The increase in global cyberattacks in 2020 is off the charts! So far, during the current COVID-19 pandemic, the number of phishing email attacks is up over 600 percent, according to a recent Barracuda Networks report.
Of the COVID-19 phishing attacks, 54% were classified as scams, 34% as brand impersonation attacks, 11% as blackmail and 1% as business email compromise (BEC).
Sadly, the news gets worse before it gets better. The trend during the pandemic has been to target individuals, healthcare and hospitals, and remote workers. This trend is part of a wider trend of cyber criminals becoming more adept at targeting specific groups of people based upon their profile and vulnerabilities.
In the past, phishing attacks were generally blasted out to a large audience, on the theory that a wide net would trick a significant number of people into clicking on emails or other social media messages. Today phishing attacks are often directed at specific groups on specific topics.
What happens if you click? There are many potential outcomes to falling for phishing attacks, ranging from a clicked link that takes you to a malicious website, to malware that installs a keylogger that steals sensitive data, to ransomware that paralyzes the business by encrypting its data. During the pandemic, ransomware has crippled hospitals, disrupting patient care and even costing lives, as recently happened in Germany.
And remember that phishing is not just limited to email messages. Staff need to understand that phishing can also come from a telephone call or a text message. And these targeted attempts to gain access to sensitive information are going after medical records, personal information, company intellectual property, classified intelligence information and much more.
Reasons and Methods
Perhaps you wonder: Why is this happening now? Or, why is this exploding so fast in 2020? Let’s discuss the evolution of phishing attacks.
First, there is phishing. In phishing, the bait is a clever message and you are the fish. We fall for the phishing bait, because the phishers are masters of disguise and manipulation. The bad guys play on our emotions and desires.
Most phishing scams cast a wide net trying to get a reaction from as many people as possible. They do this by imitating trusted brands like Wells Fargo Bank, PayPal, UPS, Google or Microsoft in their messages.
Although the wide-net approach is still commonly used, phishing attacks evolved to be more sophisticated and “spear phishing” became common. Spear phishing is similar to phishing, except the attack is more targeted, sophisticated and often appears to be from someone you know such as a company colleague, your bank, a family member or a friend. The message may include personal information like your name, where you work, and perhaps even a phone number or other related personal information – unfortunately, information that is all-too-easily purchased on the dark Web. Spear phishing is also done by phone (vishing), where calls appear to come from a trusted organization (e.g. your bank, lender, phone company) and have a local area code and prefix displayed on your phone’s caller ID.
The phishing evolution continued with increasingly sophisticated attacks including whaling and business email compromise (BEC) attacks. Whaling is a form of spear phishing attack where the criminals go after the big fish (or top executives). Attacks are often carried out via multiple channels in addition to email. BEC attackers use email fraud to trick employees into performing an activity to the detriment of the organization by impersonating the organization’s executives, key staff, or their vendors, partners or customers. Cyber criminals commonly use BEC attacks to steal money through invoice or payment fraud, but also to steal sensitive data and communications.
In 2020, phishers added a new attack strategy focusing on the pandemic, going after individuals and businesses when they were most vulnerable. By crafting their messages around hot topics such as COVID-19 case and death counts, prevention methods, testing and vaccines, phishers played on people’s fear and anxiety when their defenses were down.
What Actions Can You Take to Protect Against Phishing Attacks?
Phishing attacks are becoming increasingly sophisticated, and your employees are both the prime targets and your best defense. Here are seven strategies that businesses should follow to protect themselves and their employees against increasingly targeted phishing attacks:
- Educate your employees. Provide a comprehensive security awareness training solution to employees that not only provides phishing training, but addresses all the threats employees face, such as the Security Awareness Training Program offered by Security Mentor.
- Provide targeted security awareness training. Many phishing attacks focus on executives, specific work roles, and today remote workers. Provide training to these targeted employees that addresses the unique threats they face.
- Conduct phishing simulation. Identify vulnerable employees and train them to resist phishing using simulated phishing campaigns. Deploying an effective phishing simulation program requires a thoughtful approach that must be adapted over time to current events and the current threat environment.
- Consider doing a “roadshow” for key staff. A security roadshow is an information sharing meeting or forum for key staff, where you can raise awareness of the latest phishing attacks and online fraud techniques. Yes — include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions.
- Review existing processes, procedures and separation of duties for financial transfers and other important transactions. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk assessments may need to be revisited given the increased threats.
- Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff. Employees need to understand the latest techniques being deployed by the dark side. You also need authorized emergency procedures that are well-understood by all.
- Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
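The “CEO’s Gmail account” red flag and the out-of-band policy above can be backed by a first-pass technical check at the mail gateway or in the phish-reporting triage queue. The script below is an added example written for this article; it is not code from Security Mentor or from the Barracuda report. It assumes a hypothetical corporate domain (`example.com`), a constructed executive roster, and a short list of pressure phrases, and it screens three constructed messages for the BEC indicators the list describes: an executive display name on a non-corporate address, a free webmail sender domain, a Reply-To that points away from the sender’s domain, and urgency or payment language in the subject or body.

```python
import email
from email import policy

# Hypothetical corporate domain and executive roster, constructed for this example.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "aol.com"}
# Phrases that commonly accompany BEC and payment-fraud pressure (illustrative list).
PRESSURE_TERMS = ("urgent", "immediately", "wire transfer", "gift card",
                  "confidential", "bank details")


def screen_message(raw: str) -> list[str]:
    """Return warning flags for one RFC 5322 message; an empty list means nothing tripped."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags: list[str] = []

    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["missing or unparseable From header"]
    sender = from_hdr.addresses[0]
    display = sender.display_name.strip().lower()
    addr = sender.addr_spec.lower()
    domain = sender.domain.lower()

    # 1. Display name matches a known executive but the address is not theirs.
    if display in EXECUTIVES and addr != EXECUTIVES[display]:
        flags.append(f"display name '{sender.display_name}' matches an executive but sender is {addr}")

    # 2. Sender uses a free webmail domain (the "CEO's Gmail account" case).
    if domain in FREEMAIL_DOMAINS:
        flags.append(f"sender domain {domain} is free webmail, not {COMPANY_DOMAIN}")

    # 3. Reply-To steers replies to a domain other than the sender's.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != domain:
            flags.append(f"Reply-To domain {rt_domain} differs from From domain {domain}")

    # 4. Pressure or payment language in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    hits = sorted(term for term in PRESSURE_TERMS if term in text)
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags


# Constructed sample messages; addresses and names are invented for this example.
SAMPLE_MESSAGES = {
    "exec_impersonation": """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: finance@example.com
Subject: Urgent wire transfer

I need you to process a wire transfer immediately and keep this confidential.
""",
    "legit": """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 planning deck

Attached is the draft for Thursday; comments welcome.
""",
    "reply_to_swap": """\
From: "Accounts Payable" <ap@example.com>
Reply-To: <billing-update@vendor-mail.net>
To: finance@example.com
Subject: Updated remittance information for invoice 4471

Please update our bank details on file before paying the attached invoice.
""",
}


def screen_samples() -> dict[str, list[str]]:
    """Screen every constructed sample and return the flags raised for each."""
    return {name: screen_message(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, flags in screen_samples().items():
        print(f"{name}: {flags or 'no flags'}")
```

A message that raises any flag is a candidate for the out-of-band verification step (a phone call to a known number, never a reply to the message) rather than an automatic block; legitimate executives do sometimes write from personal accounts, which is exactly why the policy should make that a trigger for verification instead of a judgement call by the recipient.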
In conclusion, addressing the evolving, increasingly-targeted phishing threats requires a multi-faceted approach that focuses on both people and processes.