Leave the pandemic out of your phishing simulations, Cofense says to industry

At least one anti-phishing company says it won’t be testing its customers with coronavirus-themed emails, out of concerns that it’s not socially responsible to play into fears around the current pandemic.

Cofense says it has removed all COVID-19-themed spearphishing templates from its repository of attacks, and the Virginia-based company is recommending other organizations join it in a pledge to avoid using the global health crisis as fodder. Like other anti-phishing companies, Cofense sends fake emails to its customers to see if employees click on corrupted links or file attachments.

“During a time when fears are justifiably running high, we believe it is wrong to confuse employees and exacerbate concerns further. We call upon the industry and organizations to join us in practicing socially responsible awareness training through thoughtful communication and education – not phish ‘testing,’” the company’s pledge, posted on LinkedIn Thursday, reads.

Cybercriminals and suspected nation-state actors have been leveraging coronavirus-related lures in spearphishing campaigns as the pandemic has spread, raising questions about how the security community can best protect against the growing threat. But when the information security community began debating whether it was ethical to use coronavirus-related lures in phishing exercises in recent days, Cofense Co-Founder and CTO Aaron Higbee fell into a panic, he said during a virtual Cofense panel Thursday.

“I didn’t really anticipate the results. The majority of the people who were voting on this tended to think it was OK,” Higbee said. “At that moment I had a bit of a panic.”

As soon as he saw the overwhelming amount of support in that poll, Higbee worked with his team to pull all COVID-19-related templates from Cofense’s collection.

“This concept of phishing simulations is deeply personal to me,” Higbee said on the call. “I knew that we needed to do something immediately. The first steps we took is we logged into PhishMe [to] see if our teams had put these themes in … and sure enough, they were there. We made the call immediately to get these templates out of PhishMe.”

It’s the first time Cofense has ever pulled a template in its history, Higbee said.

“It’s actually extremely rare that we do that,” he told CyberScoop. “COVID-19, coronavirus, it’s different. I can’t think of a time in my life where we’ve had to get together as a planet and work together on something like this.”

Even criminals have pledged, in some cases, to observe a temporary moratorium on attacks against health organizations. It is unclear if each criminal group that has made that pledge is abiding by it.

Indeed, some crime related to coronavirus and the health sector has continued regardless of the worldwide carnage. Attackers targeted a hospital in the Czech Republic in recent days, and hackers continue to send coronavirus-themed spearphishing emails to unwitting victims in attempts to infect their machines with malware.

How to prepare against spearphishing

Instead of using COVID-19 lures in simulations, Higbee suggests that organizations — no matter their training on preventing spearphishing — consider implementing multi-factor authentication.

“When organizations have multi-factor enabled their phishing threat does go down,” Higbee said. “It’s not 100% but it does help at least stop some of that.”

Tonia Dudley, a security solutions adviser with Cofense, suggested companies with teleworking employees during the pandemic take extra pains to communicate with managers to pass on information about avoiding spearphishing campaigns, no matter the content of the lures.

“Give information to your managers. Most likely they’re trying to meet with their teams daily — give them just some reminders of what they can look for,” Tonia said. “A lot of them are not used to working from home. … Remind them, attackers are leveraging this moment.”

Right now Cofense is seeing threat actors take advantage of the coronavirus by using urgent subject lines suggesting the emails contain vital information to surviving the pandemic, including, “EXTERNAL: COVID 19 PREPARATION GUIDANCE,” or “Work Remotely Enrollment (Action Required).” At times the emails Cofense has seen include Powerpoint files with embedded links to spreadsheets or surveys claiming to be for the Human Resources department, that eventually try to steal credentials.