The ancient military strategist Sun-Tzu wrote that “in the midst of chaos, there is also opportunity.” He was referring to the ability to point your opponent toward the direction of your choosing. Cybercriminals have taken this philosophy to heart: They use the personal and organizational disorder brought on by the COVID-19 pandemic trauma associated with lockdowns and business uncertainty to facilitate their attacks.
Mental health professionals are studying the emotional impact associated with pandemic fears, economic uncertainty and strained personal relationships. It is anticipated that the COVID-19 pandemic will inflict long-lasting psychological trauma. In these difficult times, people are spending much more time online, searching for answers and often becoming susceptible to conspiracy theories, viral video, and fraudulent sites.
Cybercriminals understand human nature and that uncertainty and doubt offers them an opening to exploit people and organizations for financial gain. Point3 Security’s VP of Strategy Chloé Messdaghi noted many cyber outlaws don’t just hack computers, they hack people. “They exploit our fears using an emotional exploit called ‘Amygdala Hijacking,’ which is when a strong negative emotion causes an individual to lose the ability to think rationally,” she said, noting attackers are using the current pandemic to trigger our anger and fears simultaneously to trick us into trusting their message and malicious links.
Attacks Are Increasing
Numerous surveys and reports confirm that cyberattacks have spiked during the first half of 2020. In April, the FBI’s Internet Crime Complaint Center (IC3) reported that cyberattack complaints had increased by a factor of four. By mid-June, the IC3 had received as many complaints as it had in all of 2019.
Two additional surveys reaffirm that pandemic-inspired cybercrime has risen. The Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) reported that 63% of respondents to their survey have seen an increase in attack activity. Exabeam, in cooperation with Censuswide, found that 80% of the small and medium sized companies questioned saw “slightly to considerably more” cyberattack attempts.
“Leveraging a major event is an old technique for attackers,” said Saryu Nayyar, CEO of cybersecurity and fraud analytics company Gurucul. “The pandemic is a useful hook that increases attack success rates.”
Criminal Pandemic Bag o’ Tricks
Cyber brigands have many malicious tools available to them and they are deploying them all. They exploit people’s insecurities, fears, frustrations and even naivety brought on by the pandemic environment. Criminals have weaponized the pandemic by creating email campaigns that purport to contain valuable virus information such as pandemic maps. Phishing emails are designed to get people to inadvertently download malware including ransomware. Scammers also appeal to people’s willingness to help by soliciting donations for healthcare organizations and charities that do not exist. In April, Google was seeing 18 million phishing and scam emails related to the pandemic every day.
“False flag” websites are also a common attack vector. According to Palo Alto Networks, close to 100,000 of the million new websites with keywords related to the crisis are potentially malicious. Fake websites are optimized to appeal to people searching for virus-related information and are sophisticated enough to fool some firewalls.
How We Should Respond
Attackers exploiting pandemic trauma can be thwarted. The criminal element uses human nature against people, so countermeasures can’t be solely technological and must include individual action. Many of the techniques we are familiar with can mitigate email-based attacks, as Nayyar pointed out, “We have to be even more cautious than usual and recognize when our own situation may be playing into an attacker’s hands.”
Point3 Security’s Messdaghi recommends that people take a step back and don’t respond immediately. Instead, take the time to be sure that an email or website is legitimate. “Attackers’ phishing messages push for an immediate response, but we counsel that if a supposed work email comes in after hours, it’s best not to respond.”
There are many mitigating activities people can take, but the key is to be aware of your environment and to maintain a level of skepticism. Be careful when clicking on any links. Try not to conduct important tasks when tired or not fully alert.
Zero Trust is a security model in which no one is trusted by default; verification is required. This strategy can also work for individuals. Employees need to adopt a similar zero-trust mindset in which they reach out to people when there is a questionable solicitation. Although many are working remotely, it is still important to contact colleagues by another means (text, phone, business collaboration tool or social media) to confirm the legitimacy of a request. It may take a little extra time but the benefits are worth it: You are thwarting attackers. Also when the request is valid, the act of checking the legitimacy provides an outlet to engage with co-workers, customers, friends and family.
Finally, if you have a need to help, don’t look online. Instead, seek out local organizations or businesses.
This is a very stressful time. It is important not to become a victim of pandemic trauma-based cyberattacks.