Remote security: 5 common myths about phishing scams
Phishing scams are rising in the time of COVID-19. With expert help from IT leaders and security pros, we debunk 5 misconceptions.
Scammers will always try to capitalize on a crisis, and the COVID-19 pandemic is no exception.
Government agencies, security firms, and other organizations have been regularly issuing warnings about various online threats related to the public health crisis. They include a rise in phishing attacks that use COVID-19 – and related topics like medical supplies or government financial assistance – to attempt to dupe people into sharing login credentials, sending money, installing malware, and other mistakes. Plenty of “classic” phishing attacks are increasing too, targeting stressed, time-pressed people.
“In both the U.S. and UK, we are seeing a huge increase of scam emails offering quick access to government money, as well as cold-calling tactics where people get tricked into passing over bank account details in order to receive payments,” says Laurence Pitt, global security strategy director at Juniper Networks.
There’s a reason why malicious actors continue to use this seemingly tired, old tactic: Phishing works. That’s particularly true in a crisis. Cybercriminals are essentially betting that the anxiety and turmoil that so many people are currently experiencing will make them more likely to fall for the con. Add in large segments of the workforce suddenly and unexpectedly working from home – and relying on email, Slack, videoconferencing, and other digital communication tools more than ever – and you have a security tempest on the horizon.
5 phishing myths, busted
This is all compounded by a false sense of security among many of us. Phishing has been around forever, and most of us think we can spot a scam email or robocall with little effort. That is the first of five critical misconceptions about phishing that we’re here to debunk – with expert help from IT leaders and security pros.
Myth 1: Only rubes and noobs fall for phishing scams
This isn’t true even in normal conditions – and current conditions are anything but normal.
“The biggest misconception about phishing attacks is that tech-savvy users won’t fall for it,” says Matt Wilson, chief information security advisor at BTB Security. “When working with organizations and testing their security posture, we regularly succeed in carrying out a staged phishing attack, even when targeting IT, InfoSec, and senior management.”
The related misconception here is that all phishing attacks are obvious. That’s not true, either.
“Many phishing emails look exactly the same as a normal email from the relevant party,” Mike Bursell, Red Hat's chief security architect, noted recently. “To be clear, it is impossible for anyone, even an expert, to ascertain at first look whether a polished and sophisticated phishing email is genuine or not. There are ways to tell, if you’re an expert, by looking in more detail at the actual details of the email, but most people will not be able to tell.” He notes that he has nearly been caught recently, as have his family members.
Moreover, phishing attacks have become increasingly targeted to their individual recipients, making them harder to detect than most people expect.
“Attackers are increasingly mining data available via social media to tune their messaging and increase the chance of someone clicking on their malicious link,” Wilson says.
Pitt points out that even the practice of hovering over a link to see if the underlying URL looks valid isn’t foolproof: His team has noticed an increase in the use of obfuscated links that appear legitimate but then redirect to a malicious site.
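As an added illustration of the obfuscated-link problem Pitt describes (example code written for this page, not from the article or from Juniper), the check below scans an HTML email body and flags two patterns: an anchor whose visible text looks like a URL but names a different host than its real href, and an anchor whose href is a redirector carrying a full URL in its query string, so that a hover preview shows only the trusted-looking first hop. The sample email body and all host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased host of a URL; a bare host name is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def inspect_links(html_body):
    """Return (href, reason) findings for anchors that hide their real destination."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real_host = _host(href)
        # Pattern 1: the visible text looks like a URL for one host while the
        # href actually points at another (lookalike domain).
        if "." in text and " " not in text and _host(text) != real_host:
            findings.append((href, f"display text {text!r} != destination {real_host}"))
        # Pattern 2: the href is a redirector whose query string carries a full
        # URL, so the hover preview shows only the trusted-looking first hop.
        for values in parse_qs(urlparse(href).query).values():
            for v in values:
                if v.startswith(("http://", "https://")) and _host(v) != real_host:
                    findings.append((href, f"redirects to {_host(v)}"))
    return findings

# Constructed sample body (added example, not from the article): one clean link,
# one lookalike host, one redirector.
SAMPLE_EMAIL = """
<p>Confirm access: <a href="https://portal.example.com/login">https://portal.example.com/login</a></p>
<p>Or use <a href="https://login.examp1e-corp.test/">https://portal.example.com/login</a></p>
<p>Help: <a href="https://trusted.example.com/redirect?u=https://credential-harvest.test/">trusted.example.com</a></p>
"""
```

Running `inspect_links(SAMPLE_EMAIL)` flags the second and third links and leaves the first alone; a mail gateway or awareness tool can apply the same two checks before a user ever hovers.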
Even before COVID-19, CIO Jason James of NetHealth became a fan of frequent, specific phishing training for users – including, and especially, he says, C-suite executives. “Security awareness must be frequently tested to determine effectiveness,” he notes. “Use your security awareness solutions to create phishing attacks that are specific and relevant to your users, similar to how hackers could target your user base.” If it is tax season, send users a link for them to download their W-2 forms, he says. If a longstanding team member is retiring, create a LinkedIn request.
“I have been called sneaky or even mean because of some of the phishing tests I have created,” James notes, “but seeing a decline in successful internal phishing attempts reinforces why I must continue to test and reinforce awareness.” For more advice from James, read How to fight deepfakes and ransomware: Better security training.
Myth 2: This is the same old phishing threat
Again, these are not normal times. Even an apparently obvious phishing attempt – like the email with the subject line “Attractive prices for surgical mask in stock” that recently landed in my spam folder – can fool people in times of crisis. When their work and life in general has been upended, people may become more likely to open emails, click links, or download attachments that appear to be from a trusted source. Distraction is high.
“This is what the bad guys are relying on,” Pitt says. “It’s why these types of emails very often arrive at 3 p.m. on a Friday when people are getting ready for the weekend and therefore more likely to click first and think later.”
While phishing has been around forever, a “same ol’, same ol’” attitude is misguided. Abnormal conditions create abnormal risks.
“In a controlled environment with no stress, most people would laugh at the thought of their superior asking them to send $1,000 worth of gift cards to them right away to save a big deal,” says Jerry Gamblin, principal security engineer at Kenna Security, who adds that stress has been shown to lead people to make riskier decisions. “Now, with people at home and worries about job security, people are willing to do things they wouldn’t have a few days ago.”
Myth 3: Phishing risks are similar when working from home
With so many people suddenly working from home, phishing-related risks are fundamentally higher. Think about how many messages people are receiving at the moment, including from their employers, schools, and other trusted sources. Consider how many times a day people are now signing into different platforms and applications, some of them probably new or with far greater frequency. And again, consider the outsized levels of stress and distraction people are experiencing. The risk landscape has changed.
“Remote employees need to be extra vigilant for phishing attacks,” says Arun Kothanath, chief security strategist at Clango. “The rapid proliferation of work-from-home policies driven by COVID-19 creates a potentially serious identity and access management vulnerability, and offers a rare opportunity for bad actors to pose as employees to access critical information by exploiting and profiting from this crisis.”
The type of scam targeting remote workers that Kothanath’s firm is seeing most frequently right now is a phishing campaign that preys on the abrupt transition to remote work: the sender poses as an IT manager (or someone with a similar title) at the recipient’s employer.
“The email will typically ask employees to sign in to an online portal using their credentials to ensure they still have access to a business-critical resource [from home],” Kothanath says. “Attackers will capture those credentials and then can move laterally and vertically throughout an organization until they capture the data or access they desire.”
Let’s break down two more phishing myths: