’.
This new campaign sees recipients being asked to click on a link to complete ‘mandatory training’ as part of a purported new company policy.
The phishing email is carefully crafted to look like an internal company email, putting staff members at risk of clicking the link and entering their login details, which will then be harvested and used to access systems within the company to exfiltrate information.
Phishing scams remain a popular attack method against local organisations, with 65% of respondents in Mimecast’s State of Email Security 2022 reporting an increase in these attacks over the past year.
This latest campaign highlights two things: threat actors will exploit the fear and uncertainty caused by this recent news, and businesses need cyber security awareness training to lessen the chance of employees falling for this type of scam.
Campbell said it’s widely understood that when it comes to cyber attacks, it is a question of “when”, not “if” one will happen. “It is important for organisations to have adequate cyber security measures in place as well as a well-rehearsed cyber resilience response plan.”