If the internet is to be believed, up to 10% of the world’s population are in quarantine, or at least in lockdown, to prevent the spread of the coronavirus. That’s a few hundred in the US, the same in Europe, a few thousand in a ship off the coast of Japan, oh and about 760 million people in China!
On the face of it, that’s quite scary. Were that not enough, there is an army of people churning out misinformation, disinformation and outright scams for their own pleasure or profit, as happens with most other natural disasters, disease outbreaks, famines or concerning global happenings.
Take these examples that are happening right now:
- The pharma company that is just about to release the cure/vaccine for coronavirus – buy the stock now before the price goes through the roof!
- The texts offering free masks or saying deliveries had been delayed, in the hope of getting private information.
- And possibly most brazenly, the email supposedly from the CDC asking for donations in Bitcoin to fund the public health response.
So far, so insidious. But the same tactics that are tricking ordinary people out of their own money and login details are a threat to your organisation as well, like these:
- Emails purporting to be from the CDC or WHO that direct users to pages where they need to enter login credentials to continue, or simply ask the user to open an attached file, which then delivers its payload.
- The extremely damaging Emotet trojan that has been circulating in Japan in emails looking like official notifications from public health centers.
- Scammers sending fake internal emails supposedly from the company president with the ‘official’ company Coronavirus advice attached.
In a report cited by ZDNET.com, while 96% of respondents knew about phishing, only 5% were able to identify all types of phishing scams, and according to the Verizon 2019 Data Breach Investigations Report, C-Level executives are 12x more likely to be the target in social engineering attacks than other employees.
Phishing attacks can lead to identity theft, malware attacks, data breaches and business email compromise, and the financial and reputational cost of these can be ruinous to a company’s earnings.
Protection from phishing attacks does not lie only in software solutions. Good security policy is the start, and that comes from thorough analysis of the internal environment and external threats. However, a policy unread or ignored is little more than useless. Security awareness training and then regular testing are the key to ensuring that every employee from the CEO down doesn’t fall prey to the scammers.
People want information to protect themselves or help others, or maybe make a few dollars out of a crisis, and in these times of high alert, employees are more likely to disregard normal security procedure.
Contact the experts at TBG Security to discuss how they can help with every aspect of phishing and business email compromise prevention, creating effective security policy and even full Red Team testing, including the all-important social engineering.