Corporate security has stepped up phishing related monitoring and awareness activities to counter the threat
Hackers looking for ways to gain entry into organizations have found COVID-19 an ideal hook, exploiting the human emotions of fear, anxiety and uncertainty. Phishing attacks that use COVID-19 as a lure are growing rapidly and becoming more sophisticated.
Experts managing corporate security corroborate this threat. Says Rahul Chandak, CISO at Grasim Industries, Aditya Birla Group, “We have witnessed a significant growth in the number of COVID-related phishing attacks during the lockdown. The situation is alarming as it is a challenge for employees to distinguish between a genuine email related to COVID-19 from a spear attack.”
According to a report by Barracuda, a technology provider of security, networking and storage services, there has been a steady increase in the number of COVID-19 related spear-phishing attacks since January which shot up by 667% from end of February to March. Between March 1 and March 23, Barracuda researchers detected 467,825 spear phishing email attacks, and 9,116 of those detections were related to COVID-19, representing about 2% of attacks.
In mid-June, India's nodal cyber security agency, CERT-In, had issued advisory warnings about large-scale attacks against individuals and businesses that use the Coronavirus as a lure to distribute malware, steal credentials and scam users out of money. Such phishing attacks could impersonate government agencies, departments and trade bodies that have been tasked with overseeing the disbursement of government fiscal aid.
The advisory outlined protective steps: it warned against opening attachments in unsolicited emails, urged extensive use of encryption, anti-virus tools, firewalls and filtering services, and asked that unusual activity or attacks be reported to CERT-In.
Corporate security has stepped up phishing-related monitoring and awareness activities to counter the threat. This includes education campaigns on digital platforms, training sessions and discussions via virtual meetings, followed by simulation exercises in which employees are asked to distinguish between spear attacks and genuine emails from the company.
Companies are also deploying anti-phishing email tools that scrutinize sender email domains and missing headers and then attach a cautionary alert to suspicious emails. These measures, along with security best practices such as installing corporate antivirus on personal devices and restricting access to corporate networks via VPNs, have so far enabled companies to thwart phishing attacks.
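The two gateway checks mentioned above (a sender domain that imitates the corporate domain, and authentication headers that should be present but are not), with a caution banner added to the subject when either fires. This is an added illustration, not the tool any of the companies in the article uses; the corporate domain `example.com`, the expected header names and the two sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed corporate domain (placeholder) and headers a gateway stamps on authenticated mail.
CORPORATE_DOMAIN = "example.com"
EXPECTED_HEADERS = ("Authentication-Results", "DKIM-Signature")

def is_lookalike(domain, reference):
    """True for domains imitating reference ('examp1e.com', 'example-com.net',
    'example.com.evil.test'); False for the reference itself or an empty domain."""
    if not domain or domain == reference:
        return False
    normalized = domain.translate(str.maketrans("10", "lo")).replace("-", ".")
    return reference.split(".")[0] in normalized

def assess(raw):
    """Return the reasons a message looks suspicious (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    if is_lookalike(domain, CORPORATE_DOMAIN):
        reasons.append(f"sender domain {domain} resembles {CORPORATE_DOMAIN}")
    missing = [h for h in EXPECTED_HEADERS if h not in msg]
    if missing:
        reasons.append("missing headers: " + ", ".join(missing))
    return reasons

def tag(raw):
    """Prefix the subject with a caution banner and record the reasons in a header."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = assess(raw)
    if reasons:
        subject = msg.get("Subject", "")
        del msg["Subject"]                  # avoid a duplicate Subject header
        msg["Subject"] = "[CAUTION: possible phishing] " + subject
        msg["X-Phish-Warning"] = "; ".join(reasons)
    return msg.as_string()

# Constructed sample: COVID-19 lure from a lookalike domain, no authentication headers.
LURE = """From: HR Team <hr@examp1e.com>
Subject: COVID-19 relief fund: action required
"""
# Constructed sample: internal mail that passed the gateway's authentication checks.
LEGIT = """From: HR Team <hr@example.com>
Subject: Updated work-from-home guidelines
Authentication-Results: mx.example.com; dkim=pass header.d=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; bh=abc; b=xyz
"""
```

A real gateway would verify the DKIM signature and DMARC result rather than trusting the header's presence; the check here only mirrors the "missing headers" signal the article describes.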
Says Gurprit Singh Grewal, DGM and ISO, IDBI Bank, “Our security team is painstakingly examining and reviewing emails to identify and isolate spear attacks, validating rules and updating them, and initiating refresher sessions with employees more frequently.”
As a financial services organization, IDBI Bank is vulnerable to spear attacks, and senior executives with privileged information are often targeted with emails designed to get unauthorized transactions sanctioned. IDBI therefore used to conduct regular sessions at zonal offices and hold orientation sessions for freshers; these are now being replaced with digital interactions followed by simulated exercises in which users are taught to recognize phishing emails.
According to widely acclaimed research by Professor Matthew L. Jensen, University of Oklahoma, Professor Michael Dinger, University of South Carolina Upstate, and Professor Ryan T. Wright, University of Virginia, phishing attacks can be mitigated more successfully with mindfulness techniques than with rule-based training.
The research pointed out the inadequacy of rule-based training: employees become complacent after completing the training as a routine, lowering their defences and falling victim to phishing attacks.
The mindfulness approach encourages individuals to be attentive when evaluating messages, to increase their awareness of context, and to become cautious of suspicious messages. These techniques are critical to detecting phishing attacks in organizational settings but are not addressed in rule-based instructional training.