Awareness training vitally important as Covid-19 phishing scams increase

The number of phishing attacks targeting individuals and organisations alike during the Covid-19 pandemic is increasing massively. KnowBe4 benchmarking has found that 37.9 percent of users without security awareness training will fail a phishing test, up 8.3 percent from last year. That is a worrying number of people.

Research from various organisations that monitor global phishing activity shows a rise of nearly 700% surrounding the coronavirus outbreak compared to previous months. More than 9,000 phishing attacks were directly related to the pandemic.

Dean Russell, MP for Watford and member of the Health and Social Care Select Committee, commented:

“This is a new low for cyber criminals, who are acting like piranha fish, cowardly attacking people en masse when they are at their most vulnerable. It’s vital that the public remain vigilant against scam emails during this challenging time.”

In our opinion, many organisations are still using technology as the only means of defending their networks. That is never going to end well. Remember, staff can be your strongest protection but only if they are adequately trained and there is a corporate ethos of not playing the blame game. Human awareness is vital in achieving a secure environment.

Is it too late to train your staff?

Is it too late to train staff who are now working from multiple locations (i.e. their home) to be mindful of the increased targeting of this dispersed workforce and the stresses already placed on their IT departments?

Chad Anderson, Dev Ops Manager at DomainTools, said:

“This pandemic is global and on the front of everyone’s minds, the scammers think in terms of what they can leverage, and this is a powerful fear for them to utilise.”

It is important to share information amongst ourselves and other industry partners; we need to share as much information as possible.

That is exactly what DomainTools have done; they are providing a free, daily-updated list of internet domains that are involved in the spread of Coronavirus/COVID-19 attacks and scams.

The list as of March 25th 2020 contains nearly 69,000 unique internet domains. The list can be downloaded here.

Organisations can add the domains listed to their block list on their email servers, and even provide the list to users, who can see if suspected spam emails have domains referenced on the list.
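The check described above, as an added example that is not part of the original article or DomainTools' own tooling: a short Python script that loads a domain block list and flags listed domains in an email's sender headers and body links. The list format (one domain per line), the sample domains and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data; assumed list format: one domain per line, '#' comments.
SAMPLE_BLOCKLIST = "# constructed entries\ncovid19-relief-fund.example\ncorona-mask-supply.test\n"
SAMPLE_EMAIL = """\
From: "HR Team" <updates@hr.covid19-relief-fund.example>
Reply-To: claims@corona-mask-supply.test
Subject: Updated Covid-19 guidance

Read the new policy at http://intranet.company.example/policy and
claim your payment at https://pay.Covid19-Relief-Fund.example/login
"""
URL_HOST = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)

def load_blocklist(text):
    """Return a set of lower-cased domains, skipping blank and comment lines."""
    lines = (line.strip().lower().rstrip(".") for line in text.splitlines())
    return {d for d in lines if d and not d.startswith("#")}

def is_blocked(host, blocklist):
    """True if host or a parent domain is listed; matching is on whole labels only."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def check_email(raw, blocklist):
    """Return sorted (where, host) pairs for each listed domain found in the message."""
    msg = message_from_string(raw)
    found = set()
    for header in ("From", "Reply-To", "Return-Path"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            host = addr.rpartition("@")[2]
            if host and is_blocked(host, blocklist):
                found.add((header, host.lower()))
    text = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    for host in URL_HOST.findall(text):
        host = host.rpartition("@")[2].partition(":")[0]  # drop userinfo and port
        if is_blocked(host, blocklist):
            found.add(("body-url", host.lower()))
    return sorted(found)

if __name__ == "__main__":
    for where, host in check_email(SAMPLE_EMAIL, load_blocklist(SAMPLE_BLOCKLIST)):
        print(f"{where}: {host}")
```

Matching on whole labels means a subdomain of a listed domain is flagged, while an unrelated domain that merely ends in the same characters is not.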

What else can you do?

Lots of companies are emailing updates to their staff on a regular (sometimes daily) basis with their guidance around Covid-19. Make sure your staff can tell which emails are legitimately from company management. This is such an important point, because threat actors will jump in to exploit anything in their favour with phishing campaigns.

Be vigilant, even more so than normal. If you receive an email that just doesn’t seem right, listen to your instincts: it probably isn’t.

The BBC has a great article on how they tracked 5 phishing campaigns relating to COVID-19 here.

Be safe, people. Working from home will help stop the spread of Coronavirus. It doesn’t mean that you have to help spread the other kind.