In March, it was reported that phishing attacks had increased by 667% since the end of February, as Covid tightened its grip across the globe. The first Covid-related phishing scam actually surfaced as early as the end of January.
Fast-forward to August, and HMRC reported it was investigating more than 10,000 coronavirus-related phishing attacks, with cybercriminals exploiting the pandemic via SMS, social media and phone scams. So, what happened in between, and how has Covid-19 increased the scope of the phishing landscape?
The health and economic crisis has created the ideal breeding ground for scamming opportunities. With the latest figures showing 7.5 million of us on furlough in June, and a further 500,000 individuals out of work or going unpaid by employers, cybercriminals have capitalised on a wealth of vulnerable targets. The 2020 Phishing Attack Landscape Report reveals the frequency of phishing threats has risen considerably throughout the last few months, with companies experiencing an average of 1,185 attacks every month. The same survey exposes a major increase in time allocated to attack mitigation, removal and incident response – time that many businesses can’t afford to lose in the current climate.
Not only is the danger increasing in frequency, the scale of damage caused by this type of scam is also growing. Among the 46% of businesses that have experienced breaches or attacks in the past 12 months, more than two thirds considered a phishing attack the single most disruptive type of attack.
What is it about lockdown that has made cybercriminals up the ante, and rendered individuals and businesses more susceptible to being hooked? (UK citizens have lost around two million pounds to Covid-19 phishing attacks!)
The answer may lie in our modern tendency to turn to the internet as our first port of call to acquire the latest information on the virus – along with the vulnerability of the healthcare and government sector to exploitation. When we encounter emails seemingly originating from a legitimate healthcare company offering comfort to combat the fear and uncertainty of finding a cure, it’s easy to forget to check the authenticity. And, with so many out of work or on a reduced income, cybercriminals impersonating government bodies offering loans and economic support are all too easily overlooked.
It was reported that phishing emails replaced web-based phishing as the delivery method of choice for malicious files by a factor of four to one between July and August, as cybercriminals seized on people’s hopes that a Covid-19 vaccine was on the horizon. Security firm Check Point revealed that the number of phishing emails incorporating deceptive vaccine-related subject lines was up – and the number of vaccine-related domains had doubled in June and July, with one in every 25 malicious Covid websites’ landing pages now being vaccine-related. Such websites also falsely claim to sell PPE like face masks, sanitizers, gloves and drugs, asking unsuspecting victims to enter their details and pay up front for the goods.
The events sector (specifically festivals forced online during the pandemic) has also come under attack. Facebook scammers are charging individuals to view free festival live streams and creating fake pages before an event takes place, aiming to redirect consumers to websites illegally charging for what should be a free service. Banking, eCommerce sites and the private sector also rank among the worst-hit industries by proportion of attacks.
So, when it comes to phishing, how much employee training is enough? According to this year’s Cyber Security Breaches Survey, in the last 12 months just 18% of businesses have performed additional staff training following their most disruptive breach or attack. Cybercriminals are now less concerned with targeting specific age categories and care less about where employees sit in the business hierarchy. No one is exempt, and the attacks are unforgiving, so it’s vital every employee is equipped with the knowledge and tools to fend off attacks.
With many UK businesses heading into September operating on a balance of remote and office working, ensuring every employee is up to date on the risks of phishing scams is paramount. Make time for remote training, create a comfortable environment with a solid action plan should staff fall victim, and invest in robust cybersecurity solutions to minimise the risk of a data breach.
Here are five clues to help spot a phishing email:
If you’re concerned about the increase in phishing scams, a robust security solution like Threat Vision from UKFast can make sure your network is protected against a landscape of threats.
Find out more about Threat Vision, UKFast’s suite of security products, designed for seamless integration and robust protection.