How a Biden COVID Update Impacts Network Security

If We Know One Thing, Cyber Criminals Follow the Money


Last summer the NTT Corporation – tasked with providing wide-ranging telecommunications services and network security for the Olympic and Paralympic Games in Tokyo – announced they experienced more than 450 million cyberattacks during the event in July. By comparison, the 2021 Summer Games suffered 250 percent more attacks than the London Games in 2012. In this blog we’ll explain why we expect more of the same in 2022, and how a Biden COVID update impacts network security.

But it’s not just sports, of course. In 2022 the U.S. Federal Trade Commission (FTC) launched a new rule-making initiative designed to combat the tidal wave of COVID scams. The agency had received 12,491 complaints of government impersonation and 8,794 complaints of business impersonation related to the pandemic. 


What is important to note here are not the specific entities or sporting events, or even the types of malware, scams and other hijinks that show up in our inboxes. The common thread is threat actors following the money. In other words, threat actors go where the people go.

Cybersecurity's Weak Link: Why Phishing Tests on Employees Are Crucial

Where people congregate online, malicious actors follow. And surprise, surprise…during a once-in-a-century global pandemic, those eyeballs were stuck at home voraciously reading everything they could about case counts, hospitalizations, and deaths. Thieves understood this and launched a firehose of COVID-related themes into our emails, with subject lines ranging from “Apply here to get your stimulus check” to “Hydroxychloroquine cures.” 

Bottom line: Cyber thieves go where the action is. Here is the online action the day President Joe Biden announced COVID finally came for him, too, as compared to the days prior.

Unfortunately, your employees are not immune from the human curiosity global events inspire. Equipping them with the necessary knowledge and tools to avoid falling victim to online scammers is no longer optional. It should be mandatory business practice.

Curiosity Drives Clicks: How a Biden COVID Update Impacts Network Security

Let’s be clear: Newsjacking is just one type of phishing technique, and phishing is just one type of infection vector, although it’s always in the top three (in 2021 the other two were Remote Desktop Protocol (RDP) exploitation and exploitation of software vulnerabilities, according to the FBI’s Internet Crime Report 2021). When enough people start Googling phrases like “Joe Biden Has COVID” or “Biden COVID update,” bad guys figure it out and tailor their phishing lures accordingly.

The good news is there are preventative steps organizations can take to avoid falling victim to newsjacking and other phishing variants. The bad news is few are doing it right. 

Interest in "Joe Biden" before and after COVID announcement.

Security Training Employees: Where Companies Miss

To that end, Lucy / ThriveDX just released its Cybersecurity Awareness Study 2022 – its second annual survey of 1,900 IT security professionals from around the world. The respondents were asked a series of questions on subjects ranging from security awareness training and cybersecurity preparedness to what types of online attacks present the biggest challenge for employers.

The survey presented some interesting findings, but little assurance that organizations are doing all they can to avoid falling victim to COVID fraud, World Cup malware and other newsjacking phishing attacks. Or any other phishing attacks for that matter. 

Only 43% of Companies Are Using A Phishing Button

A phishing button is a simple, elegant button that integrates with Outlook, Gmail or other email clients and gives employees a streamlined way of reporting suspected malware attacks. Instead of filing a report or even forwarding an email to an alias, employees simply highlight the email in question and click the phishing button. It is easy for employees, a good way for IT to stay on top of potential threats and, equally useful, an ideal way to measure the effectiveness of security awareness training. Let us turn to the next finding.

Only 20% of Participants Conduct More Than Seven Phishing Simulations Per Year

When it comes to phishing attacks, frequency matters. If only 20% are conducting more than seven simulations per year, 80% are not. This translates to 4 in 5 employees getting rusty and less cyber aware. The ideal number is at least 12, according to the security awareness team at Lucy / ThriveDX. This helps explain how a Biden COVID update impacts network security.

While 88 percent of companies practice phishing simulations, only 42 percent have a phishing button

The Best Security Awareness Training Targets People

90 percent of successful attacks like Business Email Compromise (BEC), Email Account Compromise (EAC), Ransomware and Credential Theft begin with a spearphishing email directed at a specific individual within a company. This employee typically has privileged access to sensitive information like W-2 and other tax forms containing PII (personally identifiable information), or they enjoy close proximity to a company’s intellectual property or financial records. Oftentimes it can be a lower-level employee in “Accounts Payable” tasked with paying invoices.

Whoever it is, threat actors have likely done their homework in identifying the “mark” and researching his or her social media and other internet footprints to get a sense of who this person is and what they are passionate about during their off hours. Using this information, they begin crafting an email customized to this specific individual that plays up their newfound knowledge of the individual. If they live for politics or a particular sports team, they might include this information in the subject line. All of this leads to higher open rates and thus higher infection rates. This is known as the “human factor” or “human firewall” part of cybersecurity defenses.

The "Human Factor" Will Include NFL Football, World Cup

Hackers are no longer targeting endpoints, servers, and other traditional perimeter defenses. They are instead targeting people and exploiting human frailties like curiosity and ambition. After all, if someone claiming to be the CEO is asking you to complete a task like moving money around, sending him or her W-2 forms or paying an invoice, the first impulse is usually to please the boss.

Threat actors know this in the same way they know that events drive news, which drives clicks, which is why the human factor is always the weakest link in cybersecurity. It’s also one of the most predictable. This is why awareness training is so crucial within organizations: people cannot defend themselves without understanding what is coming at them and what it looks like.

For more information on ThriveDX’s enterprise security training programs, please visit us at https://thrivedx.com




Christopher Dale is the content marketing manager for ThriveDX. He has worked in the cybersecurity field for almost 14 years in PR, social media and content development roles for a range of companies including ESET, Forcepoint, Cylance (Blackberry) and Proofpoint. He holds Bachelor of Arts degrees in Political Science and Rhetoric & Communication from the University of California, Davis. 
