Hackers see any crisis situation as an opportunity to maximize the impact of their attacks and take advantage of the weaknesses and lack of vigilance generated by crises. The global spread of COVID-19 is not an exception to this “rule.”
Ever since the first reports on the global health crisis were released, hackers have launched several campaigns of attacks, including phishing, to take advantage of the instability and uncertainty created by the situation. Several malicious programs and numerous phishing campaigns using coronavirus-related information to lure the users have been detected by cybersecurity specialists.
Businesses remain the primary target during this COVID-19 crisis, particularly medium- and small-sized businesses. Some companies had to face an unprecedented crisis for the first time, and their entire business was challenged. Hundreds of thousands of other companies were facing difficulties, among them those that had not previously drawn up service continuity plans.
Hackers have spared no effort: all types of attacks have been explored and all potential targets have been aimed at, from ransomware campaigns targeting hospitals, to the exploitation of security vulnerabilities in web-conferencing tools such as the famous Zoom, widely used during the crisis, and finally to the numerous phishing campaigns that take advantage of human emotions and of the personal and professional uncertainty in which people live.
We will try to detail in this article the main reasons that led hackers to target companies and professionals during the COVID-19 health crisis. In particular, we will focus on the type of attack called phishing, where cybercriminals try to get a person to download malware or give up confidential information by email or phone by exploiting their personal information.
1. Companies occupied by the continuity of their business
Companies and professionals have faced an unprecedented crisis that has heavily impacted their businesses, so everyone was busy finding solutions to ensure the continuity of services and, in particular, to cope with the shift to remote working for all or most employees and workers all over the world.
The panic and lack of vigilance served the hackers well: they took advantage of this situation to generalize phishing attacks and redouble their efforts to reach the maximum number of victims. Indeed, very few companies had a continuity plan to ensure the continuation of operations in the face of a crisis of this magnitude. In the case of small- and medium-sized enterprises, a plan for ensuring the continuity of their services in the face of any crisis is in the majority of cases non-existent.
In my job as a security auditor, I have had the opportunity to audit several companies of this type, and the business continuity plan is indeed very rarely drawn up by them, and when it is written, it is never tested virtually. Thus, during the health crisis, the level of vigilance of companies was reduced considerably and all the attention of managers, directors, and workers was focused on the business.
2. Noncompliance with internal and standard processes
During the COVID-19 health crisis, it was noted that many companies were no longer following their internal standard processes to perform the usual tasks, such as billing, accounting, supplier relations, etc. Many of these tasks, which went through well-controlled workflows in normal times, had to take roundabout routes in order to achieve the desired outcomes, which created an advantage for hackers.
Several invoicing and supplier relationship activities have been handled simply by phone calls, as the supplier is also in crisis and cannot access its internal network to use the usual invoicing tools. Phone calls used to get invoices paid are reminiscent of the famous phishing attack called “the call of the fake boss.” In this case, people with communication skills make fraudulent calls to employees under pressure to make transfers or pay for false invoices. During the health crisis, the vigilance of employees also decreased, which allowed malicious people to develop all possible and imaginable types of phishing.
3. Lack of employee security awareness
Another reason that may be mentioned in this article is the lack of employee security awareness. Many companies do not take enough time outside of crises to make employees aware of cybersecurity risks. Human awareness is one of the foundations of an information security management system: a company can put in place all possible and imaginable security tools, but if it does not raise awareness among its employees, its information system will remain exposed to attacks that exploit the weakest link, the human.
Phishing attacks exploit human vulnerability in particular. Employees who are not trained and made aware of these risks, or who are put under extra pressure by working remotely, are an ideal target for attackers. Normally, this type of employee is already widely targeted by hackers, but during COVID-19, this vulnerability has become even more critical. Many employees have had to manage their personal lives, take care of their children at home, and at the same time manage their professional activities under more pressure because a lot of businesses are at stake.
The lack of support for employees was felt during this period, especially for those who saw their loved ones affected by the disease and faced an uncertain future. There have been cases in which these employees focused all their attention on their personal lives and were less and less concerned with the fate of their businesses.
The sense of belonging in the company is a pillar of vigilance. Nevertheless, during this unprecedented crisis, this sense of belonging has been largely affected. In particular, the lack of contact between employees resulting from remote working and mandatory lockdown has contributed substantially to this.
This is where phishing attacks come into play. The lockdown has considerably limited the verbal exchanges that employees of a company or a team usually have with one another. This limitation favors isolation and then benefits hackers, who exploit the most vulnerable employees, the most timid, those who do not dare to disturb others by phone to ask a question after receiving a suspicious email or an unusual phone call.
4. Use of unusual (often free) tools
Another reason that can explain the growth of phishing attacks is the use by companies and professionals of tools they do not usually deploy. During this health crisis, several companies used web-conferencing tools and open-source or free project management and task-sharing tools. This has significantly increased the risk of sensitive data being leaked and captured, which allows hackers to collect the information needed for phishing attacks.
