How to Fight New Phishing Scams in the Midst of the Coronavirus

So far, the COVID-19 pandemic has shown the world a myriad of flaws, risks, and vulnerabilities in the everyday systems and behaviors that we take for granted. This extends to healthcare infrastructure in much of the world, obviously, but it applies just as strongly to the global supply chain, telecommunications networks, and cybersecurity. Toilet paper and hand-sanitizer shortages are rampant (at least in the US), remote work is taking a tremendous toll on existing mobile and Wi-Fi networks, and phishing attacks aimed at a nervous and wary populace are on the rise.

This last fact shouldn’t be too surprising—hackers will latch on to whatever happens to be in the news (whether that’s a global pandemic or a big sporting event), and they love to capitalize on a crisis. New web domains related to the coronavirus are cropping up online every day, and studies have found that those domains are 50% more likely than average to be run by malicious actors seeking to saddle you with malware or steal your email login credentials. We’re seeing the paramount importance of good physical hygiene—from frequent handwashing to covering up coughs and sneezes—but this global uptick in malicious web activity shows that it’s just as important to talk about good digital hygiene.

How Phishing Works

Of course, phishing isn’t just a COVID-19 problem. In the past five years, at least twelve percent of American businesses experienced a data breach, with the average cost of the breach in 2019 climbing to about $73,000. As attacks designed to steal corporate data are becoming more of a concern for CEOs and upper management, they’re also becoming more sophisticated. In the past, an attacker might have sent out dozens or hundreds of spam emails to see if anyone would take the bait, but today you’re more likely to find that individuals are being targeted specifically through spoofed email accounts that look like they’re coming from coworkers, management, or (more on this below) trusted organizations like the CDC.

In a typical attack, the malicious email might claim to be from a vendor who needs you to log in to their system to make a change to your account. When you’re redirected to a login page, the attacker steals your login information and uses it to impersonate you to that vendor, for instance. For coronavirus-related attacks in particular, hackers have been especially… creative, shall we say. According to the BBC, hackers have promised everything from a more accurate map of current infections to an actual cure for the virus:

  • In one phishing campaign, hackers misrepresented themselves as the World Health Organization, telling email recipients to click on an attached document to learn more about how to prevent the spread of the virus, saying, “This little measure can save you.” When users click on the attachment, the AgentTesla Keylogger infects their computers and sends a record of all of their keystrokes to the hackers.
  • Another campaign from hackers pretending to be the Centers for Disease Control and Prevention (CDC) warns users in the email subject line, “Covid-19 - now airborne, increased community transmission.” It instructs them to follow a link to a fake Microsoft login page, where it can steal victims’ credentials and gain access to their Microsoft accounts, before redirecting them to the real CDC’s actual advice page.
  • Another CDC forgery—with a fairly convincing address and signature—asks recipients to donate Bitcoins to help researchers find a vaccine for the virus. The CDC does not, in fact, accept Bitcoin donations.
  • Still more campaigns are asking users to enter their information into a malicious form in exchange for a secret cure to the virus, or a government stimulus check.

These are just a few examples of a wider trend, which could easily encompass hundreds of individual campaigns.

In each of these cases, hackers are preying upon people’s fears, uncertainties, and confusion—meaning that even conscientious users might be fooled. Sure, it’s easy enough to remind email users not to click on emails from senders they don’t recognize, to warn people against opening attachments that they didn’t specifically ask for, and to always confirm with coworkers in person or by phone that they’re actually sending the emails in question, but even that’s not always enough. On the corporate level, it only takes one less-than-cautious user to cause a data breach, and the losses can add up at a startling rate.

Other COVID-19-related Attacks

Up to this point, we’ve mostly talked about business email compromise (plus personal email compromise) as it relates to the coronavirus. In these cases, attackers mostly seek to profit, whether that’s through ransomware (i.e. extorting money from businesses in exchange for the removal of malware) or stealing login information. We’re even seeing attackers targeting healthcare facilities that may be understaffed or understocked with certain items like face masks, gloves, gowns, or respirators. In these instances, hackers might email a hospital or other medical facility promising to supply them with these items, in order to convince them to operate outside of their pre-established sourcing and invoicing workflows. From there, attackers can gain access to financial accounts and information, potentially even rerouting invoices from legitimate suppliers to themselves.

Then there have been the attacks aimed not at immediate profit but simply at slowing down the response to the virus. For instance, in the US, hackers launched a DDoS (distributed denial of service) attack at the Health and Human Services Administration (HHS), meaning that they overloaded the agency’s system in order to make it impossible for users to perform basic tasks. While it’s not clear exactly what the motivation is for these attackers (i.e. whether they expect to somehow profit from the attack in the future or if they’re simply trying to sow discord), it does fit clearly into the pattern that we’re trying to describe in this article: chaotic moments like the one we’re experiencing bring an increased element of digital risk no matter who you are. As such, everyone from private email users to large government agencies needs to be doing everything possible to maintain security standards. The question is, what does that actually look like?

How Can You Prevent Phishing?

When it comes to phishing in particular, there are a number of best practices that users and organizations alike can take.

For users:

  • Always think before you click, especially on links and attachments. If something doesn’t look right, it probably isn’t—only clicking on trusted links and attachments is the best way to prevent malware from being installed on your computer.
  • Examine links by hovering your cursor over them: this shows the URL you will actually be taken to, so you can tell whether you’re really headed to the CDC’s website or not. The visible text of a link can say anything, so compare the domain in the hover target with the one you expect.
  • Be wary of entering your personal or account information into forms or sending that information over email. For coworkers, vendors, and anyone else you might be communicating with, you can always restart communication through an alternate means before handing over information, such that you can be sure you’re talking to the right person.

For companies:

  • Run trainings with your staff, and send out periodic “test” emails that mimic phishing messages to see if your employees or users take the bait.
  • Share information with other companies in your field or area, to see if attackers are using similar tactics to target similar companies.
  • Mandate two-factor authentication and frequent password rotations to minimize the damage of a user’s password being compromised.

All of these best practices are important to good digital hygiene—especially in an era when targeted attacks are on the rise and users are vulnerable to fearmongering. By taking these precautions, you certainly decrease the odds of an attacker installing malware on your system. That said, according to CrowdStrike, most data breaches aren’t the result of malware. More often than not, it’s less a question of opening the right attachments and more a question of getting everyone in your operation to trust only the right people with their information. Even with best practices employed this is easier said than done—particularly now that we’re spending so much time and conducting so much business online.

Automated Email Encryption

So now, the question becomes: what else can you do to protect yourself and your company in an era where online infrastructure is hugely important and hugely under threat? As a baseline, we recommend developing strong email encryption protocols for your business.

Why? Simply put, when encryption is deployed correctly it solves three critical problems:

  • Confidentiality—whether or not someone else can read or see your communications.
  • Integrity—whether your communications have been changed or tampered with.
  • Authenticity—whether the person you’re communicating with is really who they claim to be.

While it may be obvious, or at least make intuitive sense, that encryption can address the first problem (confidentiality), not everyone realizes how impactful it can be for the other two. Sure, a malicious email sender could impersonate your CEO by spoofing her email address, but if they don’t have her private encryption key, there would be no way to impersonate her over an encrypted channel (thus, authenticity). The same issue would arise for the attackers if they were trying to intercept corporate communications and alter them before they reached their intended recipients (integrity).

At the end of the day, this is the only way to take the guesswork out of who you should trust online. Instead of wondering whether your CFO has really emailed the company asking you to log in to your healthcare portal for COVID-19 information, proper encryption protocols can let you know for sure whether you’re talking to who you think you are. And this doesn’t just apply to email communications: banks and other companies making secure transactions need to be sure now more than ever that no one is maliciously interfering with secure payments or transfers.
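The authenticity and integrity argument above can be made concrete with a digital signature: whoever holds the private key can sign, anyone with the public key can verify, and a signature stops verifying the moment the message changes. The example below is added here and is not p≡p's code; it uses textbook RSA with two tiny primes purely to show the roles of the keys. The primes, the message and the "CEO" and "attacker" key pairs are constructed and far too small for real use; real mail encryption relies on OpenPGP or S/MIME with proper key sizes and padding.

```python
import hashlib


def keygen(p, q, e=65537):
    """Toy textbook RSA key pair from two given primes.
    Assumption: primes this small are for illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)  # (public key, private key)


def digest(message, n):
    """SHA-256 of the message reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Only the holder of d can compute this value."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with (n, e) can check the signature against the message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


# Constructed key pairs: the CEO's real keys and an attacker's own keys.
CEO_PUB, CEO_PRIV = keygen(1000003, 1000033)
ATTACKER_PUB, ATTACKER_PRIV = keygen(1000037, 1000039)

# Constructed message, modelled on the CFO-style lure from the text.
MESSAGE = b"From: ceo@example.com\nPlease log in to the HR portal for COVID-19 information."


def scenario():
    """Return (genuine_ok, forgery_ok, tampered_ok) for the three cases."""
    sig = sign(CEO_PRIV, MESSAGE)
    # 1. Genuine message signed with the CEO's private key: verifies.
    genuine_ok = verify(CEO_PUB, MESSAGE, sig)
    # 2. Spoofed sender address but signed with the attacker's key: the
    #    recipient checks against the CEO's public key, so it fails.
    forgery_ok = verify(CEO_PUB, MESSAGE, sign(ATTACKER_PRIV, MESSAGE))
    # 3. Genuine signature, but the link in the body was swapped in transit:
    #    the digest no longer matches, so it fails (integrity).
    altered = MESSAGE.replace(b"HR portal", b"portal at http://attacker.test")
    tampered_ok = verify(CEO_PUB, altered, sig)
    return genuine_ok, forgery_ok, tampered_ok


if __name__ == "__main__":
    print("genuine, forged, tampered:", scenario())  # (True, False, False)
```

The point of the scenario is that the recipient never has to judge the wording of the email: a forged or altered message simply fails to verify, which is exactly the property that lets an encryption layer flag a message rather than leaving the decision to the user.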

How p≡p Seamlessly Automates Email Encryption

Here you might object: “We already tried that, and our users couldn’t or wouldn’t use PGP to manage encryption—it was too difficult for them to keep creating, managing, and changing keys manually.” It’s a common enough refrain, which is precisely why automation is more important in this space than it ever has been. If you’re able to automatically manage encryption for your enterprise email users (to say nothing of other use cases) in a way that’s easy to install and virtually invisible to users, you can decrease your vulnerability to phishing overnight. Instead of guessing which emails are trustworthy and which aren’t, you can exchange “trust words” at any point in an interaction to establish a contact as either “secure and trusted” or not—all based on those automatically managed encryption keys. All you have to do is look out for the red light that warns you away from unverified email senders.

At p≡p, our mission is to offer just that to our clients. Our solution provides fully decentralized, fully automated encryption end-to-end—it automatically generates public and private keys for all of your email users, and uses those keys to verify communications channels between senders and recipients. We use a trust on first use (ToFU) approach to ensure that communications are secure and verified from the very first interaction, which prevents both phishing attempts and man-in-the-middle attacks by automatically letting users know whether they’re speaking to a trusted source or not. Fraudulent messages—even the most convincing ones—are flagged as ‘mistrusted’ by our system, while legitimate messages come through unimpeded.

The best part? Your end users don’t have to do a thing. We offer seamless integration with existing systems, combined with automated key management. The result is that your users don’t have to think about encryption at all—they just follow the color-coded indicators to see who’s a trustworthy source and who’s not. Even as keys are periodically changed out, p≡p’s software manages everything from behind the scenes.
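To show what the trust-on-first-use flow and the trust-words check described above look like in practice, here is an added illustration written for this article; it is not p≡p's implementation, wordlist or rating scheme. It pins the first key seen for each sender, rates later messages against that pin, and only turns a contact green once the trust words computed from both parties' key fingerprints have been confirmed out of band. The colour names beyond the "red light" mentioned in the text, the sixteen-word list, the way the words are derived, and the sample fingerprints are all constructed assumptions.

```python
import hashlib
from enum import Enum


class Rating(Enum):
    """Constructed colour scheme; only the red warning is taken from the text."""
    UNENCRYPTED = "grey"    # no key known for this message
    UNVERIFIED = "yellow"   # key pinned on first use, not yet confirmed
    TRUSTED = "green"       # trust words confirmed with the peer
    MISTRUSTED = "red"      # key differs from the pinned one


# Constructed 16-word list for the illustration (one word per nibble).
WORDS = ["apple", "bridge", "cactus", "dragon", "eagle", "forest", "glacier",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orchid", "pepper"]


def trust_words(fp_a, fp_b, count=5):
    """Derive words from both fingerprints so that both sides compute the
    same list regardless of who runs it. Simplified scheme, not p≡p's."""
    combined = hashlib.sha256((min(fp_a, fp_b) + max(fp_a, fp_b)).encode()).digest()
    return [WORDS[byte & 0xF] for byte in combined[:count]]


class TofuStore:
    """Trust-on-first-use key pinning with explicit out-of-band confirmation."""

    def __init__(self, own_fingerprint):
        self.own = own_fingerprint
        self.pinned = {}        # sender address -> first fingerprint seen
        self.confirmed = set()  # senders whose trust words were verified

    def rate(self, sender, fingerprint=None):
        """Rate an incoming message from `sender` signed by `fingerprint`."""
        if fingerprint is None:
            return Rating.UNENCRYPTED
        if sender not in self.pinned:
            self.pinned[sender] = fingerprint   # first use: pin, do not trust yet
            return Rating.UNVERIFIED
        if self.pinned[sender] != fingerprint:
            return Rating.MISTRUSTED            # never overwrite the pin silently
        return Rating.TRUSTED if sender in self.confirmed else Rating.UNVERIFIED

    def words_for(self, sender):
        """Words the user reads out to the peer over a phone call or in person."""
        return trust_words(self.own, self.pinned[sender])

    def confirm(self, sender, words_heard):
        """Mark the contact trusted only if the peer's words match ours."""
        if sender in self.pinned and words_heard == self.words_for(sender):
            self.confirmed.add(sender)
            return True
        return False


# Constructed fingerprints (not real keys).
OWN_FP = "1111aaaa2222bbbb3333cccc4444dddd5555eeee"
ALICE_FP = "9999ffff8888eeee7777dddd6666cccc5555bbbb"
IMPOSTOR_FP = "0000000000000000000000000000000000000000"


def walkthrough():
    """Return the sequence of ratings for one contact over time."""
    store = TofuStore(OWN_FP)
    ratings = []
    ratings.append(store.rate("alice@example.com"))                # unsigned mail
    ratings.append(store.rate("alice@example.com", ALICE_FP))      # first signed mail
    store.confirm("alice@example.com", trust_words(OWN_FP, ALICE_FP))  # phone check
    ratings.append(store.rate("alice@example.com", ALICE_FP))      # now trusted
    ratings.append(store.rate("alice@example.com", IMPOSTOR_FP))   # spoofed sender
    ratings.append(store.rate("alice@example.com", ALICE_FP))      # real Alice still fine
    return ratings


if __name__ == "__main__":
    for r in walkthrough():
        print(r.name, r.value)
```

Two design points matter for phishing: a key that differs from the pinned one is reported red rather than quietly replacing the pin, and confirmation goes through a channel the attacker does not control, so a spoofed address alone never earns the green indicator.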

This isn’t a replacement for maintaining other best practices, practicing good cyber hygiene, and keeping your systems up to date—but it can greatly reduce the likelihood of a compromised account or transaction. Even in a world where COVID-19 didn’t exist, leaving phishing protection to chance would still be too big of a gamble.

Would you like to know how p≡p can help your company?
