By Eyal Benishti on April 20, 2021

Phishing: before, during and after Covid-19

Fifteen months ago, we all had a lot to learn. At that time, most of us had only scant details of a new virus, which had probably originated in China, and was apparently both more contagious and deadlier than the seasonal flu. But such things weren’t unheard of and were typically short-lived, before being contained and then fading out of the public eye.

We soon learned, of course, that coronavirus disease 2019, or COVID-19, wasn’t a typical infection. By mid-March of 2020, the virus had made its way around the globe, with death rates climbing and many countries enforcing strict lockdown policies. Offices and schools shuttered. Everyone adjusted to remote working — some more successfully than others.

Still, except perhaps for the infectious disease experts, most of us thought this would be temporary. We’d hobble virtually along for a couple of weeks, a month at most, and then things would get back to normal.

Again, we learned — this time, that we miscalculated. Because a few weeks stretched into a few months. And with each fresh wave of the virus, newly opened offices, shops, and restaurants were forced to close, then opening again (at partial capacity), and closing again, with no end in sight. Only then was it apparent we were woefully unprepared for this period of uncertainty.

The rise of the remote worker, the cloud, and elevated risk

All these months later, we’ve learned a great deal. Some lessons were painful, others practical.

On the practical end of things was technology. For months, IT teams were on a roller coaster of sorts, pitching this way and that, as businesses tried first to make do with existing tech, then head back to the office, then back to remote operations… until it was clear that longer-term solutions were needed.

To enable virtual teams to continue working efficiently for the foreseeable future, they would need something nearly identical to an in-office experience: the same tools, software, presence apps, and communication capabilities. That solution was the cloud, with its seemingly infinite number of applications and services, helping keep remote workers connected, productive and safely separated from officemates.

But both the cloud and remote work styles, though flexible and enabling, introduced new security threats, complicating an already challenging scenario. This new environment demanded stricter attention on identity and access management, perimeter security, insider threats, and plain old employee carelessness. (Because even during a global pandemic, people will click that malicious link. #phishersgonnaphish)

Preying on those vying to be vaccinated

The last few months have seen an uptick in emails, texts, and ads offering COVID-19 vaccines. Of course, most of these are entirely bogus phishing campaigns designed to trick people into sharing personal info, financial data, or both. These COVID-related scams had become so bad by the end of 2020 that the FBI issued a statement urging vigilance and caution.

According to CNET, the number of website domains mentioning vaccines grew significantly starting near the end of 2020. Scammers will typically do this while initiating a phishing campaign, giving their communications a legitimate-looking place to drive traffic/lure victims. Once the target arrives, malware is installed on the user’s device.

Finally, the US Centers for Disease Control (CDC) warned of a campaign spoofing its emails, which targeted Americans and other English-speaking victims with attachments regarding infection-prevention measures. In each of these cases, common sense, practical guidance was provided, e.g.:

  • Don’t open unsolicited email from people you don’t know
  • Be wary of third-party sources spreading information about Covid-19
  • Do not click links in emails and be wary of attachments
  • Do not supply any personal information, especially passwords, to anyone via emai

When uncertainty equals vulnerability

Even now, as we emerge from our semi-locked down state into a world that looks and operates more like the one we used to know, the security threats are persistent and pernicious.

Today, workers are cautiously returning to buildings they haven’t visited in months. Some enterprises are adopting hybrid remote/in-office policies. Business travel is taking off again, though it will no doubt be a turbulent start. Through it all, millions more people are vaccinated daily, but highly infectious variants impede progress toward normalcy.

Uncertainty remains — where and how will we be working in three months? Six months? A year? Will we be required to travel for business? What about offsite meetings, networking and association events, even a simple catch up over coffee?

The need for reliable access to business tools will remain if even a partial remote working environment (read: unending stops and starts) does. And as always, cybercriminals will be waiting to take advantage of the situation, assessing the next best time to attack an unsuspecting target, especially those unused to new cloud-based systems and apps, and therefore more vulnerable.

And through it all, your email, whether on-the-go via your mobile phone, docked at the office, or accessed via the cloud on your laptop (which hasn’t moved from your dining room table since last July), will remain a highly vulnerable target. And the criminals know it.

That’s why the US Office of the Inspector General keeps a running list of fraudulent COVID-related schemes and scams. Their guidance includes the following tips for defending against potential email threats

  • Do not respond to, or open hyperlinks in, text messages about COVID-19 from unknown individuals.
  • Be cautious of COVID-19 survey scams. Do not give your personal, medical, or financial information to anyone claiming to offer money or gifts in exchange for your participation in a COVID-19 vaccine survey.
  • Do not give your personal or financial information to anyone claiming to offer HHS grants related to COVID-19.
  • Be aware of scammers pretending to be COVID-19 contact tracers. Legitimate contact tracers will never ask for your Medicare number, financial information, or attempt to set up a COVID-19 test for you and collect payment information for the test.

Fight the phishers… from anywhere

Whatever happens in the coming months, wherever you're working and regardless of which devices you're using, your email security must be able to protect you.

Discover how IRONSCALES can help protect your organization against sophisticated phishing attacks. Our powerful email security platform helps you defend against threats at your most vulnerable point – your inbox. Contact us to learn more and request a free trial.

Published by Eyal Benishti April 20, 2021

Join thousands of your peers! Subscribe to our blog.

Ironscales needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy Policy.