The companies that used these tools did not have the time or resources to assess their level of security or to perform a risk analysis identifying the potential risks to the internal information system and the business. The urgency of the situation has led these companies to choose completely unknown tools simply by searching on internet search engines. The risk of stumbling on a bad tool and deploying software containing spyware went through the roof.
Some companies not only took the risk of deploying tools that were completely unvetted from a security point of view, but, even when one of these tools was found to be vulnerable, were unable to change or replace it because the pressure of business continuity was so strong.
Take a case that caused a lot of ink to be spilled during the COVID crisis: the Zoom web-conferencing tool. As the global COVID-19 pandemic has abruptly shifted everyone’s working environment from office to home, virtual meetings quickly became a necessity for just about everyone I know.
As a result, Zoom usage reached an all-time high in mid-March thanks to its incredibly easy-to-use multiplatform video conferencing service. Several thousand companies around the world have opted for this tool. Nevertheless, in April 2020, several security vulnerabilities were revealed, such as the disclosure of users’ personal data to Facebook, eavesdropping issues while holding video conferences and calls, and even exposure of Windows passwords to other users.
Despite all this information about the proven flaws of this tool, companies have continued to use it, and still use it to this day, because of a lack of alternatives. It is of course necessary to mention that these vulnerabilities have been corrected by Zoom.
5. The technical barrier between personal and professional life is crossed
The last reason that can be mentioned in this article is crossing the barrier between personal and professional life of employees, from a technical point of view. This has been manifested clearly and concretely through the use of work tools, such as the smartphone or the computer, as personal tools, or vice-versa!
Many companies have been obliged to tolerate the personal use of the tools made available to employees. Or in the opposite case, some companies have had to rely on the advantages of BYOD (Bring Your Own Device) to enable workers to carry out their activities using their own equipment.
Unfortunately, these uses have only made things worse and therefore increased the risks of phishing attacks. Indeed, they involved, for example, granting employees administrator rights on their professional machines so that they could install non-standard tools such as web-conferencing tools.
Beyond this case, the use of children’s entertainment tools on these machines has also become a source of threat to the information system and the business.
Concerning smartphones, for example, the explosion in the development of entertainment applications, especially for children, was remarkable. Several cases of malware have been detected in these apps, installed millions of times on smartphones used for business purposes.
Some Phishing Statistics
The sudden outburst of phishing attacks during the COVID-19 period is a fact that has been noted by many cybersecurity specialists, such as Barracuda Networks, Cisco Systems, McAfee, Symantec, Radware, etc. In an interview conducted in France and published on their website on 5th of May 2020, France Inter welcomed Mr. Didier Schreiber, Marketing Director at Zscaler (4,000 customers worldwide, the monitoring of more than 150 data centers worldwide). In this interview, Mr. Schreiber emphasized the frightening increase in phishing attempts detected by Zscaler in saying:
“Our job is to analyze more than 100 billion requests every day (that’s ten times more than Google, for example), and of those 100 billion, we analyze more than 150 million threats that we block every day. Since January 2020, with the coronavirus crisis, there has been an increase of over 30,000% in phishing-type computer attacks, malware, malicious sites targeting remote users. In January, there were 1,200 Covid-19-related cyber-attacks… and 380,000 cyber-attacks in early April!”
Then, he goes on to cite the techniques used during this period: “We know that cyber hackers have used fear, fear of people with websites created in a few hours, new domain names, fake interactive cards on the number of cases infected country by country, the number of deaths… or fake masking sites.”
Phishing Attempts Have Increased by 667% during COVID-19
Another very interesting example: according to Barracuda, the provider of cloud-enabled security solutions, a 667% increase in phishing attempts was recorded in March. $12 billion has already been lost as a result of spear phishing and account takeovers.
According to the report, between March 1 and March 23, Barracuda detected 467,825 spear phishing email attacks, and 9,116 of those attacks were related to COVID-19, representing about 2%. In order to make a comparison, a total of 1,188 coronavirus-related email attacks were detected in February, and just 137 were detected in January.
How Can Companies Prevent Phishing Attacks?
Crises significantly promote the growth of phishing attacks, but the risk of phishing attacks, which is becoming more and more severe, can be significantly reduced through a security approach that includes the following processes:
- Consider employees to be the first line of defense and the weak link generally targeted by attackers. Therefore, it is critical that each organization focuses on training and awareness of data security practices.
- Build and test business continuity and recovery plans to avoid panic and disruption of services during crisis periods. These plans should detail the processes and tools to be used in times of difficulty to avoid risky uses and malware.
- Implement and reinforce attack detection through the use of security detection tools or cloud outsourced services. Cybersecurity teams should also work in conjunction with fraud risk management teams to coordinate detection and response activities. Perform regular security checks by auditing systems, networks, and exposed servers.