4 reasons why you should include current events in your phishing simulation program
Introduction
One of the dirtiest aspects of phishing campaigns in the wild is that they will take advantage of anything happening in the world today to make their job easier. Most notably and timely are the phishing campaigns taking advantage of the latest COVID-19 events to entice users to click on a malicious URL or to download an infected file attachment.
For reasons ranging from it not being “socially responsible” to the simple fact that organizational employees are more stressed today than ever, some organizations are choosing to leave current events out of their phishing simulation programs.
Phishing simulations & training
This article will detail the top four reasons for using current events in your organization’s phishing campaign and the cons of including current events in your phishing simulations. We’ll leave you with valuable tips for using current events without getting too personal, thereby softening this effective yet realistic approach as much as possible.
4. Phishers are actively using current events in their phishing campaigns
One of the top reasons why you should use current events in your organization’s phishing simulation program is because they are currently being used, and they are working. Despite reports that some attack groups are pledging to not use COVID-19 as the underlying premise of their phishing campaigns, this is certainly not the case with all attack groups or even most of them. Phishing simulations should be as realistic as possible to be as effective as possible.
The real-world examples of using current events like COVID-19 are limited only by the imagination of attack groups. Some real-world examples include phishing emails with subjects like “EXTERNAL: COVID 19 PREPARATION GUIDANCE” and “Work Remotely Enrollment (Action Required).” Phishers also use trusted names involved in current events to make their campaign as successful as possible. For example, phishing emails impersonating the World Health Organization (WHO) have doubled since early March 2020.
3. Including current events is not new for phishers
One thing that can be said about using current events in phishing campaigns is that it is not by any means new. For years (if not decades), phishers have taken advantage of current events to trick users into clicking and downloading things they should not. Looking at the holiday season alone, phishers have traditionally used emails playing upon people’s emotions and stress to entice some kind of user-generated action out of them.
Other classic uses of current events include sports mega events, such as the World Cup, and vacation related emails during peak season of vacations. Do you really expect to get two free tickets to the World Cup if you simply click on a URL? I should hope not!
2. The mindset of the user
Possibly the most used tactic of phishing campaigns is exploiting the mental state of the victim. In times of high stress, such as pandemics, the holidays or any other current event that adds stress to the life of the victim, these are all potential triggers for phishers. This has always been in the arsenal of phishers because their end goal is to separate the victim from their money and phishers will use almost any emotional trigger to achieve this.
COVID-19 is a major emotional trigger for how it may affect loved ones and the overall effect that quarantines and lockdowns have had on people and phishers will continue to exploit this. With this in mind, what well-meaning phishing simulation would not at least touch on this?
Phishers know that the effectiveness of phishing can be increased when it is in a life domain context for the user. This means it would affect the user’s health, financial, legal, ideological, security and social domains.
1. Real-world examples that keep recurring, again and again
The four most encountered real-world COVID-19 phishing examples are:
- HR file share with COVID-19 information that is specific to your organization
- Money scam using the context of COVID-19
- COVID-19 safety awareness and prevention phishing
- New COVID-19 cases reported by WHO in your area
While details of specific successful breaches using COVID-19 themed phishing emails is scarce, the aggregate of these COVID-19 phishing examples is stark. For example, between February 25th and March 25th of 2020, successful COVID-19 phishing campaigns increased exponentially from 200 to 6,400 successful attacks per day. Moreover, in Q1 of 2020 alone, there were 48,000 hits on malicious URLs related to COVID-19.
Organizations can therefore realistically expect to receive some COVID-19 phishing emails along with the other usual phishing suspects. These examples can easily be modified and adapted for use in your organization’s phishing simulation program.
Cons
The biggest con associated with using sensitive current events as part of your phishing simulation program is potentially offending one of the users in your organization. This may be because they personally know someone with COVID-19 or that they have otherwise been impacted by the sensitive current event.
Organizations should strive to not use a sensitive current event in a phishing simulation program against a user that is known to have been impacted by the event. This will prevent potential for offense and allow the phishing simulation program to remain as effective as possible.
Tips for using current events in your phishing simulation program
- Align your internal communication with your program’s training message
- Communicate the goals of the phishing simulation program to your organization
- Make sure to warn your organization about potential COVID-19 phishing emails both in the wild and in simulation to remove as much shock as possible from the user experience. After all, they should be at least aware that phishing emails based on sensitive current events are a possibility
Conclusion
Current events have long been the bait that phishers have used in phishing campaigns to trick users. These current events can range from the more mundane, such as the holiday season and major sporting events, to the more sensitive current events that may have affected people in a significant way.
Organizations should be mindful of the impact of events like COVID-19 by specifically not targeting internal users who have been affected by it, and use it against others in the company only after efforts have been taken to warn users that emails using current events as a premise will be included in the organization’s phishing simulation program.
See Infosec IQ in action
Sources
- 5 COVID-19 Threats & How to Develop your own COVID-19 Phishing Campaign, Hoxhunt
- Phishers play on emotions to fool victims, Decipher
- Malware authors and scammers adapt to current events with phishing and more, Forcepoint Blog
- Leave the pandemic out of your phishing simulations, Cofense says to industry, CyberScoop
In this Series
- 4 reasons why you should include current events in your phishing simulation program
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness