Threat Intelligence: Awareness Training Reduces Unsafe Clicks Amid Coronavirus Cyber Threats
 

We highlighted these trends and issues in Mimecast’s Global Cyber Threat Intelligence briefing for April 21, 2020, the fifth interactive web session to help protect and provide guidance against new cyber threats arising from the COVID-19 pandemic and its disruptions.

New Evidence Shows Awareness Training Dramatically Strengthens Resilience

As coronavirus-related malicious cyber activity continues at an extraordinarily high level, new data demonstrates security awareness training dramatically improves companies’ ability to keep employees safe from cyberattacks.

Based on monitoring activity for customers who use Mimecast Secure Email Gateway, employees at companies that don’t use Mimecast’s security awareness training click on bad sites 5.2x as frequently as employees at companies that do use awareness training.

Furthermore, the number of unsafe clicks at companies that don’t use awareness training leapt roughly 80% from January to April 8th — while the number of unsafe clicks at companies that do use awareness training stayed roughly flat.

The increase in unsafe clicks at companies that don’t apply security awareness training speaks to hackers’ relentlessness and creativity, and the need for equally active countermeasures. More than ever, strong security awareness training is the best way to help prevent mistakes by the vast majority of employees who are working hard and trying to do what’s right.

High Volume of COVID-19 Spam Continues

The latest data on cybercriminals’ attempts to weaponize the COVID-19 public health crisis shows attackers continuing to apply increased pressure through spam: 11% to 16% of total spam remains COVID-19 related. Criminals have temporarily deemphasized weaponized documents and ransomware attacks in favor of spam and phishing that exploits individuals’ desperate need for timely information from local governments, CDC and WHO websites, and other authorities.

Malware attacks have remained stable, except for a spike in reports of one trojan that exclusively struck South Africa.

However, organizations should remain extremely vigilant against all types of attack. Hackers’ early success in monetizing COVID-19 threats suggests they may have funds useful to adapting and developing creative new attacks.

Spoofing the IRS to Victimize Taxpayers

The COVID-19 pandemic hit during the peak of U.S. income tax season. Millions of taxpayers needed up-to-date information about the federal government’s last-minute decision to delay tax due dates. Meanwhile, the U.S. Internal Revenue Service was also assigned the job of distributing payments to households suffering from the pandemic’s economic effects.

Attackers have been quick to take advantage of the millions of Americans searching online for information about taxes and the status of their Economic Impact Payments. According to Elad Schulman, Mimecast VP of Brand Protection, “We’ve seen heavy activity trying to lure people to fake websites like irscoronavirus.org, irusmypament.com, and irsonlinepayment.com – hundreds of sites have been registered in the last few days or weeks, quickly being stood up and taken down. Hackers are sending emails asking people to fill in personalized information, or asking for fees to expedite IRS payments, all obviously aimed at stealing from them. When criminals find an event like this, where people are expecting something, they know they can strike harder.”

Planning for a Phased Return to Work

While many employees have been working from home during the pandemic, organizations are now beginning to think about a phased return to the workplace. The post-pandemic environment will present new opportunities for hackers, and new challenges for defenders. Dr. Francis Gaffney, Mimecast Director of Threat Intelligence, discussed the need to respond to these challenges at every layer of security, encompassing hardware, software, people, process, and partners.

The COVID-19 crisis has changed the security dynamics at each of these layers. At the hardware level, there are increasing burglaries of server farms and other facilities. With fewer people at work, physical access hasn’t been protected as robustly. Security guards haven’t always been present, and in some cases, police have focused on other priorities.

As employees return, they may be more susceptible to letting intruders tailgate into company facilities by claiming they’ve lost ID cards: those stories may sound more plausible now. When working at home, employees may not have been thinking about password-protecting their screens or locking up their laptops overnight. Will they start again when they return to the office? Consider a refresher “back to work” security awareness training session to reinforce the cyber hygiene that employees may have let slip away during the pandemic.

Beyond hardware and people issues like these, Gaffney and other members of the Mimecast Global Threat Intelligence team identified multiple software, process, and partner-related concerns associated with returning to “normal” work. For example:

Software: Are software certifications still up-to-date, and has all software been patched? Have you been running duplicate systems where business-critical data isn’t backed up? Are you using operating systems that are no longer supported, or never were? Are you at greater risk from malware that rides into your network on employees’ home devices?

Process: At many organizations, the work-from-home culture has meant that more work is being accomplished entirely through computer-based tools like email and Slack. As a result, people may have become careless about following formal payment processes. This is particularly dangerous for people in accounts payable, who are often targeted by attackers trying to initiate fraudulent payments. Right now, they should be even more vigilant about picking up the phone to confirm wire transfer requests, and ensuring that they respond only to known and trusted contacts. As Carl Wearn, Mimecast’s Head of Risk & Resilience, E-Crime & Cyber Investigation, pointed out, hackers have become extremely sophisticated at sounding authentic in phone calls, and are also evading security by calling individuals on their personal mobile phones.

Partners: Even if you’ve been careful about restoring good security habits, what about your partners and customers? Attackers may exploit them to attack your organization. Moreover, some partners may have disappeared due to the financial impact of the pandemic. Hackers may realize that before you do, and impersonate them to steal payments or compromise systems.

The Bottom Line

Attackers continue to use coronavirus-themed spam to exploit users, and successful early attacks have given hackers the resources to innovate dangerous new exploits. They’re continuing to spoof health authorities like the CDC and WHO, and are finding new opportunities spoofing the IRS.

The good news is that security awareness training dramatically helps reduce the risks of unsafe behavior among employees. As you plan a phased return to the workplace, consider refreshing cyber awareness training as part of a layered security approach that focuses on hardware, software, people, process, and partners to secure all aspects of your environment.

Mimecast has developed a set of best-practice recommendations for securing a phased return to the workplace — from keeping people informed of changing threats, to reviewing partner access and banning forwarding of “return-to-work” messages. Check our Coronavirus Response Center for information about evolving cyber threats, how to better support employees working remotely, and other resources to help you and your organization. We’ll continue supporting you with monthly threat intelligence briefings going forward. Our next briefing is set for May 19th, followed by monthly webinars on June 16th, July 21st, and August 18th. Please join us – and help make our briefings more valuable by sharing your challenges and concerns.