It's well known in the IT world that when crisis hits, hackers tend to leverage that disruption to their advantage—and the new coronavirus pandemic has been no exception.
An analysis from cybersecurity company Barracuda Networks found that phishing scams tailored to the pandemic jumped 667% between February and March. In fact, between March 1 and March 23, Barracuda detected 9,116 phishing attacks related to Covid-19, representing about 2% of all phishing attacks detected during that time period. While that percentage may seem small, the data indicated that Covid-19-tailored attacks were on the rise—and a recent warning from FBI, HHS, and the Cybersecurity and Infrastructure Security Agency (CISA) suggests that those types of attacks remain, and will continue to be, a key threat for health care organizations moving forward.
Not only are these phishing attacks increasing in number, but they're also increasingly sophisticated. Hackers today rarely include odd spelling or strange requests that put recipients on guard. Instead, today's phishing emails are designed to feel personal, as if they came from a colleague or boss, and are structured to evoke a sense of urgency, so that recipients respond quickly and without much thought. Amid the new coronavirus pandemic, hackers have taken advantage of the confusion around supply chain shortages, public health updates from the World Health Organization (WHO), and daily business communications.
7 Covid-19 subject lines to look out for
In April, FBI's Cyber Division issued a Flash alert highlighting some of the most common subject lines being used in Covid-19 phishing attacks targeting health care providers:
- "PURCHASE ORDER PVT"
- "COVID-19 UPDATE!!"
- "Information about COVID-19 in the United States"
- "Coronavirus (COVID-19)"
- "Business Contingency alert – COVID-19"
- "Todays Update on COVID-19"
- "World Health Organization/Let's fight Corona Virus together"
Notably, the email subject lines FBI highlighted play on providers' need to stay up to date on Covid-19 news. And in addition to leveraging subject lines, hackers have been relying heavily on email impersonation, making it appear as if the email is from prominent organizations such as WHO or CDC, according to Barracuda.
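The two tells described above, a subject line from the FBI list and a display name that claims WHO or CDC while the actual sending domain belongs to someone else, are mechanical enough to check in a mail gateway or a SOC triage script. The following is an added example, not code from the article or from Barracuda or the FBI; the sample messages are constructed, and the mapping of brand names to legitimate sending domains (who.int, cdc.gov) is an assumption that a deployment would replace with its own allow list.

```python
"""
Added example (not from the original article): a small triage filter that
scores raw email messages against the FBI-published Covid-19 subject lines
and flags sender impersonation of WHO/CDC. Sample messages are constructed;
the legitimate-domain list is an assumption to be replaced per deployment.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Subject lines from the FBI Flash alert quoted in the article, lower-cased for matching.
FBI_SUBJECTS = {
    "purchase order pvt",
    "covid-19 update!!",
    "information about covid-19 in the united states",
    "coronavirus (covid-19)",
    "business contingency alert – covid-19",
    "todays update on covid-19",
    "world health organization/let's fight corona virus together",
}

# Assumed mapping of impersonated brands to the domains that legitimately send mail for them.
BRAND_DOMAINS = {
    "world health organization": {"who.int"},
    "who": {"who.int"},
    "cdc": {"cdc.gov"},
    "centers for disease control": {"cdc.gov"},
}


def normalise(text):
    """Collapse whitespace and case so cosmetic variations of a subject still match."""
    return re.sub(r"\s+", " ", text or "").strip().lower()


def sender_domain(header_value):
    """Return (display_name, domain) from a From:/Reply-To: value such as 'WHO <x@evil.example>'."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return normalise(name), domain


def impersonated_brand(display_name, domain):
    """Return the brand name if the display name claims a brand but the domain is not a legitimate sender for it."""
    for brand, domains in BRAND_DOMAINS.items():
        # Match the brand as a whole word or phrase inside the display name.
        if re.search(r"\b" + re.escape(brand) + r"\b", display_name):
            if domain not in domains and not any(domain.endswith("." + d) for d in domains):
                return brand
    return None


def triage(raw_message):
    """Return human-readable reasons the message deserves a closer look (empty list if none)."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = normalise(msg.get("Subject"))
    if subject in FBI_SUBJECTS:
        reasons.append(f"subject matches FBI Covid-19 phishing list: {subject!r}")
    name, domain = sender_domain(msg.get("From"))
    brand = impersonated_brand(name, domain)
    if brand:
        reasons.append(f"display name claims {brand!r} but sender domain is {domain!r}")
    # A Reply-To pointing somewhere other than the From domain is a common redirection tell.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_domain = sender_domain(reply_to)
        if reply_domain and reply_domain != domain:
            reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {domain!r}")
    return reasons


# Constructed sample messages (not real mail).
SPOOFED = """From: World Health Organization <alerts@who-updates.example>
Reply-To: collect@mailbox.example
Subject: COVID-19 UPDATE!!

Please open the attached guidance immediately.
"""

LEGIT = """From: WHO Newsletter <newsletter@who.int>
Subject: Weekly epidemiological update

Routine bulletin.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

The subject match is deliberately exact after normalisation, so it catches reuse of the published lures without generating noise on every message that mentions Covid-19; the impersonation check is the higher-value signal, since it works regardless of the subject text. In a real gateway, the domain allow list would be fed from DMARC-aligned senders rather than hard-coded.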
3 ways to keep your organization safe
While health care organizations should always protect patient information and PHI against hackers, the need to defend yourself—and your organization—is even greater during the pandemic. Technology can definitely help reduce the risk of a successful phishing attack, and organizations absolutely should consider investing in or updating existing antivirus software, email filters, and blacklisting and whitelisting of sites. (To learn more about some of these strategies, view our cheat sheet here.)
But technology alone is not enough. You need each of your employees to make sound decisions in how they navigate the internet and their email. Here are three key ways to build a "human firewall":
- Provide frequent, real-world training. Training videos have become a staple for most security programs, but this type of passive training needs to be coupled with active training, such as simulated phishing campaigns. It may also be helpful to share real-world examples of phishing attacks that will resonate with staff.
- Ensure leadership undergoes advanced training. Staff who have access to the most sensitive, valuable information should undergo personalized, role-specific training.
- Prepare for successful attacks. Every organization should have a cybersecurity response plan in place with specific instructions for workers who fall victim to a phishing attack. For example, some organizations instruct their employees to immediately disconnect and unplug their workstation or device and notify IT security personnel (that is, to "isolate and escalate").