Targeted Spear-Phishing on the Rise

The pandemic has presented many challenges for cybersecurity, especially COVID-19-related phishing attempts targeting employees working from home. However, security experts speaking at the Exabeam Spotlight20 virtual conference warned of an increase in spear-phishing and account takeover attacks.

“After we closed, which was mid-March, it was initially pretty quiet, but in the beginning of April we saw a strong uptick in spam and spearphishing, very targeted phishing attacks that we’ve never seen before,” said Michael St. Vincent, CISO at The Cosmopolitan of Las Vegas.

While his team was prepared for the rise in phishing attacks and was able to warn the targeted individuals about what was happening, St. Vincent said the shift to targeted spear-phishing in the wake of coronavirus and the shutdowns was dramatic.

It isn’t uncommon to see spear-phishing emails go to the CEO or the CFO with specific financial requests, for example, but in this case, those requests were coming from specific and legitimate-looking emails from department heads with well-crafted messages.

Tyler Warren, director of IT security at Prologis, saw a similar increase in spam and spear-phishing emails around the same time frame. The spam COVID-19 messaging was typical spam, he said, poorly written and sent to anyone, but he, too, saw the more specific, well-crafted spear-phishing.

The Use of Breached Accounts

What makes these spear-phishing attacks more dangerous than other phishing attacks? It’s because of the way attackers are sending the email: They are using the accounts of customers and vendors who have been the victims of a data breach. And they are using those accounts, said Warren, to request things such as invoice payments or to change payments to a new bank account.

“We’re used to seeing those types of emails because we have customers around the world,” he noted, which makes the spear-phishing emails using legitimate email accounts more difficult to discern.

This has created a cascade effect in phishing attacks. The weaker links—those who follow the directions in a less sophisticated phishing email—have already done their job for the hackers. That’s produced a new type of third-party risk, wherein the compromised accounts are known to the user and the messages sent from them are designed to appear as legitimate business requests. This changes the way security teams have to respond.

Verify Everything

“This is a very heavy third-party risk,” said Warren. You train your employees for phishing scams and what they should look for, but this type of email looks and sounds as though it is coming from a trusted source.

As painstaking as it may sound, the sophistication of these spear-phishing emails means that workers need to verify everything before they follow through on the request. And that means a phone call to the “sender,” Warren advised, because an email verification will simply go back to the cybercriminal, who of course will say yes, they are the real person and this is a real request.

When working in the office, employees could easily reach out to the security and IT teams to verify phishing emails, even if only by forwarding that email to the team. But people who are working remotely have a different mindset; they may feel like they don’t have the same sort of security or IT support.

As the shift from onsite to remote work happened, leadership was concerned about how security and IT teams would approach defending networks and devices. St. Vincent’s advice to his leadership was to just keep to the processes that were already in place. If something seemed unusual—or “phishy”—he wanted employees to reach out to the security team and let them know.

“We didn’t know what was going to happen,” St. Vincent said. This massive work-from-home effort was a new experience for everyone, after all. “Spam—we figured that would happen, and it did, although a lot more than we expected.” Plus, it was different than expected, coming as extremely well-targeted and crafted spear-phishing.

This spear-phishing has reshaped the third-party risk at a time when employees may be letting their guard down when it comes to phishing awareness. Security teams now need to be more aware of data breaches involving regular clients and vendors and be on the lookout for attempts to use this type of account takeover for threat actors’ financial gain.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
