Phishing in a Pandemic: How to Combat Social Engineering Attacks
By Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet.
Over the past few months, threat intelligence teams around the world have been tracking a significant increase in phishing attacks. These attacks coincide with a temporary drop in more traditional attacks, indicating that attackers, like workers, are modifying their efforts in order to accommodate changes due to the pandemic.
More people are now working from home, and they are connecting back into the office from their home networks, and quite often, using their personal computers. Attackers are looking to target these users’ devices as a way into the corporate network or cloud. They attempt to lure unsuspecting victims into going to malicious sites, clicking on malicious links, or providing personal information via email or over the phone. They do this by impersonating legitimate organizations, such as the Centers for Disease Control and the World Health Organization, and offering fake informational updates, discounted masks and other supplies, and even promises of accelerated access to vaccines. Similar attacks target healthcare workers, political movements, or even the recently unemployed using the same sort of tactics.
Of course, such tactics are not new. We regularly see spikes in social engineering around major events and catastrophes. Criminals respond to hurricanes and other natural disasters by pretending to be relief organizations, and to major sporting events such as the World Cup by luring victims with promises of discounted tickets or free streaming services.
Social Engineering Works
The reason that social engineering – an attack strategy that uses psychology to target victims – is so prevalent is that it works. According to Verizon’s 2019 Data Breach Investigations Report (DBIR), nearly one-third of all data breaches involved phishing in one way or another. Cybercriminals are opportunistic, and they constantly prey on the only vulnerability that cannot be patched – humans.
Training Alone is Not Enough
Of course, cybersecurity awareness has grown – up to 95% of employees now receive phishing training so they can learn to spot suspicious emails. This is important progress, as most breaches start with a phishing email followed by an unsuspecting employee who opens a malicious file or clicks on a bad link. The problem is not awareness – it is rooted in human behaviour. Safe password practices – using long passwords with nonsensical characters and numbers, for example – take extra effort to implement. And when it comes right down to it, employees have shown that, for whatever reason, the extra effort is not worth their time and energy.
Security 101: It’s All About People, Products, and Process
The first step is to help employees feel like they are part of the security team. Helping them understand the repercussions of a security event, and how it can personally affect them, is a good place to start. Seeing connections such as these – between safe cybersecurity practices and the positive impact they feel they are making when everyone is engaged and responsible – should lead to direct improvements in how people behave when they are confronted with suspicious activity or questionable emails or websites.
Thoughts on Fulfilling Security Responsibilities
Regardless of the details, the most important key to improving an organization’s risk profile is still getting employees involved, one way or another, in accepting and fulfilling their security responsibilities. With training, the right tools, and effective processes, including support from top-tier company leaders, security teams can help everyone take cybersecurity seriously — and take a serious bite out of cybercrime.