Introduction

One of the dirtiest aspects of phishing campaigns in the wild is that they will take advantage of anything happening in the world today to make their job easier. Most notably and timely are the phishing campaigns taking advantage of the latest COVID-19 events to entice users to click on a malicious URL or to download an infected file attachment. 

For reasons ranging from it not being “socially responsible” to the simple fact that organizational employees are more stressed today than ever, some organizations are choosing to leave current events out of their phishing simulation programs.

This article will detail the top four reasons for using current events in your organization’s phishing campaign and the cons of including current events in your phishing simulations. We’ll leave you with valuable tips for using current events without getting too personal, thereby softening this effective yet realistic approach as much as possible.

4. Phishers are actively using current events in their phishing campaigns

One of the top reasons why you should use current events in your organization’s phishing simulation program is because they are currently being used, and they are working. Despite reports that some attack groups are pledging to not use COVID-19 as the underlying premise of their phishing campaigns, this is certainly not the case with all attack groups or even most of them. Phishing simulations should be as realistic as possible to be as effective as possible. 

The real-world examples of using current events like COVID-19 are limited only by the imagination of attack groups. Some real-world examples include phishing emails with subjects like “EXTERNAL: COVID 19 PREPARATION GUIDANCE” and “Work Remotely Enrollment (Action Required).” Phishers also use trusted names involved in current events to make their campaign as successful as possible. For example, phishing emails impersonating the World Health Organization (WHO) have doubled since early March 2020.

3. Including current events is not new for phishers

One thing that can be said about using current events in phishing campaigns is that it is not by any means new. For years (if not decades), phishers have taken advantage of current events to trick users into clicking and downloading things they should not. Looking at the holiday season alone, phishers have traditionally used emails playing upon people’s emotions and stress to entice some kind of user-generated action out of them. 

Other classic uses of current events include sports mega events, such as the World Cup, and vacation related emails during peak season of vacations. Do you really expect to get two free tickets to the World Cup if you simply click on a URL? I should hope not!

2. The mindset of the user

Possibly the most used tactic of phishing campaigns is exploiting the mental state of the victim. In times of high stress, such as pandemics, the holidays or any other current event that adds stress to the life of the victim, these are all potential triggers for phishers. This has always been in the arsenal of phishers because their end goal is to separate the victim from their money and phishers will use almost any emotional trigger to achieve this. 

COVID-19 is a major emotional trigger for how it may affect loved ones and the overall effect that quarantines and lockdowns have had on people and phishers will continue to exploit this. With this in mind, what well-meaning phishing simulation would not at least touch on this?

Phishers know that the effectiveness of phishing can be increased when it is in a life domain context for the user. This means it would affect the user’s health, financial, legal, ideological, security and social domains. 

1. Real-world examples that keep recurring, again and again

The four most encountered real-world COVID-19 phishing examples are:

  1. HR file share with COVID-19 information that is specific to your organization
  2. Money scam using the context of COVID-19
  3. COVID-19 safety awareness and prevention phishing
  4. New COVID-19 cases reported by WHO in your area

While details of specific successful breaches using COVID-19 themed phishing emails is scarce, the aggregate of these COVID-19 phishing examples is stark. For example, between February 25th and March 25th of 2020, successful COVID-19 phishing campaigns increased exponentially from 200 to 6,400 successful attacks per day. Moreover, in Q1 of 2020 alone, there were 48,000 hits on malicious URLs related to COVID-19.

Organizations can therefore realistically expect to receive some COVID-19 phishing emails along with the other usual phishing suspects. These examples can easily be modified and adapted for use in your organization’s phishing simulation program.

Cons

The biggest con associated with using sensitive current events as part of your phishing simulation program is potentially offending one of the users in your organization. This may be because they personally know someone with COVID-19 or that they have otherwise been impacted by the sensitive current event.

Organizations should strive to not use a sensitive current event in a phishing simulation program against a user that is known to have been impacted by the event. This will prevent potential for offense and allow the phishing simulation program to remain as effective as possible.

Tips for using current events in your phishing simulation program

  • Align your internal communication with your program’s training message
  • Communicate the goals of the phishing simulation program to your organization
  • Make sure to warn your organization about potential COVID-19 phishing emails both in the wild and in simulation to remove as much shock as possible from the user experience. After all, they should be at least aware that phishing emails based on sensitive current events are a possibility

Conclusion

Current events have long been the bait that phishers have used in phishing campaigns to trick users. These current events can range from the more mundane, such as the holiday season and major sporting events, to the more sensitive current events that may have affected people in a significant way. 

Organizations should be mindful of the impact of events like COVID-19 by specifically not targeting internal users who have been affected by it, and use it against others in the company only after efforts have been taken to warn users that emails using current events as a premise will be included in the organization’s phishing simulation program.

 

Sources

  1. 5 COVID-19 Threats & How to Develop your own COVID-19 Phishing Campaign, Hoxhunt
  2. Phishers play on emotions to fool victims, Decipher
  3. Malware authors and scammers adapt to current events with phishing and more, Forcepoint Blog
  4. Leave the pandemic out of your phishing simulations, Cofense says to industry, CyberScoop