Escalating Phishing Threats Are Still Capitalizing on Pandemic Pressure and Remote Workers
Many things in the world have slowed down or are still stopped as we navigate the back end of the global COVID-19 pandemic. But one thing is having a major growth spurt with no end in sight: phishing. Across the board, phishing threats are the top cybersecurity menace that businesses face today, and that threat meter is only going up.
Phishing increased 42% overall in 2020, while some categories and attack types like ransomware experienced triple-digit growth. That constantly growing menace rose 148% in March 2020 alone. Phishing threats took their biggest jump in Q2 2020, escalating an eye-popping 660% according to Google. Even in Q4 2020, the increase was lower but still epic: phishing was up more than 220%. Experts agree that phishing will continue to dominate the threat landscape in 2021.
Cybercriminals are still milking the public’s thirst for information about COVID-19. In the early months of lockdowns and public health emergencies, bad actors grew adept at using pandemic lures and other crafty, socially-engineered tricks to take advantage of stress and anxiety, especially when it comes to targeting remote workers. More than 30% of the email sent overall in 2020 was a pandemic-themed phishing attempt, and a whopping 72% of all phishing email was COVID-19 themed.
One reason phishing is up is that email volume is up. Workers handled 72% more emails in 2020 than the year before, and email is the primary communication tool of the majority of businesses these days, although messaging is catching up. That gives cybercriminals many more chances to snag a tired, stressed, or distracted remote worker.
Impersonation and business email compromise scams are also reaching new heights. Business email compromise (BEC) attacks doubled, and impersonation scams, especially phishing that aped a major corporation or “trusted” source, took off: more than half of all phishing “websites” in 2020 imitated one of those organizations. In 2020, BEC costs increased rapidly, from $54,000 in Q1 2020 to $80,183 in Q2.
Smart cybercriminals know that they’ll have a far easier time duping an unsuspecting worker into clicking a link than downloading an attachment, and they planned their attacks accordingly. While an estimated 71% of spear-phishing attacks included malicious URLs, only 30% of BEC attacks included a link. Drilling down, 20% of phishing URLs were WordPress sites, 72% of phishing websites used genuine HTTPS certificates, and 100% of drop zones employed TLS encryption.