The past year has been a rollercoaster of history-defining events that we’ve collectively watched and experienced in a state of disbelief. While we’ve been focused on the ins and outs of a global pandemic we never expected to experience in our lifetimes, an economic recession, a contentious U.S. election and an array of wide-reaching natural disasters, cybercriminals have been watching carefully and taking advantage of our distraction.
For most of us, it’s unfathomable to think about capitalizing on tragedy for our own personal gain, but it’s a harsh reality that digital adversaries simply do not care. They are looking for the quickest route to the biggest payday, even if the means to the end are morally questionable. In this piece, we will explore the top five most surprising phishing attacks in 2020 to date and how individuals and organizations can not only identify these types of threats but protect their networks against them.
- The COVID-19 relief payment scam
In November, the IRS teamed up with multiple states and industry organizations to warn U.S. citizens of an SMS-based phishing scam teasing a $1,200 economic impact payment from the ‘COVID-19 TREAS FUND.’ It stated, "Further action is required to accept this payment into your account. Continue here to accept this payment …" The message then directed the user to a phishing site imitating the IRS.gov Get My Payment website, where the victims were asked to share their personal and bank account information.
- Imitating the CDC
There is also evidence of phishers sending emails posing as the Centers for Disease Control and Prevention (CDC). The messages typically contain links that claim to lead to infection-prevention guidance or COVID-19 vaccine information but actually deliver malware, which can infect the user's device, open the door to ransomware, or serve as a foothold into the user's company network.
- The small business loan lie
Cybercriminals know that businesses, particularly local and small ones, have been struggling to keep their doors open during the pandemic and have often turned to government loans to help prop them up through these tough times. Some particularly malicious hackers chose to imitate federal workers and contact business owners, asking for personal information under the guise of applying for small business relief loans through the CARES Act.
- Tax extension deadline schemes
Even before COVID-19 became a widespread threat in 2020, the IRS saw more than $135 million in falsified tax refund claims, an astronomical figure compared to the $15 million seen in the same two-month timeframe in 2019. With the Tax Day deadline extended to July 15 this year, phishers used the extra time to send phishing emails, texts and phone calls, increasing their payday by stealing tax refunds from hard-working Americans.
- Holiday charity fraud
Criminals also recognize that people want to give back more than ever during the holiday season, especially in such a tragic year. The FBI recently warned Americans to research any charity that emails them, and not to click on links or download attachments in those messages. Donations and personal data should go to the right place, not into scammers' pockets.
Most of us have likely encountered at least one of these scam attempts in 2020, but their impact depends on our knowledge of phishing risks, including how to spot and avoid them. A shocking number of individuals regularly fall for these attacks and compromise not only their own data but potentially their employers' networks in the process.
According to the 2020 Verizon Data Breach Investigations Report, social engineering attacks, which include phishing, are behind nearly a quarter of breach cases, and 96% occur via email. Most often, credentials, personal data, medical data and bank data are targeted and compromised.
So how can you, as an individual, catch these attacks?
- Be suspicious of unsolicited emails, texts or phone calls that press for an urgent response
- Check the actual sender address and domain, not just the display name
- Pay close attention to spelling and grammatical errors
- Hover over links to check their real destination before clicking
- Don't open attachments unless you are expecting them
- Use extra caution with unrecognized senders
- If in doubt, contact the organization the email claims to be from through a channel you already trust, and/or report the message to your security team
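The checks in the list above can be automated against a raw message. The following is an added example, not code from the original article: it parses an email, compares the display name with the real sender domain, looks for urgency wording and common misspellings, and compares each link's visible text with its actual destination, which is what hovering over the link would show. The sample message, the trusted-domain set and the tiny misspelling list are constructed for illustration; a real deployment would use its own allow-list and a proper spell checker.

```python
"""Added example (not from the original article): automate the checklist above against a
raw email message. The sample message and the tiny misspelling list are constructed for
illustration; in practice the trusted-domain list would come from your own allow-list."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the IRS payment lure described above.
SAMPLE_EMAIL = """\
From: "IRS Get My Payment" <notices@irs-gov-treasfund.com>
To: jane@example.com
Subject: URGENT: Action required to recieve your $1,200 payment
Content-Type: text/html; charset=utf-8

<html><body>
<p>Further action is required to accept this payment into your account.</p>
<p>Continue <a href="http://198.51.100.7/getmypayment/">here</a> or visit
<a href="http://irs-gov-treasfund.com/login">https://www.irs.gov/coronavirus/get-my-payment</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"irs.gov", "cdc.gov", "sba.gov"}        # where the impersonated brands really live
URGENCY_WORDS = {"urgent", "immediately", "action required", "within 24 hours", "suspended"}
COMMON_MISSPELLINGS = {"recieve", "acount", "verfiy", "informations"}  # stand-in for a spell checker


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over each link would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude registrable domain: the last two labels (fine for the .com/.gov samples here)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def _mentions_brand(text):
    """True if a trusted brand word ('irs', 'cdc', ...) appears as a whole word in text."""
    return any(re.search(rf"\b{re.escape(t.split('.')[0])}\b", text.lower()) for t in TRUSTED_DOMAINS)


def looks_like_brand(domain):
    """True for look-alikes such as 'irs-gov-treasfund.com' that are not the real trusted domain."""
    return domain not in TRUSTED_DOMAINS and _mentions_brand(domain.replace(".", " "))


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message (empty list = nothing found)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender address and domain, not just the display name.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _registrable(addr.partition("@")[2])
    if looks_like_brand(sender_domain):
        findings.append(f"sender domain {sender_domain!r} imitates a trusted brand")
    if display_name and _mentions_brand(display_name) and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name {display_name!r} does not match sender domain {sender_domain!r}")

    # 2. Pressure to act immediately.
    subject = (msg.get("Subject") or "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("subject demands an urgent response")

    # 3. Spelling errors in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    words = set(re.findall(r"[a-z]+", text.lower() + " " + subject))
    if words & COMMON_MISSPELLINGS:
        findings.append(f"misspellings: {sorted(words & COMMON_MISSPELLINGS)}")

    # 4. Where links really go, compared with what they claim to be.
    parser = _LinkExtractor()
    parser.feed(text)
    for href, visible in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {href}")
        if visible.startswith("http") and _registrable(urlparse(visible).hostname) != _registrable(host):
            findings.append(f"link text {visible!r} hides a different destination {href!r}")
        if looks_like_brand(_registrable(host)):
            findings.append(f"link host {host!r} imitates a trusted brand")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the checker reports the look-alike sender domain, the display-name mismatch, the urgent subject, the misspelling, the bare-IP link and the link whose visible text claims irs.gov while pointing elsewhere. The brand test uses whole-word matching so that a legitimate sender such as "First Bank" is not flagged merely because "first" contains the letters "irs".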
What can an employer do?
While employees are the first line of defense, security teams can prevent phishing scams from succeeding -- and even halt malware or data exfiltration if they do slip through the cracks. To help their staff in the fight against digital adversaries, organizations should:
Run a simulated phishing test
Even with the best training, humans make mistakes, and a personal experience often gets the message across far more effectively than a slide deck. Running a simulated phishing test reveals the company's true risk level. Several tools exist for this; in essence, the security team sends employees a realistic-looking email that mimics a phishing lure but is harmless. Depending on the tool, it can track results such as which employees opened the email and which clicked the links in it.
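The tracking behind such a test is simple to reason about. The following is an added example, not code from the original article or any product: each recipient gets a tracking token signed with a per-campaign HMAC key, so the landing site's access log can be attributed back to individuals without placing email addresses in URLs, and so guessed or tampered tokens are ignored rather than counted against someone. The `PhishingSimulation` class, the landing-site paths and the log lines are all constructed for illustration. It goes one step beyond the opened/clicked results the text mentions by also recording who reached a fake credential form, while deliberately never storing what they typed there.

```python
"""Added example (not from the original article): the bookkeeping behind a simulated
phishing test. Each recipient gets an HMAC-signed tracking token, so results can be
attributed without putting e-mail addresses in URLs and so guessed or tampered tokens are
ignored. The PhishingSimulation class, the landing-site paths and the log lines are all
constructed for illustration."""
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlparse

STAGES = {"/o": "opened", "/c": "clicked", "/s": "submitted"}   # tracking pixel, lure link, fake form
ORDER = ["sent", "opened", "clicked", "submitted"]               # funnel, in increasing severity


def token_of(url):
    """Pull the tracking token out of a generated URL (used by the demo below)."""
    return parse_qs(urlparse(url).query)["t"][0]


class PhishingSimulation:
    def __init__(self, base_url, secret=None):
        self.base_url = base_url
        self.secret = secret or secrets.token_bytes(32)   # per-campaign key, never placed in the mail
        self.recipients = {}   # opaque id -> e-mail address (stays server-side)
        self.stage = {}        # opaque id -> furthest stage reached

    def _sig(self, rid):
        return hmac.new(self.secret, rid.encode(), hashlib.sha256).hexdigest()[:16]

    def enroll(self, email):
        """Register one recipient and return the tracking URLs to embed in their copy of the lure."""
        rid = secrets.token_hex(4)
        self.recipients[rid] = email
        self.stage[rid] = "sent"
        token = f"{rid}.{self._sig(rid)}"
        return {"pixel": f"{self.base_url}/o?t={token}", "link": f"{self.base_url}/c?t={token}"}

    def verify(self, token):
        """Return the recipient id if the token carries a valid HMAC, else None."""
        rid, _, sig = token.partition(".")
        if rid in self.recipients and hmac.compare_digest(sig, self._sig(rid)):
            return rid
        return None

    def ingest_access_log(self, lines):
        """Advance recipients' stages from the landing site's access log; returns the number of
        events attributed. Whatever was typed into the fake form is deliberately not recorded."""
        attributed = 0
        for line in lines:
            m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
            if not m:
                continue
            url = urlparse(m.group(1))
            stage = STAGES.get(url.path)
            token = parse_qs(url.query).get("t", [""])[0]
            rid = self.verify(token) if stage else None
            if rid is None:
                continue   # scanner noise, mistyped or forged token: count it against nobody
            if ORDER.index(stage) > ORDER.index(self.stage[rid]):
                self.stage[rid] = stage
            attributed += 1
        return attributed

    def report(self):
        """Funnel counts (a click implies the mail was opened even if the pixel was blocked)
        and the recipients who went as far as the form, for follow-up training."""
        counts = {s: 0 for s in ORDER}
        for st in self.stage.values():
            for s in ORDER[: ORDER.index(st) + 1]:
                counts[s] += 1
        submitted = sorted(e for r, e in self.recipients.items() if self.stage[r] == "submitted")
        return {"counts": counts, "submitted": submitted}


if __name__ == "__main__":
    sim = PhishingSimulation("https://training.example.test")
    urls = {e: sim.enroll(e) for e in ("ann@example.com", "bob@example.com", "cat@example.com")}
    ann, bob = token_of(urls["ann@example.com"]["link"]), token_of(urls["bob@example.com"]["link"])
    log = [   # constructed access-log lines from the landing site
        f'10.0.0.5 - - [01/Dec/2020:09:01:02 +0000] "GET /o?t={ann} HTTP/1.1" 200 43',
        f'10.0.0.5 - - [01/Dec/2020:09:01:40 +0000] "GET /c?t={ann} HTTP/1.1" 200 1180',
        f'10.0.0.5 - - [01/Dec/2020:09:02:15 +0000] "POST /s?t={ann} HTTP/1.1" 302 0',
        f'10.0.0.9 - - [01/Dec/2020:09:10:00 +0000] "GET /c?t={bob} HTTP/1.1" 200 1180',
        f'10.0.0.9 - - [01/Dec/2020:09:10:05 +0000] "GET /c?t={bob[:-1]}x HTTP/1.1" 200 1180',
        f'198.51.100.20 - - [01/Dec/2020:11:00:00 +0000] "GET /c?t=deadbeef.0000000000000000 HTTP/1.1" 200 0',
    ]
    print(sim.ingest_access_log(log), "events attributed")
    print(sim.report())
```

Two design points matter in practice: the report is a funnel (someone who clicked is counted as having opened, since mail clients often block tracking pixels), and the fake form records only that a submission happened, never the credentials themselves, which a simulation has no business collecting.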
Check security access
Security professionals have long followed the principle of least privilege, which simply states that each user should have the lowest level of access necessary to do their work. By limiting what non-administrative users can do, security teams contain the damage should someone compromise an employee's credentials and use them to log into the network. Review which accounts hold elevated privileges and reduce the number of people who have standing higher-tier access.
Use email filters
Most email platforms already include spam and phishing filters; make sure they are enabled and kept current. Encourage users to report any phishing message that reaches their inbox, since reported samples help the filters do a better job.
Prepare a response plan
No matter what protective measures companies take, an attack is always a possibility. They can prepare for such an event by putting together an incident response plan and investing in modern tooling. Behavioral analytics, often marketed as artificial intelligence, alerts security teams to abnormal activity, such as an unusual attachment type or an unexpected email source country, that may indicate a phishing attack, so they can take protective measures early. Together with user education, this technology adds a layer of defense for devices and servers.
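Stripped of the marketing, the core of that analytics is a per-mailbox baseline and a score for how far a new message departs from it. The following is an added example, not code from the original article or from any product: it learns, for each recipient, which sender countries, sender domains and attachment types are normal from a history window, then scores new mail on the number of norms it breaks, with risky attachment types counted regardless of history. The mail records are constructed; in production the fields would come from the gateway's logs and its GeoIP lookup.

```python
"""Added example (not from the original article): a per-recipient baseline of the kind the
text attributes to behavioural analytics, reduced to counting. Records are constructed; in
production the fields would come from the mail gateway's logs and its GeoIP lookup."""
from collections import Counter, defaultdict

RISKY_EXTENSIONS = {"exe", "js", "vbs", "scr", "hta", "iso", "lnk", "docm", "xlsm"}
MIN_HISTORY = 5   # fewer past messages than this and the baseline is too thin to trust

# Constructed history: what the gateway saw for two mailboxes over the last weeks.
HISTORY = [
    {"to": "jane@example.com", "from_domain": "example.com", "country": "US", "ext": None},
    {"to": "jane@example.com", "from_domain": "example.com", "country": "US", "ext": "pdf"},
    {"to": "jane@example.com", "from_domain": "supplier.test", "country": "US", "ext": "xlsx"},
    {"to": "jane@example.com", "from_domain": "supplier.test", "country": "CA", "ext": "pdf"},
    {"to": "jane@example.com", "from_domain": "example.com", "country": "US", "ext": None},
    {"to": "jane@example.com", "from_domain": "bank.test", "country": "US", "ext": "pdf"},
    {"to": "bob@example.com", "from_domain": "example.com", "country": "US", "ext": None},
    {"to": "bob@example.com", "from_domain": "example.com", "country": "US", "ext": "docx"},
]

# Constructed new mail to score, including a CDC-style lure carrying a macro-enabled document.
NEW_MAIL = [
    {"id": "m1", "to": "jane@example.com", "from_domain": "cdc-alerts.info", "country": "RO", "ext": "docm"},
    {"id": "m2", "to": "jane@example.com", "from_domain": "example.com", "country": "US", "ext": "pdf"},
    {"id": "m3", "to": "jane@example.com", "from_domain": "partner.test", "country": "US", "ext": None},
    {"id": "m4", "to": "bob@example.com", "from_domain": "newvendor.test", "country": "DE", "ext": "zip"},
    {"id": "m5", "to": "jane@example.com", "from_domain": "example.com", "country": "US", "ext": "iso"},
]


def build_baseline(history):
    """Per recipient: message count plus counters of countries, sender domains and extensions seen."""
    base = defaultdict(lambda: {"n": 0, "country": Counter(), "domain": Counter(), "ext": Counter()})
    for rec in history:
        b = base[rec["to"]]
        b["n"] += 1
        b["country"][rec["country"]] += 1
        b["domain"][rec["from_domain"]] += 1
        if rec["ext"]:
            b["ext"][rec["ext"].lower()] += 1
    return base


def score_message(msg, baseline):
    """Return (score, reasons); each reason is one independent deviation from the recipient's norm."""
    b = baseline.get(msg["to"])
    ext = (msg["ext"] or "").lower()
    reasons = []
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky attachment type .{ext}")
    if b and b["n"] >= MIN_HISTORY:
        if msg["country"] not in b["country"]:
            reasons.append(f"first mail to this recipient from {msg['country']}")
        if ext and ext not in b["ext"]:
            reasons.append(f"recipient has never received a .{ext} attachment")
        if ext and msg["from_domain"] not in b["domain"]:
            reasons.append(f"attachment from never-seen sender domain {msg['from_domain']}")
    elif ext:
        reasons.append("attachment to a recipient with too little history to baseline")
    return len(reasons), reasons


def alerts(messages, baseline, threshold=2):
    """Messages whose score reaches the threshold, highest first, for an analyst queue."""
    hits = []
    for msg in messages:
        score, reasons = score_message(msg, baseline)
        if score >= threshold:
            hits.append((msg["id"], score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for mid, score, reasons in alerts(NEW_MAIL, build_baseline(HISTORY)):
        print(mid, score, "; ".join(reasons))
```

On the constructed data the CDC-style lure (new country, new sender domain, never-seen and risky .docm attachment) scores 4 and the .iso from a familiar sender scores 2, while routine mail scores 0; the threshold and the history window are the knobs that trade false positives against missed lures, and a recipient with too little history is flagged conservatively rather than silently trusted.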
While we all likely wish cybercriminals would see the stress this year has put on the world’s shoulders and back off, they’ve shown no signs of stopping. But with these personal and company-level steps above, we can make it a whole lot more difficult for them.