m@ksim.pro

COVID phishing: how the threat landscape shifted in two months

A briefing for managers: how attackers are exploiting the pandemic and remote work, and what to do without panic.

In March and April 2020, several organisations monitoring cyber threats recorded a sharp rise in phishing attacks using COVID-19 as a theme. The messages impersonate notifications from government bodies, medical organisations, banks, and the WHO. Links lead to fake pages or malware downloads.

This is not a new technique. Attackers always use whatever is occupying people - major events, fears, expectations. A pandemic is an exceptionally convenient context: the topic is relevant to everyone, the information environment is changing fast, and people are stressed and less critical than usual.

What specifically changed

The bait themes. A few months ago a typical phishing email impersonated a parcel notification, a supplier invoice, or a bank message. Now the list includes: "official guidance" on COVID, links to "latest data" on the spread, emails purportedly from HR about remote work rules, "compensation" programmes from the government.

Targeted attacks on remote employees. The shift to remote work means that some communication has moved from corporate email to personal channels. An employee at home, in an unfamiliar environment, is less focused and more likely to click on something dubious than they would be in the office surrounded by colleagues.

Attacks on remote access infrastructure. VPN gateways and remote desktop systems have become a priority target for credential-stuffing attacks. Companies that have not enabled MFA are at considerably higher risk.

Fraudulent websites. Domain registrations containing keywords like "covid", "coronavirus", "mask" increased sharply. Most are fraudulent platforms or phishing pages.
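
One way a defender could surface such themed domains in proxy or mail-gateway logs, as an added example that is not from the original post. The keywords are the ones named above; the allowlist, the digit-substitution table and the sample hostnames are constructed assumptions.

```python
import re

# Keywords named in the post; everything else here is constructed.
KEYWORDS = ("covid", "coronavirus", "mask")
ALLOWLIST = {"who.int", "intranet.example"}  # assumed trusted domains

# Undo common digit-for-letter swaps before keyword matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})

# Constructed sample of hostnames/URLs as they might appear in a log.
SAMPLE_HOSTS = [
    "https://covid19.who.int/data",
    "c0vid-relief.example",
    "HTTP://Corona-Virus-Test.example:8080/login",
    "https://who.int@free-m4sk.example/",  # trusted name in userinfo only
    "mail.intranet.example",
    "",
]


def normalise(raw: str) -> str:
    """Reduce a URL or hostname to a bare lower-case hostname."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", raw.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host.rstrip(".")


def is_allowlisted(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def flag_themed(hosts):
    """Return (hostname, matched keyword) pairs for manual review."""
    hits = []
    for raw in hosts:
        host = normalise(raw)
        if not host or is_allowlisted(host):
            continue
        folded = host.translate(LEET).replace("-", "")
        match = next((kw for kw in KEYWORDS if kw in folded), None)
        if match:
            hits.append((host, match))
    return hits


if __name__ == "__main__":
    for host, kw in flag_themed(SAMPLE_HOSTS):
        print(f"review: {host} (keyword: {kw})")
```

A keyword match is only a reason to look at the domain, since ordinary words can contain "mask" and legitimate services use these terms too.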

Why traditional measures work less well

In the office there are several natural barriers: a colleague nearby to show a suspicious email to, a corporate device with managed security settings, and a shared information environment that reduces the effectiveness of some lures.

In remote work, none of that is present. On top of that, many employees are working from personal devices with no corporate security controls.

What to do in practice

A few measures that work without complex technical implementation:

A short warning to employees. A simple email or message: phishing attacks using the COVID theme are currently active. Signs of a suspicious message: a request to follow a link, download a file, or enter credentials. What to do: contact IT or ignore it. This takes minutes and works.

Check MFA on external entry points: VPN, corporate email, remote access systems. If there is no MFA, this is a first-order priority.

Remind people about updates. Many attacks exploit vulnerabilities in browsers and operating systems that already have patches. On personal devices, updates are often postponed.

Create a simple channel for doubts. When an employee receives a suspicious message, where do they turn? If there is no answer, they either ignore it or decide to click on their own. There needs to be an obvious address or chat.

The threats in this period are real, but manageable. The goal is not to create panic, but to give people concrete reference points.
