Fishing hook on key on computer keyboard showing increase in phishing during pandemic

Phishing In a Post-Pandemic World

From cancelling important events to converting our dining room tables into offices, the COVID-19 pandemic disrupted nearly every aspect of our lives. Unsurprisingly, cybercriminals took advantage of our collectively distracted attention spans and less-than-stellar security practices. The result? An uptick in cyberattacks, with phishing the most common form in 2020.

In the early days of the pandemic, organizational leaders and IT professionals worked quickly to ensure employees had the technology to work remotely. As a result, many relied more heavily on cloud-based emails and file-sharing platforms, like the one you’re probably using right now.

Organizations began transitioning to cloud-based systems about 10 years ago, but the pandemic accelerated the transformation. Though they’ve proven to be a quick, convenient way for teams to connect and share documents, these systems offer minimal cybersecurity protection, and certainly not enough to defend against today’s caliber of threats.

Cybercriminals know this, and wasted no time preying on individuals and organizations in these newly vulnerable positions.

Threats are evolving in quality and quantity

To protect your organization’s information, you may have installed a legacy secure email gateway (SEG). Though once the gold standard for server protection, SEGs aren’t built to handle the volume and types of incoming threats like business email compromise (BEC), internal and vendor impersonations, supply chain attacks, account takeover (ATO) and other financial frauds hyper-targeted against organizations.

That’s not hyperbole. The number of cyberattacks more than doubled between 2019 and 2020, and the average cost of a data breach reached $21,659 per incident. Victims lost nearly $2 billion to BEC attacks in 2020 alone.

During the height of the pandemic, cybercriminals realized that working in a home-based environment can invite distractions, which means employees may not be paying close attention to suspicious communications. They may be more tempted to use work tools for personal reasons, and adopt a generally casual, laissez-faire behavior, putting their employers at greater risk. This is especially risky when those same employees are deciphering whether COVID-related emails are legitimate or not.

Cybercriminals prey on our vulnerability

The last few months have seen an increase in illegitimate COVID-related emails, texts, and ads. Before that, according to CNET, the number of website domains mentioning vaccines grew significantly at the end of 2020. It’s a classic tactic: cybercriminals give their communications a legitimate-looking place to drive traffic/lure victims. But once the target arrives, instead of useful information, the user unknowingly gains some malware instead.

The U.S. Centers for Disease Control (CDC) even warned of a campaign spoofing its emails, which targeted Americans and other English-speaking victims with attachments regarding infection-prevention measures. The U.S. Office of the Inspector General warned the public of these forms of fraud, and recommended:

  • Do not respond to, or open hyperlinks in, text messages about COVID-19 from unknown individuals.
  • Be cautious of COVID-19 survey scams. Do not give your personal, medical, or financial information to anyone claiming to offer money or gifts in exchange for your participation in a COVID-19 vaccine survey.
  • Do not give your personal or financial information to anyone claiming to offer HHS grants related to COVID-19.
  • Be aware of scammers pretending to be COVID-19 contact tracers. Legitimate contact tracers will never ask for your Medicare number, financial information, or attempt to set up a COVID-19 test for you and collect payment information for the test.

These tips are true for emails and texts that aren’t COVID related, too.

Proactivity is essential

The highly contagious delta variant of COVID-19 will likely give cybercriminals another avenue to target their victims. We saw pandemic uncertainty lead to more careless decisions regarding emails from suspicious senders, and we know the unfortunate consequences of this. Get ahead of new threats and ensure your employees are taking proactive measures to protect your organization’s valuable information by having them:

  • Back up all important files, and store them independently from your system
  • Verify they are on a company’s legitimate website before entering login details or sensitive information — every time
  • Diligently review the validity of an email and its sender before opening and links or responding — every time
  • Develop a healthy skepticism for any email or text message that comes from a source outside of your organization

Enforce a culture of security

As an organization, you must take additional security measures to protect your data and your employees. Though legacy SEGs aren’t strong enough on their own, there are other forms of back-up to defend against cyberattacks, including:

  • Keeping the latest anti-virus software installed on computers and mobile devices
  • Strengthening home networks
  • Securing system admin vulnerabilities that attackers could abuse
  • Disabling third-party or outdated components that could be used as entry points
  • Downloading mobile applications or any other software from only trusted platforms
  • Performing regular health scans on your computers and mobile devices
Unsurprisingly, there's an uptick of #phishing attacks as #cybercriminals took advantage of our collectively distracted attention spans and less-than-stellar #cybersecurity practices during the pandemic. #respectdataClick to Tweet

As a leader in your organization, it’s your responsibility to model safe cybersecurity behaviors, and continuously support and encourage your colleagues to do the same. Build it into your organizational culture. Whether we enter another round of lockdowns or have the pandemic completely behind us soon, the cybersecurity of your organization and employees remains vulnerable and should be among your top concerns.