Do you remember the last time you fell, or almost fell, for a phishing email? I do.
I received an email notification while I was checking my phone: “Unlock your Amazon account”, apparently coming from an amazon.com address. Although unexpected, it was feasible, I had made a purchase on Amazon recently and had changed settings that could have locked the account.
Concerned, I opened the email.
The design matched Amazon’s style, there were no typos, and my phone’s email app interface just showed me the sender’s name rather than their email. I inspected the link and noticed it was fake.
It was one of the best phishing emails I’ve received in recent times. It managed to make me feel concerned while reading it. That’s the key.
Phishing is both simple to implement and effective. A relatively low-effort attack that can have a high reward. According to Verizon’s 2020 Data Breach Investigations Report, attackers used phishing in 22% of the investigated breaches. The quality of the attacks varies: we can go from the obviously fake, to sophisticated spear phishing campaigns that are fully customized.
The most effective phishing emails are typically those that tap into strong emotions that drive action. In “Thinking, Fast and Slow” Daniel Kahneman, Nobel Prize of Economics, proposed that humans have two modes of thought "System 1" which is fast, instinctive and emotional, and "System 2" which is slower, more deliberative, and more logical. Humans feel before we think. We are emotional beings.
Coronavirus presents a wonderful opportunity for cybercriminals to exploit our emotional selves, “System 1”, much easier. It’s a situation that’s intrinsically concerning, and that demands a high level of engagement to stay updated with the latest alerts and announcements. Imagine the spectrum of campaigns that would tap into a strong emotion:
- Concern / Fear: Infected near you, new negative effects, tracking apps
- Curiosity: remote work, fake cures or vaccines, meeting requests, refunds, fake package delivery
- Despair / Necessity: Medical equipment, financial aid
- Compassion / Kindness: Charitable contributions
Imagination is the limit.
What’s the Landscape as of May 2020?
The COVID-19 Cyber Threat Coalition, a coalition of cybersecurity experts working to protect individuals and organizations from COVID-19-related cyber threats, releases weekly threat advisories. Phishing appears constantly in these posts, as it’s one of the most prominent threats organizations face.
The phishing landscape has changed significantly since the pandemic started. Shortly after COVID-19 was officially declared a pandemic by the World Health Organization (WHO) on March 11th, registrars saw a spike in COVID-19 related domain name registrations, with a peak of around 5000 high-risk domains registered per day in the week of March 16th.
This number has gradually decreased since then, especially after domain registrars were requested to increase scrutiny around COVID-related sites by the New York Attorney General.
Source: DomainTools
However, as per the latest advisory from the Cyber Threat Coalition, it seems that the domain registrations shifted to the latest trend in the pandemic: masks.
Google’s threat analysis group reported that they’re detecting 18 million malware and phishing Gmail messages per day related to COVID-19, with health organizations and health agencies becoming targets as a result.
What Can We Do to Protect Ourselves And/Or Our Companies From This Constant Threat?
Phishing attacks tend to have one of these three main goals:
Credential Theft
Typically involving a link that sends the user to a fake look-alike website that requests credentials to login.
If the account is not properly secured with methods like Multi-Factor Authentication (MFA), the credentials obtained could result in an account takeover. The compromised account could then be used to access internal systems, which could cause a data breach that could have compliance-related consequences as per the relevant data privacy laws such as GDPR and CCPA.
Often involving impersonating an executive to trick someone into transferring funds or buying gift cards. This could have a high financial cost to the organization if it succeeds.
Malware Delivery
Usually involving downloading an infected document, or app that can cause a high impact disruption, like what happened with the WannaCry ransomware attack in 2017
These goals can help us categorize the preventive measures we can take:
Security Awareness
Empowering users to detect and report phishing attacks helps protect the organization no matter the type of phishing. It also helps the security team react faster thanks to their reports. We’re providing a free user awareness guide to help you raise awareness internally, and we’ve released some of our internal phishing training in our YouTube channel voiced by someone you would not expect 😉
We wouldn’t recommend doing fake internal phishing campaigns using Coronavirus as bait since it can be too distressing in this situation, and it may hurt trust within your organization. We would recommend rolling out awareness material constantly, explaining what the communication style is in the organization, sending alerts, or sharing examples of real phishing emails transparently, not as a test campaign.
Multi-Factor Authentication(MFA)
MFA protects your employees from an account takeover in the event of credential theft. Implementing it and rolling it out is very easy with Auth0.
Endpoint Protection
Antivirus solutions can protect your employees in the event of malware. There are plenty of options for the enterprise, so choosing one that fits your organization and culture will boost your defenses with minimal disruption.
Verification Processes for Payments and Invoices
Establish an internal verification process that requires multiple people to approve a payment or expense before wiring the money, and define specific methods to do so (e.g., no gift cards)
On top of all of this, it’s key to have an easy way for your users to be able to report these attacks to your IT or Security team, such as a dedicated corporate email address, and that the team can efficiently respond to these reports.
How can you stay updated on the latest COVID-related phishing trends?
Here’s where you can more closely monitor the situation as it evolves:
- FBI alerts
- Cyber threat coalition: weekly advisory and town hall, IP blocklist, community
- CISA (US) and NCSC (UK) alerts
Phishing is an ever-evolving threat that’s constantly present for most companies across all industries, and for most end-users alike. Whether it’s a generic bait, or a message adapted to the circumstances of the moment, like COVID-19, tax filing season, or Black Friday, it’s almost guaranteed to be a threat to consider at all times for companies of any size. Rather than being overwhelmed by the challenge, training employees, creating and sharing clear processes, and enabling measures like enforced MFA can be the difference between a bad data breach and creating a resilient organization with the ability to adapt in an evolving threat landscape.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Annybell Villarroel
Security Culture Manager