New research from both KnowBe4 and Barracuda Networks has revealed the extent to which phishing campaigns during the Covid-19 pandemic could impact organisations. KnowBe4 benchmarking has found that 37.9 percent of users without social engineering awareness training will fail a phishing test, up 8.3 percent from last year, suggesting that non-specific cyber-awareness is declining.
This comes at the same time that Barracuda Networks researchers, who have been monitoring global phishing activity surrounding the coronavirus outbreak, have seen a 667 percent rise in such incidents to date compared with February: a total of 9,116 phishing attacks related to the pandemic.
Dean Russell, the MP for Watford and a member of the Health and Social Care Select Committee, said that this is "a new low for cyber-criminals, who are acting like piranha fish, cowardly attacking people in mass when they are at their most vulnerable. It’s vital that the public remain vigilant against scam emails during this challenging time".
The KnowBe4 benchmarking report also found that this figure drops, on average, to 14.1 percent after 90 days of simulated phishing testing and computer-based awareness training. KnowBe4 security awareness advocate Javvad Malik told SC Media UK that, as cybercrime continues to surge, "security leaders must understand that there is no such thing as a perfect, fool-proof, impenetrable secure environment".
Too many organisations are still falling into the trap of trying to "use technology as the only means of defending their networks and forgetting that the power of human awareness and intervention is paramount in arriving at a highly secured state," Malik added.
The question is whether it is too late to effectively train staff who are now working from home, given the increased targeting of this distracted group and the stresses already placed on IT support departments.
"This pandemic is global and on the front of everyone’s minds," said Chad Anderson, Dev Ops Manager at DomainTools. "The scammers think in terms of what they can leverage, and this is a powerful fear for them to utilise."
However, Anderson sees a positive in that organisations are not alone as they strive to raise awareness about the possible threats to their employees.
"There are sharing groups, various research partners and other industry partners. It’s all about sharing information and being as transparent as possible," he told SC Media UK.
Dan Pitman, principal security architect at Alert Logic, agrees that the need for awareness is more important than ever, and presents a human challenge like much of security.
"With the distractions and increased confusion for people working from home, and increased stress across the board, constant reinforcement is key," Pitman told SC Media UK. He advises "more integration of security into regular communications and working to make them stand out".
"Plenty of companies are issuing email updates to their employees on a daily basis with their policies and protocols around Covid-19. Make sure your employees can tell which emails are officially sent from company management," warned Amit Serper, VP of security strategy and principal researcher at Cybereason.
This is such an important factor, as threat actors will exploit any lack of certainty to their favour with phishing campaigns.
"The most effective way remains to regularly test users through phishing emails and provide relevant and timely awareness," Malik said. "If delivered through a SaaS platform, this can scale-up effectively to all employees regardless of where they are based."
Adam Palmer, chief cyber-security strategist at Tenable, pointed out that laying responsibility on users to identify and stop email threats is like blaming the chicken for being eaten by the fox.
"The farmer has to accept his role in making the coop fox-proof and it’s the same principle for cyber-security," Palmer told SC Media UK. In most of the organisations where Palmer worked as a security leader, he recounted, users were educated to avoid taking unnecessary risks. "However, it is still the organisation’s responsibility to ensure systems are secure."
The fact remains that threat actors rely on security teams being distracted, alongside home workers, so both need to be vigilant right now. Sachin Nayyar, CEO of Securonix, argues that there are actions security teams can take to mitigate some of the risks that phishing poses.
"We've detected multiple campaigns and identified emails impersonating official organisations, containing updates and recommendations connected to the disease, and in certain cases, including malicious attachments," Nayyar said.
"In cases where blocking is prohibitive, enabling use cases that track increased activity to these newly registered domains or rare domains, and any signs of beaconing or C2-like behaviour, can be an effective way of identifying early indicators of suspicious activity and taking steps to protect employees," he added.
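The detection use cases Nayyar describes (activity to newly registered or rare domains, plus beaconing-like regularity) as an added Python example; this is not code from the article or from Securonix, and the proxy log lines, registration dates, host names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic): "<ISO timestamp> <host> <domain>"
SAMPLE_LOG = """
2020-03-25T09:00:00 ws-01 corp-intranet.example
2020-03-25T09:00:00 ws-01 covid19-update-info.example
2020-03-25T09:01:00 ws-01 covid19-update-info.example
2020-03-25T09:02:01 ws-01 covid19-update-info.example
2020-03-25T09:03:00 ws-01 covid19-update-info.example
2020-03-25T09:04:00 ws-01 covid19-update-info.example
2020-03-25T09:07:12 ws-02 corp-intranet.example
2020-03-25T10:15:00 ws-02 who-advice-portal.example
"""
REGISTRATION_DATES = {  # constructed; stands in for a WHOIS / domain-age lookup
    "corp-intranet.example": date(2012, 6, 1),
    "covid19-update-info.example": date(2020, 3, 20),
    "who-advice-portal.example": date(2020, 3, 18),
}
TODAY = date(2020, 3, 25)  # analysis date for the constructed sample

def parse_log(text):
    events = defaultdict(list)  # {domain: [(timestamp, host), ...]}
    for line in text.strip().splitlines():
        ts, host, domain = line.split()
        events[domain].append((datetime.fromisoformat(ts), host))
    return events

def is_beaconing(timestamps, min_events=5, max_cv=0.05):
    """True when gaps between contacts are regular enough to look scheduled."""
    if len(timestamps) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv  # low variation

def assess(log_text, reg_dates, today, max_age_days=30, rare_hosts=1):
    """Return {domain: flags}: newly registered, rarely contacted, or beaconed to."""
    findings = {}
    for domain, evs in parse_log(log_text).items():
        flags = []
        if domain in reg_dates and (today - reg_dates[domain]).days <= max_age_days:
            flags.append("newly-registered")
        if len({host for _, host in evs}) <= rare_hosts:
            flags.append("rare")
        if is_beaconing(sorted(ts for ts, _ in evs)):
            flags.append("beaconing")
        findings[domain] = flags
    return findings
```

A domain carrying all three flags is the kind of early indicator the quote refers to; an established domain contacted by many hosts comes back with no flags, which keeps the use case from flooding analysts during a surge of legitimate Covid-19 traffic.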