With employees likely to remain remote for the first half of 2021 (and likely beyond that in many cases), cybercriminals and fraudsters have already adjusted their tactics and techniques to launch fresh waves of phishing campaigns and other attacks designed to steal credentials, compromise personal information, and spread malware.

For the past year, threat actors have consistently tailored their phishing campaigns, as well as business email compromise scams, around the COVID-19 pandemic. Phishing emails can easily match the current news cycle, taking advantage of remote workers, while IT and security staff scramble to keep up. Phishing lures have referenced everything from the travel bans of early 2020 to COVID-19 updates from the CDC. 

Now, security firms such as Proofpoint are finding a sudden spike in both phishing emails and business email compromise schemes using news about COVID-19 vaccines. Once opened, these emails can download malware onto devices, or attempt to gather personal information and data such as login credentials for Microsoft Office 365. Some of these phishing emails spoof organizations such as WHO, or well-known brands such as DHL to give the messages a sheen of legitimacy.

“In the majority of these cases, threat actors are adept at developing authentic-looking messages that are relevant to users and consistent with current events,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told Dice. “We expect vaccine signups, distribution centers and hospitals, vaccine brands and any changes to government policies to remain active phishing themes.”

The continuing need for remote work also means that these patterns are likely to continue, with workers increasingly susceptible to phishing emails, business email compromise schemes and other types of fraud, DeGrippo noted.

“That communication channel continues to be the number one threat vector because it provides a mechanism for 1:1 threat actor communication with an intended recipient,” DeGrippo said. “In addition, working from home means that employees can’t easily turn to a colleague to verify a suspicious email so their natural instinct is to click a link or open an attachment. There is also the stress, anxiety and uncertainty associated with the pandemic that increases the likelihood that users are more susceptible to socially engineered malicious emails.”

Phishing For Data

After employees rushed into work-from-home situations in the spring of 2020, there was a good deal of anxiety and uncertainty. Over the last several months, though, this has given way to an everyday routine that can breed complacency, which can create issues for protecting data and ensuring sound security practices, said Tom Pendergast, the chief learning officer at MediaPro, which provides security training.

“Unlike 10 to 11 months ago, many people have settled into the routine of remote work—and with routine comes carelessness,” Pendergast told Dice. “The sense of heightened risk and urgency is now gone from remote work, so people’s diligence may drop, especially where remote workers may not see the consequences of their actions. Reminding people about the fundamentals of remote work security—VPN or other safe connection; and keeping work and home computing separate—becomes more important as these actions start to feel routine.”

Rick Holland, CISO and vice president for strategy at security firm Digital Shadows, believes that the phishing campaigns that use COVID-19 vaccines as lures are likely to remain prevalent throughout 2021, since the rollout is likely to remain slow for some time and employees will remain at home. If boosters are required, these types of attacks will carry in 2022, he added.

The bigger concern, however, is how these attacks will affect security budgets, which means CISOs and their staff might have to look for new approaches to keep their organization’s infrastructure secure while managing the remote workforce.

“Some organizations could find budget dollars last year, whereas others had to wait until the new fiscal year to get the funding to enable and adequately secure working from home,” Holland told Dice. “The long tail isn’t just about the budget. IT and security professionals only have so much bandwidth to deploy new solutions, so there are constraints on the implementation timelines, as well. On top of this, you have teams responding to the SolarWinds supply chain attacks, which are also competing for the limited budget and people resources available.”

Think Different

Hank Schless, senior manager for security solutions at Lookout, noted that once widespread work-from-home started in early 2020, security and IT teams relied on a combination of multifactor authentication and VPN technologies to try and keep employees, devices and data safe.

Now, however, is the time to rethink that approach, especially as cybercriminals and threat actors continue to revamp their strategies, including the design of phishing emails and what devices to target.

“To enable productivity from anywhere and from any device, IT and security teams realized that they needed to let employees use mobile devices for work,” Schless told Dice. “This created a forced bring-your-own-device scenario for lots of organizations. Without being able to evaluate those personal devices for risk before allowing them access to the corporate data, most teams went in blind. VPN and MFA can both be effective security measures, but if the device connecting to the VPN or authenticating login through MFA is compromised, those solutions are rendered useless.”

Proofpoint’s DeGrippo notes that, in addition to providing as much training as possible to employees, security and IT teams should consider a layer defense approach that includes security at the network edge in the cloud and at the endpoints while implementing email authentication protocols such as domain-based message authentication, reporting and conformance (DMARC) and sender policy framework (SPF).

“Employees will continue to work from home, which is likely to keep increasing risk for organizations and opportunities for threat actors,” DeGrippo said. “Working remotely 100 percent of the time requires a different security strategy than working from home once or twice each week. Specifically, more people are on home networks, which are not as heavily fortified as the office network. Data loss risks increase significantly when personal devices are used to conduct business and when devices are shared with family members.”