COVID-19: Phishing for Fear

As millions work from home with reduced IT security measures and an influx of COVID-19 emails, organizations must practice basic security awareness while also providing new best practices related to the pandemic.

The COVID-19 pandemic has forced millions of Americans to work from home, many for the first time. Seizing the opportunity to catch users unaware and subvert corporate security measures, malicious actors have ramped up phishing and malware attacks, which, Google reports, have surged to 18 million daily.

With IT and HR departments rushing to communicate new policies, procedures, and business updates in light of the pandemic, users are bombarded with emails and file attachments. It’s the perfect time for hackers to take advantage of employees conditioned to click on every email coming their way.

With nearly 90 percent of organizations having experienced a targeted phishing attack in 2019, this social engineering technique is one of the most common threats IT departments face. Now, hackers flavor their emails with COVID-19 buzzwords, in hopes of exploiting fear to get clicks on their malicious links and file attachments. Organizations and users should be on the lookout for emails from untrusted senders asking for donations, touting the most recent CDC guidance or virus statistics, insisting upon urgent action, and promising financial incentives.

While the end of the coronavirus pandemic is uncertain, organizations can act now to protect their users, systems, and data from phishing attacks. Inform all staff to:

  1. Open emails and file attachments only from known sources
  2. Visit only trusted websites for COVID-19 updates, such as those of the CDC, WHO, and NIH
  3. Report suspicious emails to the IT department
  4. Brush up on social engineering basics and COVID-19-specific guidance
  5. Remember that security is everyone’s responsibility

Fostering effective user security awareness is always important, but now the message must be tailored to address the current crisis. Using the subjects above as key points, speak with employees about COVID-19-related phishing attacks and about how employees are the front line in the fight against cybercrime.