No rest for the wicked – at least not for attackers. The recent outbreak of the global pandemic, COVID-19, once again made attackers act fast. Social engineers have been utilizing uncertainty and fear in phishing campaigns to spread malicious software and steal data.
According to Infosecurity Magazine, phishing emails went up by 667% since the end of February. The most common phishing attacks have been scams such as brand impersonation, blackmail, and business email compromise (BEC).

In this article, we want to share some of the attacks that our social engineering, content, and threat analyst teams have discovered. We will show you the messages and what is ‘special’ about them.

We understand that not all companies have a phishing training provider developing COVID-19 simulations for them. As an extra, we decided to give you a few examples and best practices on how to create your own COVID-19 related phishing simulation campaign. We truly hope that some of you find it useful.
The example below mimics a plain voicemail notification. The subject line is ‘Important COVID-19 Update.’
Due to the current situation, most organizations have been communicating with their employees about the crisis, and social engineers are exploiting this. They try to get unsuspecting employees to click on a link that leads to a fake login page, where the victims type in their credentials.
The message below is a classic 419 advance-fee scam. If you are unfamiliar with this type of threat, the FBI explains ‘419’ fraud here.
This phishing email impersonates the WHO, posing as the authoritative source of official guidance, to lend credibility to a false message.
This message plays on natural curiosity by exploiting the rapidly growing number of new COVID-19 cases.
The message asks the recipient to read more. When the recipient clicks the link, he or she is taken to a download page or a fake login page.
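As an added illustration (not from the original post and not Hoxhunt's product code), the following Python sketch turns the lures described above into simple mail-screening indicators: a COVID-19 subject or body hook, a WHO claim with a sender domain that is not the WHO's, a voicemail theme, an advance-fee story, and a link that looks like a credential page. The trusted-domain allowlist, all sample addresses and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHORITY_DOMAINS = {"who.int"}   # assumed allowlist; example value only
URL_RE = re.compile(r"https?://[^\s<>\"']+")
CRED_PATH_RE = re.compile(r"login|signin|owa|verify|account", re.I)

# Constructed single-part messages modelled on the lures described above; not real mail.
SAMPLES = {
    "voicemail": "From: Voicemail <alerts@vm-notify.example>\nSubject: Important COVID-19 Update\n\n"
                 "You have a new voice message. Listen: http://vm-notify.example/owa/login\n",
    "who": "From: World Health Organization <info@who-updates.example>\nSubject: Coronavirus safety measures\n\n"
           "WHO recommends these measures. Read more: http://who-updates.example/account\n",
    "419": "From: Dr. Adams <adams@mail.example>\nSubject: Urgent COVID-19 fund transfer\n\n"
           "A deceased client left $4,500,000 with no next of kin. As beneficiary you share 40%.\n",
    "benign": "From: IT Helpdesk <helpdesk@corp.example>\nSubject: Printer maintenance Friday\n\n"
              "The third-floor printer will be offline Friday morning.\n",
}

def assess(raw):
    """Return the lure indicators found in one raw RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    payload = msg.get_payload(decode=True)            # bytes for single-part mail
    body = payload.decode(errors="replace") if payload else ""
    original = f"{display}\n{msg.get('Subject', '')}\n{body}"
    text = original.lower()
    found = []
    if re.search(r"covid|coronavirus|pandemic", text):
        found.append("covid_lure")
    # Claims to be the WHO while the sender domain is not on the allowlist.
    if (re.search(r"\bWHO\b", original) or "world health organi" in text) \
            and sender_domain not in TRUSTED_AUTHORITY_DOMAINS:
        found.append("authority_impersonation")
    if re.search(r"voice ?(mail|message)", text):
        found.append("voicemail_theme")
    # 419 / advance-fee: money plus an inheritance or beneficiary story.
    if re.search(r"\$\s?\d|\busd\b|transfer|fund", text) and \
            re.search(r"deceas|inheritan|beneficiar|next of kin", text):
        found.append("advance_fee")
    if re.search(r"read more|new cases", text):
        found.append("curiosity_hook")
    if any(CRED_PATH_RE.search(u) for u in URL_RE.findall(body)):  # login-looking link
        found.append("credential_link")
    return found

def score_all():
    return {name: assess(raw) for name, raw in SAMPLES.items()}
```

Two or more indicators on one message is a reasonable threshold for routing it to a human reviewer; a single hit (for example only a COVID-19 keyword) is too common in legitimate internal mail to act on alone.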
If you have been responsible for developing phishing simulations for your organization and you are looking to create templates regarding COVID-19, we want to help you.

We understand that it can be an overwhelming task to quickly react and create simulations that are relevant and believable. This is why we wanted to give you some tips on how to do that.

Our customers have already been using COVID-19 simulations thanks to our fully automated solution, which uses AI and ML to ensure that employees get the latest threats and can learn from them.

Now, you get some great insider tips on creating an internal phishing simulation campaign regarding COVID-19.
In these exceptional times, communicating within your organization is more important than ever before. Your friends and colleagues are both stressed and concerned, especially when the situation is constantly changing. You may have a crisis team or your regular internal communication team working full days every day to ensure that you communicate the correct information regarding policies and guidelines with all the relevant stakeholders.
This is why it’s extremely important to align your internal guidelines with your phishing training around COVID-19-based attacks. Include details about relevant information sources in your training, and align it with your internal communication and support teams so that all questions regarding COVID-19 policies and phishing campaigns are answered consistently.
In addition to this, it’s extremely important that your users are aware of the upcoming phishing training campaigns around COVID-19 in your organization and that you explain to them why you conduct these campaigns. As cybersecurity professionals, we want to keep everyone safe and make people feel safe, which is why communication is extremely important in a time of uncertainty.
Remember: Communicate, communicate, and communicate!
What are the things you want your recipients to learn? This question should be driving you when you are developing your COVID-19 phishing campaign.

Draft your template(s) and the learning material(s) around these goals. If you can, use a real-world phishing example as a base (see our examples above), and work out your learning goals from there.
Adapt your goals to your audience! Don’t make them too difficult for beginners, and don’t make them too easy for seasoned professionals.

Think about these examples:
Don’t put too much information in one template! Three good learning indicators are often plenty for one template. More than that, and you risk overwhelming your users. Fewer than that, and the impact may suffer from a lack of context.
Remember: Clarity is key. When you know what your goal is, it’s easier to share it forward.
Hoxhunt is constantly monitoring the latest phishing attacks reported by our customers. Our content team is creating the latest training materials based on real-world examples. Our training includes the most common COVID-19 phishing attacks and customized training material based on real-world attacks. Your users will learn from the latest attacks, strengthening the cyber defense of your organization!
Want to learn more about our latest COVID-19 training content? Reach out to your Hoxhunt Customer Success Manager or turn to our sales team. We are happy to help and share more with you.