Executive Summary:

Since January, ITC’s Security Operations Centre (SOC) has been monitoring threat actors against the healthcare sector and their attempts to take advantage of COVID-19.

The attacks were initially rudimentary. Victims were targeted with phishing emails pretending to be from the World Health Organisation. However, during the past couple of months these attacks, which capitalise on people’s fears, have started to employ more sophisticated intrusion methods. Even Advanced Persistent Threat (APT) groups have been using COVID-19 as a mechanism for their malware campaigns.

The SOC has monitored attackers using phishing emails pretending to be from the UK government. These feature links which, when clicked, install viruses or even ransomware on unsuspecting users’ machines.

The graph below shows the Top 10 Cyber Attack Methods seen since January, taking advantage of COVID-19:[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”10460″ img_size=”full” alignment=”center”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text css=”.vc_custom_1585742151526{margin-bottom: 0px !important;}”]Our intelligence over the reporting period clearly shows the increase in cyber-attacks. The data in the graph below shows over 1,100 different cyber-attacks being used in March:[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_single_image image=”10461″ img_size=”full” alignment=”center”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text css=”.vc_custom_1585742241751{margin-bottom: 0px !important;}”]


ITC’s SOC has deployed Covid-19 cyber-attack detection Use Cases to all managed service customers based on indicators of compromise (IoC) gathered. These IoCs are reviewed regularly to ensure any new intelligence is correctly reflected in our detection Use Cases.

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are important to set up for your domains. This ensures integrity of your domains and helps stop attackers from sending emails on your behalf.

ITC Secure can provide you with a list of URLs currently being used in COVID-19 related cyber-attacks, free of charge. Please get in touch at [email protected].


Emphasise good cyber hygiene across your business, ensure all personnel are aware of the potential outcomes should they click on a link or download an attachment within a suspicious email. Given the current climate and the increase in remote working, educate staff so they are aware of Covid-19 threat actors and provide guidance on what to look out for.

Ask the following questions when faced with a suspicious email:

  1. Who has sent me this email? Look at the sender address. Spot the obvious, is Paypal trying to send you an email from an ‘@yahoo’ or @gmail’ public domain.
  2. Is the sender address spelt correctly? At an initial glance you may see ‘’, but really it is ‘@paypal.c0m’.
  3. Spelling, grammar and punctuation. Is the email written well with correct spelling and grammar?
  4. Suspicious links or attachments. Check the name of attachments, does the document claim to be a PDF but the file extension is different to ‘.pdf’? If there are a number of links, before clicking on the link see where it leads to. Are you confident you can hover your mouse over the link and see where it leads by looking at the bottom left of your screen?
  5. Does the email create a sense of urgency? Most emails will ask you to act NOW and act SPEEDILY because if the invoice is not paid within the hour you will be cut off from the service provided.

Attackers may also use this opportunity to pretend to be someone within the company in order to get you to open the email, a frequent impersonation we see is that of the CEO or CFO. If you have doubts, best practice would be to confirm with the person named on the email whether the request is legitimate. This should be done via a different method, such as a phone call, text message to a known number, or an IM message via Skype, Teams of an equivalent channel of communication.

If you have taken all the above steps and are still suspicious about the legitimacy of the email, delete the email.

Remember, be vigilant, and if in doubt, ask.

If you have any concerns or questions, please feel free to get in touch with us at [email protected].