The coronavirus pandemic has presented cybercriminals with a crisis to exploit, and many are choosing phishing emails as their weapon of choice.
These emails are a form of fraud that aims to steal personal information. At NASA, phishing emails have bombarded employees at twice the rate it’s used to, according to an April 6 memo.
The Department of Defense has seen a “surge” in spear-phishing attempts exploiting the pandemic, Lt. Gen. Bradford Shwedo, the chief information officer of the Joint Chiefs of Staff, said at an April 13 news conference.
And the U.S. Agency for International Development has seen an “uptick” in cyber activity, including phishing attacks.
Generally, agencies receive thousands, or sometimes tens of thousands, of phishing attempts each day, and IT leaders across the federal government are broadly seeing the same number of phishing attacks. But according to a survey from Fifth Domain, more hackers are trying to use the COVID-19 pandemic to trick their way in through the front door.
Fifth Domain contacted the 24 Chief Financial Officers Act agencies to see how phishing attempts have changed in recent weeks. Just under half of those agencies provided substantial responses.
According to research from Zscaler, a cloud security company, its corporate customers faced an 85 percent increase in COVID-19 phishing attempts from January to March. Several of these emails asked for personal information while masked as government agencies.
“You can talk to any cybersecurity professional and they’ll tell you all of the technical countermeasures they put in place cannot really do anything to negate an employee doing the wrong thing, mostly unknowingly doing the wrong thing because they just don’t understand what they’re doing,” said Marianne Bailey, leader for Guidehouse’s cybersecurity practice and former principal director for cybersecurity in the DoD CIO’s office. “And phishing is the perfect way to deliver a malware or package. It’s the perfect way because oftentimes it is directed toward a specific individual.”
A Department of Commerce memo to employees from March 20 warned of an “increase in scams and phishing attempts that reference the ongoing COVID-19 outbreak.” It also warned of emails impersonating the Centers for Disease Control and Prevention, the Department of Health and Human Services, and the World Health Organization. A spokesperson declined to comment.
In the memo, the agency detailed several signals of phishing emails, including unprofessional spelling or grammatical mistakes, as well as unusual formatting. It urged employees to avoid clicking on links and files in suspicious emails.
The departments of Veterans Affairs and Justice each said they have experienced an increase in coronavirus-themed cyberattack attempts.
“While VA has not seen an increase in phishing attempts, we have seen a change from normal phishing-related themes to a focus on COVID-related themes,” said Joe Williams, a spokesman for the VA.
The Federal Emergency Management Agency, which is leading the government’s COVID-19 response, has not experienced an increase, a spokesperson said.
Several agencies told Fifth Domain they’ve completed anti-phishing training for employees and that department IT officials are constantly communicating with employees about threats.
Some anti-phishing efforts appear to be working. The Department of Education’s security operations center has received a “considerable” increase in reported phishing attempts from employees, according to a spokesperson, but hasn’t observed an increase in overall phishing attempts.
Last week, after an employee at the Department of Housing and Urban Development reported a phishing email to the department’s Cyber Incident Response Team, the team searched 44,000 HUD inboxes, finding 4,366 malicious emails, a department spokesperson told Fifth Domain.
Fifth Domain shared the results of its survey with experts from threat intelligence firm Mandiant, who said that the numbers aligned with what the company has observed.
“There has not been a pronounced change in the threat of spear-phishing but also other malicious activity that we’ve seen,” said Ben Read, senior manager at Mandiant.
“There are people doing them, and they are still the same people,” Read said. “There hasn’t been a massive increase in the … cyberespionage or cybercriminal workforce that would facilitate more spear-phishes.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which is charged with protecting federal networks, referred Fifth Domain to a joint phishing alert released April 8 with the United Kingdom’s National Cyber Security Centre, but did not offer insight into any changes in phishing attempts against DHS or federal networks.
The National Science Foundation, the Nuclear Regulatory Commission, the Office of Personnel Management and the Federal Emergency Management Agency did not report increases.