Scammers Targeting New Remote Workers with Fake IT Emails

man using computer

Security researchers have spotted scammers targeting new remote workers with fake emails from their employers’ IT departments.

Inside the New Wave of Opportunistic Scams

In a recent campaign detected by AppRiver, malicious actors sent out an attack email purporting to originate from their employer’s IT Helpdesk. The email claimed that IT personnel were working on creating a staff portal for the purpose of helping personnel keep track of their assigned tasks. At that point, the email instructed recipients to update their section of the new staff portal by visiting a shortened bit[.]ly link that redirected them to an OWA phishing page.

David Pickett, senior cybersecurity analyst at AppRiver, said that threat actors could turn to a different medium as another way to conduct their scams:

"Skilled social engineering actors may also conduct these types of scams via phone or in-person. It’s typical for these attackers to use automated tools such as Social Mapper or the numerous LinkedIn scraping tools to gain intelligence from social media sites and employment listings. These tools allow anyone to gain tremendous company data - including employees titles, organizational structure, known contacts, and even technologies the target company utilizes in order to help increase the sense of legitimacy in their attacks."

Other Reports of Email Scams Targeting Remote Workers

AppRiver is not alone in its reporting of these types of ploys. For instance, the Wall Street Journal covered a rise in phishing email attacks in which malicious actors used information about recipient organizations’ remote-work plans as a lure. They said they would give this information to recipients if they handed over some personal and/or work-related information, presumably as a means of stealing access to their accounts and spreading the ruse throughout the organization.

Colm McDonnell, head of risk advisory at Deloitte, also witnessed these attack attempts. He went on to explain that these and other malicious efforts are likely to become increasingly commonplace as more employees move to remote work in light of the ongoing health crisis. As quoted by Newstalk:

"Over the coming days and weeks more people will be logging on remotely to their company VPNs, who previously may never have. As these people might be unfamiliar with the portal page or MFA, they may be more susceptible to rogue e-mails from third parties masquerading as genuine company IT, VPN provider or MFA provider."

In the process of adjusting to their new working situation, employees might also not be in the right frame of mind to spot phishing attempts or raise a query to protect others, noted McDonnell. This could further augment the success of these types of attacks.  

Protecting Remote Employees Against Fake IT Attacks

On March 13, 2020, the U.S. Department of Homeland Security (DHS) published a series of digital security insights for organizations in this moment of crisis. DHS specifically urged them to secure systems that enable remote access by setting up a VPN, implementing system monitoring to watch for abnormal behavior, requiring all employees use multi-factor authentication and ensuring that all remote work machines have properly configured firewalls and anti-malware solutions. Organizations should test these solutions to determine their compacity, and they should make sure to proactively educate their remote workforce about these solutions and how employees can use them properly.

Steve Salinas, the VP of Product Marketing at Deep Instinct, also emphasized the importance of organizations deploying password management software across all workstations, remote and on-premises, and working with employees to limit the types of tasks for which they can use their work-related devices.

“If working from home is new to your employees, you need to make sure they understand that the corporate laptop is for work purposes only,” Salinas explained to the author in an email. “Of course, you don't need to worry about the employee getting weather or news updates on the computer, that is normal, but what you don't want to find out is that their 14-year-old son used it to stream FIFA 2020 on Twitch from midnight to 4 am. While he may have no malicious intent, his use of the computer opens up the potential for an attacker to entice him to click on a link or open a document that could silently install a malicious application. Now the attacker has struck gold with a backdoor into a broader corporate environment. The remedy here is an easy, non-technical one. Grab a large sticky note and write in big, bold letters – WORK COMPUTER – DO NOT TOUCH – and affix to screen.”


Finally, organizations should consider investing in an email security solution that’s capable of scanning incoming messages for IP addresses, patterns, IP addresses and other signatures that are associated with known attack campaigns. This tool should conduct this analysis in real-time, all while allowing legitimate business correspondence to reach their intended destinations.

Defend your remote workers with Zix’s advanced threat protection tools today.