Phishing attacks increase as hackers take advantage of pandemic

A new report has found that 70% of organizations have seen increased phishing attacks since the pandemic began.

According to Sophos’ Phishing Insights 2021, all sectors were affected, with central government experiencing the highest increase (77%), closely followed by business and professional services (76%) and health care (73%).

The report said the small variation between sectors – just 10 percentage points before rounding – affirmed that adversaries are “often indiscriminate and will try to reach as many people as they can to increase their likelihood of success.”

The survey also found that 98% of organizations had their phishing awareness program in place before COVID-19 hit. The most popular approach was computer-based training at 58%. Over half (53%) used human-led training, and 43% ran phishing simulations. A small portion (16%) of organizations combined all three techniques – computer-based training, human-led training and phishing simulations – in their awareness programs

However, the government sector lags in running cyber security awareness programs to address phishing, with the two bottom spots taken by local government (69%) and central government (83%). The report’s authors were concerned over this as government organizations are frequent targets for high-impact cyber attacks.

“Central government is most likely to experience extortion-style ransomware attacks, while local government is most likely to have their data encrypted in a ransomware attack,” the reports said.

Chester Wisniewski, principal research scientist at Sophos, said that one of the reasons for phishing attack success is its ability to continuously evolve and diversify, tailoring attacks to topical issues or concerns, such as the pandemic, and playing on human emotions and trust.

“The temptation for organizations can be to see phishing attacks as a relatively low-level threat, but that underestimates their power. Phishing is often the first step in a complex, multi-stage attack,” Wisniewski said. “Attackers frequently use phishing emails to trick users into installing malware or sharing credentials that provide access to the corporate network.”

He added that the ideal situation would be to prevent phishing emails from ever reaching their intended recipient.

“Effective email security solutions can go a long way towards achieving this, but this should be complemented by alert and primed employees who are able to spot and report suspicious messages before they get any further,” said Wisniewski.