How Phishing Attacks Targeted Healthcare During COVID-19

Cyber criminals treated COVID-19 as an opportunity, flooding the internet with phishing emails at a rate that tracked infection numbers almost exactly. From the WHO to South African private hospitals, no healthcare organisation was off limits.


We have partnered with Sendmarc to help make email safer for everyone. This guest post, written by Sendmarc, looks at the phishing surge that ran alongside the COVID-19 pandemic and what organisations can do to protect themselves.


Covid-19 brought one health crisis. Cyber criminals brought another.

The number of attacks on frontline healthcare providers surged almost in lockstep with infection numbers. The disruption was real, the risk to patients and staff was real, and the motive was straightforward: fear, urgency, and panic create opportunity.

In this article we will explore:

The healthcare industry victims

The WHO, hospitals, solidarity funds, and patients are under attack.

The phishing explosion

Impersonation attacks competed with Covid-19 for the fastest-growing crisis of 2020.

Sound the alarm

Interpol, the FBI, the CyberPeace Institute, Nobel Laureates, and Archbishop Emeritus Desmond Tutu called on governments to act.

How vulnerable is the SA healthcare sector?

Sendmarc studied 219 hospitals, clinics, and laboratories.

Is there a cure?

How to test your domain for vulnerability and stop impersonation attacks before they happen.


In March 2020, global security vendor Barracuda reported that phishing emails had spiked by over 600% since February. Criminals were capitalising on the anxiety generated by the virus. A third of those attacks used brand impersonation to steal money and data, or to deliver malware.

Antivirus company Avast confirmed the same pattern. CISO Jaya Baloo reported that Avast blocked over 1.3 million phishing attacks misusing the COVID-19 crisis between January and May 2020. "Healthcare providers perform critical operations and hold vital patient information, which makes them attractive targets for threat actors," Baloo said.

"The rate of growth in phishing attacks correlates almost perfectly with the rate of increase in Covid-19 infections."

In April, FBI Deputy Assistant Director Tonya Ugoretz confirmed that the bureau had seen a fourfold increase in cybercrime reports compared to the early months of 2020. The schemes involved fraudulent internet domains, fake charities, fraudulent loan offers, and promises of PPE delivery.

"There was this brief shining moment when we hoped that cyber criminals are human beings too, and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale," Ugoretz said. "Sadly that has not been the case."

When comparing phishing attack volumes against global COVID-19 infection numbers, the growth curves track each other closely. The graph below, compiled by Sendmarc from Barracuda and WHO data, makes the relationship plain.

Graph created by Sendmarc from Barracuda; WHO


By May, the threat had become serious enough that the Geneva-based CyberPeace Institute wrote a formal plea to governments to protect healthcare institutions. Eight Nobel laureates signed it, including Archbishop Emeritus Desmond Tutu.

"These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients," the Institute wrote. "Governments should assert in unequivocal terms: cyber operations against healthcare facilities are unlawful and unacceptable."

In April, Interpol issued a warning that criminals were using ransomware to hold hospitals and medical services hostage, blocking access to files and systems until a ransom was paid.

Example 1: The WHO

The World Health Organisation reported a fivefold increase in cyber attacks from early March compared to the same period the previous year. Attacks were directed at both staff and the public.

Towards the end of April, around 450 WHO staff email addresses and passwords were leaked online, along with thousands belonging to others working on the virus response. At the same time, scammers began targeting the public by email, posing as the WHO and soliciting donations to a fictitious fund rather than the genuine COVID-19 Solidarity Response Fund.

Example 2: University Hospital Brno, Czech Republic

Hospitals processing large volumes of personal data from COVID-19 testing became prime targets.

"It was believed that the hospital's IT infrastructure became encrypted with ransomware most likely originating from a fraudulent email."

In March, the University Hospital Brno, the Czech Republic's second largest hospital, fell victim to a major cyber attack that forced it to cancel planned operations and divert acute patients to nearby facilities. Ransomware, most likely delivered via a phishing email, encrypted the hospital's IT infrastructure.

Petr Spirik, a Prague-based cyber-incident responder with PricewaterhouseCoopers, described the incident as part of a broader pattern.

"The root cause for this rising level of successful attacks against our hospital sector is the overall underfunding in the IT security infrastructure," Spirik said.

Example 3: The Life Hospital Group, South Africa

Closer to home, Life Hospital Group suffered a cyber attack in June 2020 that hit its admissions systems, business processing systems, and email servers. Patient care was not directly affected, but hospitals across the group had to switch to manual processing, causing administrative delays.

Dominic White, CEO of cyber-security firm SensePost, pointed to ransomware as the likely cause. "Ransomware is pretty opportunistic and, because of the pressure on hospitals, attackers are guessing people will pay to make it go away quickly," White said.

Life Healthcare acting group CEO Pieter van der Westhuizen expressed the human cost plainly. "We are deeply disappointed and saddened that criminals would attack our facilities during such a time when we are all working tirelessly and collectively to fight the COVID-19 pandemic."

Is there a cure?

Interpol advises staff not to open emails from untrusted sources and not to click links they were not expecting. That is sound advice, but it places the full burden on the individual. Criminals have become skilled at forging legitimate-looking emails, which makes that judgement call harder every year.

The more reliable approach is to apply technical controls before an email ever reaches an inbox. One of the most effective is making sure your domain is DMARC compliant.

"As a first step, domain owners should know their domain safety score. Less than 3/5 requires action."

What is DMARC and why does it matter?

Cofense's 2016 Phishing Susceptibility Report found that 91% of cyber crime starts with a phishing email. Those attacks target staff, customers, patients, and anyone else a criminal can reach.

DMARC is a global cyber security standard built to stop criminals from impersonating your corporate email domains to commit spoofing and phishing attacks. It works at the infrastructure level, before a message lands in anyone's inbox.

For more on how DMARC works, visit Sendmarc.co.za and DMARC.org.
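
What a DMARC check looks at, as an added example that is not Sendmarc's Safety Score tool or code from this article: a domain's DMARC policy is a DNS TXT record published at _dmarc.<domain>, and the code below parses such records and classifies how much protection each one gives. The sample records, the example.org names, the function names and the status labels are assumptions made for illustration.

```python
# Added example: classify DMARC TXT records by how much protection they give.
# Sample records are constructed; the status labels are this example's own.
SAMPLE_RECORDS = {
    "monitor-only.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial.example.org": "v=DMARC1; p=quarantine; pct=25",
    "subdomain-gap.example.org": "v=DMARC1; p=reject; sp=none",
    "enforced.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "spf-only.example.org": "v=spf1 include:_spf.example.org -all",
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Classify a TXT value: missing, invalid, monitoring, partial or enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"      # receivers get no instruction for spoofed mail
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject") or not pct.isdigit():
        return "invalid"
    if int(pct) > 100:
        return "invalid"
    if policy == "none":
        return "monitoring"   # reports only; failing mail is still delivered
    if int(pct) < 100 or tags.get("sp", policy).lower() == "none":
        return "partial"      # only a sample of mail, or subdomains left open
    return "enforced"         # quarantine or reject applied to all failing mail


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:28} {assess(record)}")
```

A record that classifies as "monitoring" is a common interim state: it collects reports but does not stop a spoofed message from being delivered.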

Sendmarc CSO and co-founder Sacha Matulovich offers a practical first step. "To help people determine the vulnerability of their domain name, we've come up with a free DMARC Safety Score tool. The tool allows you to input your domain, and a resulting score of less than four out of five means you should ask your IT provider to help you become DMARC compliant."

Frequently asked questions

How much did phishing attacks increase during COVID-19?

Security vendor Barracuda reported a spike of over 600% in phishing emails between February and March 2020. The FBI also recorded a fourfold increase in cybercrime reports compared to the early months of that year.

Why were healthcare organisations targeted by cyber criminals during the pandemic?

Hospitals and healthcare providers hold sensitive patient data and run critical systems that cannot afford downtime, which makes them willing to pay ransoms quickly. Criminals also exploited the fear and urgency around COVID-19 to make phishing emails more convincing.

What is DMARC and how does it protect against phishing?

DMARC is a global email security standard that stops criminals from impersonating your domain to send phishing or spoofing emails. It works at the infrastructure level, blocking fraudulent messages before they reach any inbox.

How can I check if my domain is vulnerable to email impersonation?

Sendmarc offers a free DMARC Safety Score tool. Enter your domain and if the score comes back below four out of five, you should speak to your IT provider about making your domain DMARC compliant.