The coronavirus pandemic has opened up many new avenues for cybercriminals, according to a recent report from Barracuda, which itself provides cloud-enabled security solutions.
The report explores how attackers are adapting to current events and using new tricks to successfully execute attacks. Among these tactics are things like spear phishing, business email compromise (BEC), pandemic-related scams and other vectors.
According to the survey, business email compromise (BEC) makes up 12 percent of spear-phishing attacks. That’s up from just seven percent in 2019.
The study also revealed that attackers prefer to use COVID-19 in their less targeted scamming attacks. Those types of attacks focus on fake cures and donations, according to the study. Indeed, 72 percent of COVID-19-related attacks are scamming, compared to just 36 percent of overall attacks.
Don MacLennan, SVP, engineering & product management, email protection, Barracuda, commented on the study:
“Cybercriminals adapt very quickly when they find a new tactic or current event that they can exploit, as their response to the COVID-19 pandemic proved only too well. Staying aware of the way spear-phishing tactics are evolving will help organizations take the proper precautions to defend against these highly targeted attacks and avoid falling victim to scammers’ latest tricks.”
Actionable Steps
Organizations should be advised to invest in protecting their internal email traffic as much as they do in protecting from external senders. Fully 13 percent of spear-phishing attacks came from internally compromised accounts, the study’s authors revealed.
It has been documented this year that hackers are impersonating WHO officials in order to steal money and confidential information.
To help avoid phishing attacks, employees are generally advised to ensure all of their devices are protected by security software, auto-updates are enabled and multi-factor authentication is enabled and used; all these preventative measures can be beneficial.
Employers, meanwhile, can help by offering regular employee training that includes elements of phishing simulation, in order to give users an idea of the types of lures that attackers are known to use.
