In a blog post on April 17, Google says it has blocked 18 million daily malware and phishing emails related to COVID-19 over the past week. The search giant also says it has encountered over 240 million daily spam messages related to the novel coronavirus. On a typical day, Google blocks over 100 million phishing messages. According to Google, cybercriminals use both fear and financial incentives to create a sense of urgency that prompts users to respond.
Majority of malware and phishing emails involve impersonation
Google says that the majority of malware and phishing emails involve impersonating government organizations such as the World Health Organization. Some of the coronavirus-related malware and phishing emails solicit fraudulent donations for various causes. Malware lures, by contrast, attempt to deceive users into downloading files laced with malware onto their devices. Other phishing attempts claim to possess information about the government stimulus packages for individuals and small businesses. Phishing scams targeting remote workers purport to be from the recipient’s employer.
Most of the phishing emails appear so genuine that users are compelled to open them without a second thought. Additionally, many users are operating in a heightened state of panic, and most emails claiming to be from their employers raise the employees’ anxiety levels. Some recipients are also afraid of missing out on the proposed government stimulus package, hence the urgency of clicking spammy links. Similarly, the thought of incurring additional expenses from the supposed invoices attached by hackers causes most email users to click without a second thought. Other malware and phishing emails have directed users to urgently claim their tax returns or miss out.
Erich Kron, Security Awareness Advocate at KnowBe4, says that criminals are aware of the vulnerability of users during this crisis.
“The fact that 18 million Covid-19-related emails are blocked each day just by Google is a sign of just how prolific these attacks are,” Kron says. “In these times of high stress and change, cybercriminals know that humans are more vulnerable than ever to phishing and smishing attacks and are doing their best to capitalize on this.”
He says it is not surprising for criminals to exploit calamities for their benefit: “It is common for this type of thing to occur whenever there is a natural or a man-made event that draws significant news coverage, but the bad actors will use that to their advantage.”
He added that criminals are aware of the system vulnerabilities arising from employees working at home away from secure corporate networks.
“Because people are working from home and often miss out on the security benefits of corporate networks and organization managed devices, the bad guys know that many of the technical controls that can save people are now missing.”
Protecting from COVID-19 scams
The search giant notes that most of the malware and phishing emails are not new but are existing campaigns updated to exploit the panic and curiosity caused by the current pandemic. The company adds that its machine learning AI algorithm can block 99.9% of spam, phishing and malware from reaching its users. Google is also working on other techniques, such as implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC), to prevent fraudsters from impersonating the www.who.int domain. This method will also prevent WHO messages from accidentally being filtered out as spam due to the frequency of similar fraudulent messages.
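How a receiving mail server applies a DMARC policy to mail claiming to come from a domain such as who.int, as an added example that is not from Google's post or WHO's configuration. The policy record, the other domain names, and the `org_domain` shortcut (a stand-in for a Public Suffix List lookup) are constructed assumptions, and the evaluation is simplified (no `pct` or subdomain policy).

```python
# Added example: simplified DMARC evaluation (RFC 7489) for one message.
# All records and results below are constructed; they are not WHO's published DNS data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Assumption: naive "last two labels" stand-in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') matches organizational domains."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def evaluate(from_domain, record, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from earlier checks.
    Returns the disposition a receiver would apply: 'deliver' or the policy value."""
    policy = parse_dmarc(record)
    if policy is None:
        return "deliver"  # no usable policy: DMARC has nothing to say
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    return policy["p"].lower()  # none | quarantine | reject

RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"  # constructed policy record

def demo():
    ext = "bulk-sender.example"  # constructed unrelated sending domain
    return {
        # Genuine mail: DKIM signature made by the From domain itself.
        "genuine": evaluate("who.int", RECORD, ("pass", "mail.who.int"), ("pass", "who.int")),
        # Impersonation: From shows who.int, but SPF/DKIM only vouch for another domain.
        "spoof": evaluate("who.int", RECORD, ("pass", ext), ("pass", ext)),
        # Forwarded genuine mail: SPF breaks, the aligned DKIM signature survives.
        "forwarded": evaluate("who.int", RECORD, ("fail", "forwarder.example"), ("pass", "who.int")),
    }

if __name__ == "__main__":
    print(demo())
```

The impersonation case shows why passing SPF or DKIM alone is not enough: the authenticated domain must also align with the visible From domain, which is the check that lets genuine mail through while look-alike messages are rejected.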
Google advises people to avoid downloading files from untrusted users. Additionally, the search giant recommends using its built-in email preview tool to view documents before downloading.
Microsoft had made similar observations concerning malware and phishing emails. The Redmond-based company said attackers repurposed older messages to fit the current crisis. Rob Lefferts, corporate vice president of Microsoft 365 Security, said Microsoft had observed a change in lures rather than a surge in attacks. Consequently, Microsoft made its AccountGuard software available free of charge to healthcare professionals. Similarly, Google added features to its Advanced Protection Program (APP), allowing it to protect Android devices through Google Play Protect. Google also allowed users to enroll for Gmail protection using the same app. The California-based company also turned on G Suite’s advanced phishing and malware controls by default for all users.
However, some experts have been critical of Google’s response to malware and phishing email threats. Colin Bastable, CEO of security awareness training company Lucy Security, says Google allows scammers to associate Gmail accounts with phishing links while virtue-signaling to its users about security.
“Hackers use Gmail accounts with spoof names in BEC fraud and to associate Gmail accounts with phishing links in phishing campaigns,” Bastable said. “Google gets to virtue-signal while playing both sides of the fence.”
He added that Google and other companies mislead people into a false sense of security through the use of SSL certificates: “Google is also using the ‘https:’ certificate requirement as part of their browser war with Apple and Microsoft, kidding people into thinking encrypted browser sessions keep people secure when using Chrome. Over 80% of phishing sites use certificates. People must always ask themselves what is in it for Google.”
Bastable was also skeptical of email filtering as protection against phishing. “Relying on email filters, crypto, and firewalls to protect remote workers from opening the door to cybercrime is naïve,” Bastable said. “Hackers only have to get lucky once, and they are winning hands down. Patching people is the only way that we are going to win the war on cybercrime.”
Kron says organizations can help their employees remain alert through security education. This would allow employees to report security threats and have them removed.
“The best thing organizations can do right now is to ensure that their employees have up-to-date training on how to spot and report phishing emails to their organization,” Kron noted. “By reporting these, organizations can have them removed from other mailboxes, limiting the exposure to these attacks within the organization.”
Will LaSala, Director of Security Solutions and Security Evangelist at OneSpan, says it is encouraging that companies such as Google are implementing security measures. He says that although consumers face the greatest risk, organizations should apply multi-layered defenses against malware and phishing email threats.
“The onus shouldn’t be on the consumer alone, and it’s imperative that organizations implement a multi-layered approach to security in order to safeguard their customers against phishing attacks.
“This includes implementing multi-factor authentication methods that require people to prove their identity using two or more verification methods before gaining log-in access. So even if one factor is compromised in a phishing attack, hackers would still need at least one more barrier before breaking into the target.”