How to protect your organization from coronavirus-related phishing attacks

Emails exploiting COVID-19 have risen, declined, and risen again along with the changes in the pandemic and the shift to remote working, according to the security company GreatHorn.

[Figure: monthly volume of COVID-19-related phishing emails, January to June 2020. Image: GreatHorn]

Cybercriminals have been all too happy to take advantage of COVID-19 to deploy virus-related malware and cyberattacks. Phishing emails have been one popular method as they're designed to trap people concerned or anxious about the pandemic. But the focus of these phishing campaigns has shifted as the disease and its side effects have changed over the past few months. A report released on Tuesday by security company GreatHorn illustrates the ebb and flow of these attacks and offers advice on how organizations can fight them.


For its report, GreatHorn tracked the volume of COVID-19-related email phishing attacks from January, when the virus began to surface, until June, when many countries and companies slowly started to resume operations. Beginning with a minimal level in January, the number of attacks jumped by 700% in February before shooting up by 644% in March. But then April saw a 22% decline in these campaigns, followed by further drops in May and June.

The rise and fall in the number of these attacks mimics the flow of the virus, the resulting lockdown, and the transition to remote working. As employees adjusted to working from home, attacks aimed directly at organizations and offices became less successful, prompting phishers to modify their tactics.

Now that many businesses are starting to bring workers back into the office, GreatHorn is finding a new wave of virus-related campaigns designed to exploit this shift.

In one particular attack also observed by Check Point Research, phishing emails try to entice returning workers with a subject line of "Mandatory Covid-19 Assessment for Employees." Using a Microsoft Office 365 logo, the emails claim to contain a voicemail alert with a button prompting recipients to click it to listen to the message. That button actually leads people to a malicious website that attempts to capture their Microsoft credentials.

[Figure: sample of the "Mandatory Covid-19 Assessment for Employees" phishing email. Image: GreatHorn]

To combat this type of attack, security professionals typically take the initial step of developing policies against specific phishing campaigns. But they often fail to refine those policies based on the variables in each new and related attack, according to GreatHorn. To remove all related phishing emails, security pros should search for every email containing the malicious URL, not only the single message that was originally reported.


Finally, GreatHorn offers the following tips to help organizations protect themselves from these types of phishing campaigns:

  1. Mass remediate and create email security policies in real time. Once you detect phishing attacks, identify and remove the emails across your organization. Develop a policy to mitigate subsequent attacks as well.
  2. Investigate and detect similar phishing attacks in real time. Search your organization's emails beyond the initially detected phishing attacks based on the malicious variables (e.g. domains, sender, etc.) to mass remediate and further refine email security policies.
  3. Understand the context specific to the user and organization. Is the name in the email someone with whom the user has communicated in the past? If so, do the email address and email domain match those prior communications? If not, the message should be treated with suspicion. If the metadata in a message doesn't match normal correspondence, it may not be legitimate.
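The three tips above, and the voicemail lure described earlier, can be turned into a small triage routine. The following is an added example written for this article, not GreatHorn's code or a description of its product. It assumes messages have already been parsed into dictionaries with sender name, sender address, subject and HTML body, and all mailbox entries, domain names and the contact history are constructed for illustration. Starting from one confirmed phish, it extracts the campaign's indicators (sender, sender domain, link domains), searches the mailbox for related messages, expands the indicator set from each hit until no new messages appear, and checks whether a display name matches the addresses seen in prior correspondence.

```python
import re
from urllib.parse import urlparse

# Constructed sample mailbox (not real messages); fields mirror what an email
# security tool would expose after parsing. Domains are reserved example names.
SAMPLE_MAILBOX = [
    {"id": "m1", "from_name": "Microsoft 365",
     "from_addr": "voicemail@office365-alerts.example.net",
     "subject": "Mandatory Covid-19 Assessment for Employees",
     "body": '<p>You have a new voicemail.</p>'
             '<a href="https://login-verify.example.org/voicemail">Listen now</a>'},
    {"id": "m2", "from_name": "HR Team",
     "from_addr": "hr@notify-mail.example.net",
     "subject": "Return to office checklist",
     "body": '<a href="https://login-verify.example.org/checklist">Open checklist</a>'},
    {"id": "m3", "from_name": "Jane Doe",
     "from_addr": "jane.doe@partner.example.com",
     "subject": "Q2 report",
     "body": '<a href="https://partner.example.com/report">Report</a>'},
    {"id": "m4", "from_name": "Jane Doe",
     "from_addr": "jane.doe@partner-example.net",
     "subject": "Urgent: updated bank details",
     "body": "<p>Please see attached.</p>"},
]

# Constructed contact history: display name -> addresses seen in past correspondence.
SAMPLE_HISTORY = {"Jane Doe": {"jane.doe@partner.example.com"}}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def sender_domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def link_domains(body):
    """Hostnames of every href in an HTML body (mailto: and relative links drop out)."""
    hosts = (urlparse(u).hostname for u in HREF_RE.findall(body))
    return {h.lower() for h in hosts if h}


def extract_indicators(msg):
    """Tip 1: turn one confirmed phish into the variables that define its campaign."""
    return {"sender_addrs": {msg["from_addr"].lower()},
            "sender_domains": {sender_domain(msg["from_addr"])},
            "url_domains": link_domains(msg["body"])}


def find_related(mailbox, indicators):
    """Tip 2: find every message sharing any indicator, with the reason for each hit."""
    hits = []
    for msg in mailbox:
        reasons = []
        if msg["from_addr"].lower() in indicators["sender_addrs"]:
            reasons.append("sender")
        if sender_domain(msg["from_addr"]) in indicators["sender_domains"]:
            reasons.append("sender-domain")
        if link_domains(msg["body"]) & indicators["url_domains"]:
            reasons.append("url-domain")
        if reasons:
            hits.append((msg["id"], reasons))
    return hits


def expand_campaign(mailbox, seed_msg):
    """Iterate tips 1 and 2: each related message contributes its own indicators,
    so a second sender using the same phishing URL is folded into the policy.
    Review the merged set before blocking on it; a shared mail service's domain
    appearing in one hit should not be turned into an organization-wide block."""
    indicators = extract_indicators(seed_msg)
    by_id = {m["id"]: m for m in mailbox}
    found = set()
    while True:
        new_ids = {mid for mid, _ in find_related(mailbox, indicators)} - found
        if not new_ids:
            return found, indicators
        found |= new_ids
        for mid in new_ids:
            extra = extract_indicators(by_id[mid])
            for key in indicators:
                indicators[key] |= extra[key]


def check_sender_context(msg, history):
    """Tip 3: a known display name arriving from an address never seen before
    is the metadata mismatch the article describes."""
    known = history.get(msg["from_name"])
    if not known:
        return "unknown-sender"
    return "match" if msg["from_addr"].lower() in known else "name-address-mismatch"


if __name__ == "__main__":
    ids, policy = expand_campaign(SAMPLE_MAILBOX, SAMPLE_MAILBOX[0])
    print("messages to remediate:", sorted(ids))
    print("refined policy indicators:", policy)
    for m in SAMPLE_MAILBOX:
        print(m["id"], check_sender_context(m, SAMPLE_HISTORY))
```

Run against the constructed mailbox, the seed message m1 pulls in m2 through the shared link domain even though it comes from a different sender, m3 passes the context check, and m4 is flagged because "Jane Doe" arrives from an address that never appeared in earlier correspondence.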
