The coronavirus. George Floyd. Hurricanes. Fires. Mysterious seeds arriving from China. U.S. elections on the horizon. It would seem that in a world where so much that is real is sensationalized, there would not be a need for hackers to serve up disinformation to further their own nefarious agendas, whatever those agendas might be.
But it is precisely within a foundation of truth that lies and misinformation can bloom and flourish.
High emotion, controversy, and front page news serve as phish fodder
As race relations and the Black Lives Matter movement once again move front and center, and these important topics fuel real life and online dialogue and disagreements, getting people to click on email messages and links—even from uncertain or blatantly sketchy sources—is easier than ever.
In my company we’ve seen a significant rise in DNS domain names containing “blacklivesmatter” or “George Floyd”, and there’s a high likelihood some of these are owned by people with malicious intent. Social engineers (those who practice the art of manipulation, influence and deception) know that newsworthy events offer ample opportunity to pique people’s interest and drive them to click on malicious links or download malware.
Researchers at Barracuda observed a 667% spike in COVID-19-related phishing attacks since January. And now, with the ongoing attention the Black Lives Matter movement continues to receive, attackers have a new area of focus. Election season in the United States, always a highly contentious and polarizing time, ratchets up the tension even more. This all serves as chum in the water for cybercriminals and nation-states pursuing their own goals, and even for opportunistic people hoping to monetize curiosity and controversy via clickbait.
Preying on those on both sides of the issue
Cybercriminals are jumping on the bandwagon, spreading malware through phishing attacks and tricking people into giving away sensitive information like login details, banking information, medical information, and more. These miscreants are indiscriminate, preying equally on people in need who are seeking help and on our innate human impulse to help others in need. And, of course, they also work every side of every issue, prodding people to action through missives designed to fuel outrage.
Here’s the shocking truth: these players don’t really care whether you’re for or against any particular issue. They deliberately play both sides of controversial issues to maximize the opportunity not only to misinform but to agitate: to stir up discord, promote mistrust in legitimate news sources, and wreak havoc.
How these phishing attacks work
As Cyber Florida at the University of South Florida reports, phishing scams leverage emails that appear to come from legitimate government officials. “The phishing email urges receivers to anonymously vote for the BLM movement while a well-known banking Trojan malware called TrickBot hides in a Word document waiting to be executed.” A document of this kind cannot launch the Trojan by itself; it relies on the recipient opening it and then accepting an “enable editing” or “enable content” prompt, so the decision point is the person, not the mail server.
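The two observations above, topical domain names and subject lines on one hand and a macro-carrying Word attachment on the other, are the kind of signals a mail-triage script can combine. The following Python is an added example written for this page, not code from Cyber Florida, Barracuda or the author’s company: it parses a raw email, looks for lure terms (the keyword list is an illustrative assumption) in the sender domain, subject and body, and checks Office attachments for a VBA project. The sample message and the stand-in `.docm` it builds are constructed inline so the script runs offline; the placeholder `vbaProject.bin` contains no real macro code.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lure terms drawn from the events the article names. Assumed list for illustration,
# not a vendor feed; in production this would be refreshed from current events.
LURE_TERMS = ("blacklivesmatter", "black lives matter", "george floyd",
              "covid", "coronavirus", "election", "vote")

OFFICE_EXTS = (".doc", ".dot", ".docm", ".docx", ".xls", ".xlsm", ".xlsx",
               ".ppt", ".pptm", ".pptx")


def has_vba_project(data: bytes) -> bool:
    """Heuristic: does this Office attachment carry a VBA project?"""
    if data[:2] == b"PK":  # OOXML is a zip; macros live in word/ or xl/ vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data[:4] == b"\xd0\xcf\x11\xe0":  # legacy OLE container (.doc/.xls)
        # OLE storage names are UTF-16LE; a "VBA" storage is a strong macro indicator.
        return "VBA".encode("utf-16-le") in data
    return False


def lure_terms_in(text: str) -> list[str]:
    """Return the lure terms found after lower-casing and stripping punctuation,
    so 'vote-blacklivesmatter.example' and 'Black Lives Matter' both match."""
    norm = re.sub(r"[^a-z0-9 ]", "", text.lower())
    return [t for t in LURE_TERMS if t in norm]


def analyze_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and flag topical lure + macro-bearing Office file."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    terms = sorted(set(lure_terms_in(sender) + lure_terms_in(subject) + lure_terms_in(body)))

    macro_attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXTS) and has_vba_project(part.get_payload(decode=True) or b""):
            macro_attachments.append(name)

    return {
        "lure_terms": terms,
        "macro_attachments": macro_attachments,
        # Either signal alone is common in legitimate mail; together they warrant a hold.
        "suspicious": bool(terms) and bool(macro_attachments),
    }


def build_office_zip(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word file: the minimal zip members, optionally with
    a placeholder vbaProject.bin (inert bytes, not a real macro)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_email(with_macro: bool) -> bytes:
    """Constructed lure modelled on the one the article quotes (anonymous BLM vote,
    Word attachment). Addresses use the reserved .example TLD."""
    msg = EmailMessage()
    msg["From"] = "County Clerk <noreply@vote-blacklivesmatter.example>"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Vote anonymously for Black Lives Matter"
    msg.set_content("Your vote is anonymous. Open the attached form, enable editing and submit.")
    if with_macro:
        msg.add_attachment(build_office_zip(True), maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename="blm_vote.docm")
    else:
        msg.add_attachment(build_office_zip(False), maintype="application",
                           subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                           filename="blm_vote.docx")
    return bytes(msg)


if __name__ == "__main__":
    print(analyze_message(build_sample_email(with_macro=True)))
    print(analyze_message(build_sample_email(with_macro=False)))
```

The verdict deliberately requires both signals: a topical subject line on its own is what a legitimate newsletter looks like, and a macro-enabled spreadsheet from finance is routine in many organizations. The keyword matching is substring-based (so “election” also matches “selection”), which is acceptable for a triage score but not for an automatic block.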
These types of scams are very hard for employees to ignore, putting organizations at significant risk. How much risk? In the title of a recent article, CPO Magazine asks the rhetorical question “How much can a phishing scam cost a small organization?” and provides the answer: “For a Texas school district, the bill was $2.3 million.”
You might think that the looming threat of such a large monetary loss would cause many companies to consider a significant investment in technology tools to help deflect these scams. Unfortunately, technology alone cannot mitigate this issue.
How companies can combat phishing scams
It is chilling to note that the most sophisticated technology in the world is not enough on its own to stop phishing. Phishing scams aren’t designed to break through firewalls or defeat email gateways and endpoint security; they are aimed at people, not technology. Having evolved in sophistication over the years, phishing attacks exploit psychology and human nature, and a convincing lure can succeed even when every technical control worked as designed: no filter stops a user from typing a password into a look-alike login page. Mail filtering, attachment sandboxing and restrictions on Office macros still blunt campaigns like the TrickBot one above, so those controls remain worth having; they simply cannot be the whole answer.
In the case of Black Lives Matter and other newsworthy events that spark dissension, discord, and debate, these attacks seek to leverage people’s curiosity and the hard-to-resist compulsion to click on a compelling headline. They are emotional appeals, and most of us respond to them exactly as the bad actors hope: we click.
The best offense, they say, is a good defense. That’s certainly true when attempting to ward off the damage that even one rogue click can create. Companies need to educate employees about the risks of acting without taking the time to think: “Stop and think before you click!” is our mantra and something we continually reinforce with our clients and their staff. Whenever we feel an emotion-driven impulse to click on something, it’s a good idea to take a deep breath, slow down, and approach the situation with caution. In practice that means checking the actual sender address and where a link really points, and reporting a suspect message through the company’s channel rather than opening its attachment or enabling content in a document.
At all times you are either building strength or allowing atrophy. So you can’t afford to treat security education as a one-time event. Employees need consistent reminders of the important role they play helping to keep the bad guys out. Media events around issues like BLM, COVID-19, and election-related controversies represent a great opportunity to reinforce the importance of not falling prey to social engineering attacks seeking to exploit heightened emotion. Teaching your employees and upper management how to think critically about the many messages that come across their screens every day can help them resist that urge to click. You’ll be glad they did.