As the COVID-19 vaccine roll-out plods forward, every week brings a few more drops of information about vaccination schedules, locations or eligibility. We wait for our turn to roll up our sleeves, get jabbed in the arm, and get on with our lives. The tension is palpable, and email scammers and criminals have taken notice.
Preying on our collective anxiety, cyber-criminals have updated the lures they use to phish their vulnerable targets successfully. These lures include enticing promises of special offers to skip the vaccination priority line and confidential data about clinics with nearly expired doses eager to vaccinate anyone who wanders in at just the right moment. Desperate for anything, even vigilant employees are easily tricked into sharing credentials or downloading malicious software onto their laptops.
IT and security teams rely on tried and tested phishing training software to tackle this problem. This software simulates fraudulent emails and flags the recipient for additional training when they take the bait. But companies who have successfully relied on this style of training for years are suddenly reeling from the backlash from outraged end-users, who call into question the ethics and morality of intentionally spreading misinformation about vaccinations.
These simulations damage the relationship between the security team members and employees. Do this enough, and attackers will enjoy increased mobility as they exploit the wedge between these groups.
In September, just as US coronavirus deaths reached 200,000, Tribune Publishing (the publishing arm of the Chicago Tribune, among others) sent a phishing simulation that promised staff a $5,000-$10,000 bonus as a thank-you. Baltimore Sun crime and courts reporter Justin Fenton, who received such an email, was one of several disgruntled employees who put the company on blast, tweeting: “After slashing our staff, closing newsrooms, furloughing reporters and cutting pay during a pandemic, @tribpub thought a neat lil way to test our susceptibility to phishing was to send a spoof email announcing large bonuses. Fire everyone involved.”
To address this problem, organizations should consider the following techniques to help blunt these attacks without the cultural fall-out.
1. Announce Before Testing (or Skip the Test Entirely)
Warning employees in advance about phishing simulations improves their effectiveness; the simulation then serves as the final test at the end of what should be a comprehensive education effort.
2. Fill The Information Gap
Phishing lures are so effective because they exploit the confusion created by the absence of adequate information. Provide employees with officially sourced information in the venues they use every day (Slack, email, and other internal collaboration software), and consider creating spaces for discussion between employees.
3. Incentivize Staff to Report Security Issues and Follow-up
To obtain the most benefit, teams should look for ways to increase the bandwidth and quality of employee reporting through incentives. Even without a financial incentive, creating spaces where employees can report concerning security issues, and then giving those reports attention and prompt follow-up, will break down many of the adversarial barriers that naturally form between these parties.
Criminals will continue to make hay with misinformation campaigns that target vulnerable employees. Instead of reaching for simulation-based training as the first step, organizations should embrace more direct and effective means of combatting these threats and focus on building a relationship of honesty, transparency and collaboration between end-users and security staff.