Over the last year, there has been a significant rise in phishing attacks by eCriminals all over the world – a trend that is set to continue in 2021. Adversaries sought to take advantage of the chaos and confusion created by the pandemic. It created the perfect scenario for eCriminals to make phishing campaigns their primary weapon of choice, tailoring these campaigns to prey on human emotions and behaviour, the most exploitable of which are greed, curiosity, fear and the desire to help others, especially during a global pandemic. With organisations managing a distributed workforce and planning a return to the office, the transition itself potentially represents another opportunity for eCriminals to target them. Before we look at the potential threats, let’s look at phishing attacks in more depth.
What are phishing attacks?
Phishing attacks are a type of cyberattack that uses email, SMS, phone or social media to make contact with a victim and lure them into sharing sensitive information such as passwords and account details. These attacks can also lure the victim into inadvertently downloading and installing malicious code on their devices. Adversaries will usually pose as a trusted entity, which could be a person or an organisation that the individual engages with on a regular basis.
Various types of phishing attack are being deployed, the most common being spear phishing, pharming, smishing, vishing, session hijacking, whaling, cloning and domain spoofing. Phishing campaigns are designed around the interests of the victims and around topics or content that actively encourage a human response. With organisations planning to bring their remote working staff back to the office, we can expect another wave of phishing attacks targeting the vulnerabilities potentially exposed by the move.
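Domain spoofing and its display-name variant, both mentioned above, are among the few phishing techniques a mail gateway can screen for mechanically. The following is an added example (not code from the article or from CrowdStrike) of a defender-side check on the From header of an incoming message: it flags addresses whose domain is a near-match of a trusted domain (homoglyph or one-character substitutions) and addresses whose display name claims a trusted brand while the actual sender domain is unrelated. The trusted domain list, the homoglyph table and the sample headers are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed list of domains this organisation treats as legitimate senders (assumption).
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

# A small, constructed table of character substitutions commonly used to build
# lookalike domains. Real deployments would use a much fuller confusables list.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalise(label: str) -> str:
    """Lower-case a domain and collapse common visual substitutions."""
    label = label.lower().translate(HOMOGLYPHS)
    return label.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances between normalised domains mean 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Reduce 'mail.sub.example.com' to 'example.com' (naive: no public-suffix list)."""
    parts = domain.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return one of: trusted, lookalike, display-name-spoof, external, unparseable."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = registrable(addr.rsplit("@", 1)[1])
    if domain in trusted:
        return "trusted"

    # 1. Lookalike domain: identical after homoglyph folding, or one edit away.
    for t in trusted:
        if levenshtein(normalise(domain), normalise(t)) <= 1:
            return "lookalike"

    # 2. Display-name spoof: the friendly name invokes a trusted brand, but the
    #    real sender domain has no relation to it.
    name_l = re.sub(r"\s+", " ", name.lower())
    for t in trusted:
        brand = t.split(".")[0]
        if brand in name_l:
            return "display-name-spoof"

    return "external"


if __name__ == "__main__":
    # Constructed sample From headers.
    samples = [
        "Payroll <hr@example.com>",
        "IT Helpdesk <support@examp1e.com>",
        "Example Support <alerts@mail-updates.net>",
        "Alice <alice@partner.org>",
    ]
    for s in samples:
        print(f"{classify_sender(s):20s} {s}")
```

Such a check is only one signal: it says nothing about whether the message body is malicious, and a trusted domain can still be abused from a compromised mailbox, so its verdict belongs alongside SPF/DKIM/DMARC results and user reporting rather than replacing them.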
Returning to the office represents an opportunity for adversaries
In 2020, the majority of organisations all over the world had to change the way they function and embrace the new normal of employees working from home. This meant that security teams had to quickly establish new protocols and procedures to ensure the safety of their endpoints, especially with the increase in the use of personal devices for work. Fast-forward one year and the new reality is that organisations are now used to working with a distributed workforce, so it is likely that many will continue operating with a hybrid working model, with a portion of their employees working remotely on a permanent or semi-permanent basis.
A distributed and diverse workforce represents its own challenges for security teams as it may not give them consistent visibility of every endpoint (which may include personal devices) connecting to their corporate systems and networks. Remote work also gave rise to the rapid adoption of applications that enabled people to work from anywhere which, due to the urgency of the situation at the time, may not have undergone a thorough security assessment and vetting process.
To securely manage the move back to the office or to a hybrid working model, organisations must look at taking a Zero Trust approach – one that continually monitors and validates the access privileges and rights of users and their devices. For staff returning to the office, the experience will generate a certain amount of concern related to health, hygiene, new policies, social distancing norms, etc. and these individuals can easily be targeted with new phishing campaigns. In all circumstances – whether they are working from home, while travelling or in the office – educating your employees about cybersecurity and safe user behaviour will be critical, as it will ensure that they are aware of the latest threats and follow secure practices to protect themselves, their devices and your corporate assets from cyberattacks.
Lessons from 2020
The uncertainty generated by the pandemic meant that people were scared and looking for answers. Concern over the pandemic presented a valuable subject for targeted intrusions and this gave rise to COVID-19 themed phishing campaigns. People were frantically looking for information and searching for assurances from their employers, government, health experts and other pertinent specialists. In such a situation, imagine receiving an email that looks like it is from one of these entities, purporting to have important new information or updates about COVID-19. It is likely that such an email won’t receive close examination and, a hasty click later, the victim’s device can be easily compromised.
Organisations must learn from the way adversaries exploited the pandemic in 2020 to target victims, and expect more of the same in 2021. Vaccine manufacturing and distribution is a hot topic of discussion in most countries around the world, and it has generated a lot of curiosity among individuals everywhere. It is likely that adversaries will target individuals looking for information with campaigns specifically designed to look like they offer insight into vaccine distribution timelines, safe ways to get vaccinated, the efficacy of various vaccines, information on new variants of COVID, etc., to lure victims into responding. Information around vaccine roll-out plans will be a major target for intelligence gathering, especially by nation-state adversaries looking to derail a rival state’s vaccination efforts.
2021 represents a year of hope and organisations must tread carefully while managing the move back to normality. Adversaries all over the world will try their best to create more chaos and prey on the insecurities of people with phishing campaigns. Security teams must learn lessons from 2020 and understand that adversaries will look to take advantage as organisations might be distracted by managing the transition in their working arrangements. Taking a Zero Trust approach, and ensuring ongoing security awareness amongst your staff will be the key to tackling cybersecurity challenges, particularly those presented by the various forms of phishing attacks.
By Nitin Varma, Managing Director India, Crowdstrike