What We’ve Learned (So Far) from COVID-19 Phishing Attacks

The rapid global expansion of the COVID-19 virus brought with it a similar proliferation of phishing attacks and social engineering schemes. Leveraging subject lines that include urgent topics such as medical supplies, financial assistance, and government stimulus news, cybercriminals are capitalizing on the vulnerable, a common yet loathsome method for those with few scruples and high dollar expectations.

These villains are working hard to convince users to share login information, donate money to fake charities or on spoof websites, and install ransomware and other malware. A number of reputable agencies and associations are being spoofed, including the Centers for Disease Control, the World Health Organization, and yes, the IRS.

With extensive work-from-home orders in place, employees are even more at risk than they would be otherwise.

The good news? The world, and especially the IT community, is coming together to combat these coronavirus-related attacks. Cybercriminals are out for a profit, and absolutely no one should be surprised at the methods they will use to take down an already struggling business.

At the very least, there are lessons we can all learn from these challenging times. Here are just a few things everyone should pay attention to moving forward.

1. Everyone is vulnerable

The first thing we’ve learned is that no one is immune from cyberattacks, and everyone is in the crosshairs of these criminals. This may seem obvious to some, but in unprecedented times like these, all assumptions are off the table. The fact is many phishing emails look precisely like the messages being sent by respected banks and businesses, as well as agencies, trusted officials, and friends. Not all of these schemes are easy to identify. There may be no strange email addresses or misspellings, and even when there are mistakes, they are subtle. With reader anxiety at a high, the chances of catching those errors are dramatically lessened, which leads to the next point.

2. The threat landscape has changed

Regular office employees are still adjusting to working from home (not always an easy task) while juggling the fears of contracting COVID-19, teaching their kids between meetings and other activities, and maintaining a decent work-life balance. With all that added stress combined with a new, likely unsecured work environment, it’s easy for cybercriminals to capitalize on user distractions.

Remote work itself, even without those additional pressures, is a phishing haven, especially when employees are unfamiliar with the experience. For example, workers may pick up additional responsibilities such as updating and patching software (especially if using personal computers) as well as learning how to deploy and utilize VPNs and other advanced security measures. Employees also have to make an extra effort to keep in touch with their management teams and co-workers.

3. More protection is needed

While there is evidence that phishing kits are increasing in price (showing that email security software is becoming harder to penetrate), there is still much work to be done to secure your SMB clients. Consistent communication is critical, especially with users who rely on close support and regularly depend on internal IT teams to bail them out of issues. If everyone is not on the same page, mistakes are bound to happen. While email security training is always essential for businesses, those programs are even more important now. MSPs should continuously remind everyone to review and adhere to their companies’ electronics/security policies and to do all they can to avoid risk, including knowing what to look for to spot a phishing attack.

Up the Ante

Whether employees typically work remotely or are new to that concept, MSPs cannot follow the pre-COVID-19 game plan. You need to work proactively to combat the constantly changing and increasingly sophisticated threat landscape.

Lean on existing security practices and policies, but understand that more attention will be required to ensure end-users comply with existing standards. Increase phishing training, test business cybersecurity measures regularly, scrutinize password management practices, and develop additional strategies to safeguard your clients’ employees and devices.

When it comes to cybersecurity, MSPs can never be too careful. Consider the struggles of your clients’ temporary and permanent remote workforce and step up monitoring and communications. In times like these, the SMB needs providers with the flexibility to accommodate changes while ensuring their business information and people are appropriately protected.