We’ve all heard that COVID-19 phishing scams have seen a sharp uptick in the past few months. That fact itself may not be surprising, considering cyber criminals ramp up their activity anytime major events happen.
However, the actual statistics behind the frequency of recent phishing attacks are jaw-dropping.
Here are just a few fast facts:
- Security Magazine reported a 667 percent increase in COVID-19-related spear phishing attacks from February to March 2020.
- One cyber security company detected a total of 427,825 phishing email attacks between March 1 and March 23.
- Google reportedly blocked 18 million COVID-19-related phishing emails during the week of Apr. 13-17.
So what do these stats mean to your business? They mean that your organization needs to implement comprehensive, ongoing cyber security awareness training, including phishing email simulations.
What are phishing emails?
Phishing is an attempt to obtain sensitive information or network access through a fraudulent email. Cyber criminals will use this tactic to gain personally identifiable information, credentials or other important information using deceit and urgency. These messages play on fear, uncertainty and doubt to get users to click malicious links.
In the context of COVID-19, phishing is an especially dangerous threat, and it is vital that your employees know what to look for in order to spot phishing attempts.
Importance of cyber security training
In today's world, threats are not only increasing in number, they are also changing every day. Endpoint protection, firewalls and email filtering are only the start of your journey toward a sound IT security setup.
Your security stack, when configured appropriately, creates a strong barrier around your organization's data, but there is still one exposure you may not have accounted for: your employees. People are the most common entry point for attackers; industry estimates commonly attribute 90 to 95 percent of all cyber attacks to human error.
Your employees can unknowingly visit malicious websites, use weak or reused passwords or fall victim to sophisticated, socially engineered phishing attacks. It only takes one click or one incorrectly authorized money transfer to cost your business thousands of dollars and hours of downtime.
Why phishing tests are an important part of a business’s cyber security awareness training
91 percent of cyber attacks begin with a spear phishing email, so it’s vital that you continuously cover this threat vector.
Phishing simulations help arm your business against these attacks by training your employees on what to look for in phishing emails.
And you do need to be sending out email phishing simulations right now. Cyber criminals aren’t slowing down, so you shouldn’t grow lax when it comes to training your staff either.
Times are uncertain, and your employees are already stressed
When conducting email phishing simulations, your goal is to educate end users who may need training to identify phishing or spoofed messages. It should not be to add extra work to their plate. By taking advantage of a simple simulation platform and accompanying training, you will be on your way to improving employees' skills and securing your business.
It is understandable that you, as a small business owner, are concerned about the security of your IT systems, and you should be. Just settle on your strategy, metrics and plan, and put these in place before starting a simulation program. Then consider the following tips to successfully conduct simulations during the COVID-19 pandemic.
1. Use an appropriate tone to suit the context
The tone of your messaging should not instill additional fear or anxiety, so if you believe that the coronavirus messaging is inappropriate, there are plenty of other phishing email simulations you could send, such as:
- Delivery updates
- Updating or confirming account information
- HR or other company announcements
- Holiday coupons
The list is endless, and the templates available from organizations that specialize in phishing tests are customizable to suit your needs.
However, if you are going to phish test your employees with COVID-19-specific simulations, use care in crafting your emails. KnowBe4, a company that provides phishing simulation services, suggests using an entire educational campaign that explains the situation, outlines expectations, and provides additional edification on the subject, should users click on a “malicious” link.
For instance, one idea is to send out a COVID-19 simulation, perhaps an email from a company leader or executive detailing the company’s response to COVID-19.
It is something an employee may be more likely to click on. If they do, the post-click page should further educate that user: explain that this was only a test, that cyber criminals are exploiting the fear, uncertainty and doubt around the coronavirus, and that users need to stay vigilant and skeptical of every email they receive. The message educates the employee about the ongoing situation so that the same click does not happen on a real phishing email.
2. Determine an adequate process for your simulation and training
Follow these suggestions to provide more effective email simulations:
- Provide timely and ongoing updates about the state of the situation, particularly how cyber criminals have been using current affairs to target people’s anxieties and uncertainties.
- Announce that employees will be required to complete awareness training, including video modules and other necessary components.
- Send out phishing tests in the same period. A higher frequency of simulations is fine, but always be aware of the tone you are using. Do not announce the individual tests or their timing, as this puts employees on high alert and skews the results.
- Remind your users to be skeptical and to maintain constant vigilance— do so regularly and encouragingly.
(checklist derived from this KnowBe4 article)
Remember these signs and avoid costly mistakes
Phishing emails, especially those focusing on COVID-19, will continue to plague our inboxes, but by knowing what to look for and what to avoid, you can greatly reduce your organization's exposure to these attacks.
Signs that an email might be a phish:
- Misspellings and poor grammar
- A sense of urgency or requests that cause you to act hastily
- Information requests you never instigated
- Suspicious links in the body of the email (link text that names one site while the actual destination is another, or a bare IP address), or sender and reply-to addresses that do not match the organization they claim to be from
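The last three signs can be checked mechanically before a user ever clicks. The following script is an added example, not code from the original page or from any simulation vendor: it parses a raw message with Python's standard `email` library and flags a reply-to domain that differs from the sender's, urgency language, links whose visible text names a different host than the real destination, and links to bare IP addresses. Both sample messages are constructed for this illustration and use reserved example domains and the 192.0.2.0/24 documentation range; the urgency word list and the two-hit threshold are assumptions a real deployment would tune.

```python
"""Heuristic checks for the phishing signs above, run over constructed samples.
Added example; not the original page's code and not any vendor's product."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a COVID-19-themed phish. Not a real message.
SAMPLE_PHISH = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@example-corp-secure.net
To: alice@example-corp.com
Subject: URGENT: Confirm your account to keep remote access
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to the COVID-19 situation you must verify your account immediately
or remote access will be suspended within 24 hours.</p>
<p><a href="http://192.0.2.10/login">https://portal.example-corp.com/login</a></p>
</body></html>
"""

# Constructed sample: a legitimate internal notice, used to show no false positive.
SAMPLE_CLEAN = """\
From: "Payroll" <payroll@example-corp.com>
To: alice@example-corp.com
Subject: March payslip available
Content-Type: text/html; charset="utf-8"

<p>Your payslip for March is available at
<a href="https://hr.example-corp.com/payslips">hr.example-corp.com/payslips</a>.</p>
"""

# Assumed word list; a real deployment would tune this.
URGENCY_WORDS = {"urgent", "immediately", "suspended", "within 24 hours", "verify"}
DOMAINISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Domain part of an email address, lowercased."""
    return address.rsplit("@", 1)[-1].lower()


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no sign fired."""
    msg = message_from_string(raw)
    findings = []

    # Sign: reply-to points somewhere other than the apparent sender's domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to domain {domain_of(reply_addr)} differs from sender {domain_of(from_addr)}")

    # Collect every text/* part (handles both single-part and multipart messages).
    body = ""
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")

    # Sign: urgency. Require two distinct hits so one ordinary word does not fire alone.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in text)
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))

    # Sign: suspicious links. Compare the host the user sees with the host they would reach.
    parser = LinkExtractor()
    parser.feed(body)
    for href, shown_text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if BARE_IPV4.fullmatch(host):
            findings.append(f"link points at a bare IP address: {href}")
        if DOMAINISH.fullmatch(shown_text):
            shown = urlparse(shown_text if "://" in shown_text else "http://" + shown_text).hostname
            if shown and shown.lower() != host:
                findings.append(f"link text shows {shown} but goes to {host}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyze(sample) or ["no findings"])
```

These are heuristics, not a verdict: a legitimate notice from an external HR provider will trip the reply-to check, and a phish that copies a real template will pass the spelling and grammar test. The value of running such checks is in surfacing the concrete mismatch (seen host versus real host, sender versus reply-to) so that the user, or the post-click training page in a simulation, can point at exactly what gave the message away.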
Start training your employees with phishing email simulations today
It is important that your staff are prepared for working in today's digital world, especially now that much of the workforce does business from home.
CoreTech provides quick implementation of phishing simulation services, so you can find out how your organization is performing today. Contact us to learn more.