As cybercriminals continue to evolve their phishing techniques, one old-school threat has developed new relevance: fake messages purporting to be from government entities. The advent of the COVID-19 pandemic opened up new vistas of fraud for phishing scammers, and they didn’t hesitate to dive right in. Google reports uncovering 18 million daily malware and phishing emails in 2020. Phishing scams using government and quasi-governmental entities became a quick, effective way for cybercriminals to capitalize on the fear and uncertainty generated by tumultuous world events, and they haven’t stopped.
Automated security isn’t a luxury. See why Graphus is a smart buy.
More than 70% of organizations around the world experienced a phishing attack, resulting in an overall increase of 42% in phishing in 2020, while some categories and attack types like ransomware experienced triple-digit growth. Phishing threats took their biggest jump in Q2 2020, escalating an eye-popping 660% according to Google. Even in Q4 2020, the increase was lower but still hefty: phishing was up more than 220%.
Cybercriminals used social engineering tricks and clever design to great effect in pulling off audacious impersonation scams in 2020, especially scams related to the COVID-19 pandemic. An abundance of data making its way to the dark web provided ample fuel for phishing. The FBI IC3 reports receiving received over 28,500 complaints about phishing scams related to COVID–19. Those phishing scams came in all sorts of shapes and sizes, and far too many people got caught.
Early in the pandemic, a flood of emails that claimed to contain important information about the virus and lockdowns from government entities battered business defenses, many carrying ransomware. One notable scheme involved spoofing emails from the World Health Organization. In these messages, bad actors would entice victims to download a map of COVID-19 transmission in their area in order to deliver malware like ransomware. In a similar scam, phisher men pretending to be representing John’s Hopkins University capitalized on the trustworthy reputation of the venerable school and the popularity of its live Coronavirus COVID-19 Global Cases map to send out “updates” that were actually ransomware.
We’ll show you how to spot security risks fast with employee profiling! SEE THE DEMO>>
Another variant of this type of phishing involves cybercriminals angling to snatch credentials through bogus websites. An estimated 4,300 malicious web domains related to COVID-19 relief were registered in just March 2020, and Google reported stopping 18 million suspicious COVID-19 related emails per day. One of the most popular phishing scams that impersonated or spoofed government entities was falsifying notices and communications about pandemic relief. Disasters are a common source of exploitation for cybercriminals and COVID-19 was no exception. The advent of COVID-19 relief checks in the US created a new avenue of attack for bad actors using phishing emails to drive traffic to credential-stealing websites.
Cybercriminals haven’t backed off of using this technique in 2021 either. The US IRS (Internal Revenue Service) released an official warning in early April 2021 to alert tax professionals about spoofing emails supposedly sent from “IRS Tax E-Filing” with the subject line “Verifying your EFIN before e-filing.” The U.S. Financial Industry Regulatory Authority (FINRA) was also forced to issue a regulatory notice in March 2021 warning brokers of an ongoing phishing campaign. Attackers using carefully faked messages based on FINRA templates with bogus but believable URLs were sending out fake compliance audit notices, spurring companies to react – and get their credentials stolen.
What’s next in phishing? Find out in the 2021 State of Email Security Report! GET IT NOW>>
How can you keep this type of cybercrime away from your business? With a strong cybersecurity culture that’s buttressed by the defensive power of Graphus. Unfortunately, more than 40% of office workers in a recent survey admitted that they regularly open suspicious messages to avoid missing something important. In the same survey, 40% of respondents didn’t report suspicious messages to IT to stay out of trouble. Employee email handling errors are one of the biggest cybersecurity risks any business faces. By building a culture that doesn’t punish asking for help and equipping your staff with the tools that they need to combat phishing, your business benefits from reduced risk for expensive pitfalls like ransomware attacks.
The three layers of protection that Graphus provides give your business the antiphishing support that gives you an edge. TrustGraph stops most phishing email before it ever hits an employee inbox. It’s also smart, so it collects its own threat intelligence to make sure that your protection is up to date immediately, not after some distant patch releases. You won’t miss new opportunities either. Messages that are from new sources that pass muster are equipped with the EmployeeShield banner, allowing recipients to mark them safe or suspicious with one click.
But your protection doesn’t stop there. It’s essential that staffers feel comfortable seeking guidance on tricky email questions, and they’re more likely to ask for assistance if they have immediate resources at hand to consult when they receive a suspicious email. Enter Phish911. Staffers can quarantine an email in a flash, keeping it out of everyone’s inbox until administrators can review it.
Stop fake government and official email from being a menace to your business with Graphus. Set up a consultation with our experts now to learn more and let’s get started on putting the AI power of Graphus to work for your organization right away.