Consumers are now paying close attention to how companies behave and treat consumers during this global COVID-10 public health crisis.
Rest assured, when this crisis is behind us, consumers will be much more thoughtful about where they spend their money, especially if dealing with the aftermath of identity theft caused by COVID-19-themed phishing campaigns.
Who will customers blame? Most likely, the companies whose websites were spoofed to trick them into giving up their personal information.
Companies' typical response to thwart phishing is to warn their customers to be more vigilant to spot phishing emails on their own.
Why don't those companies take more responsibility to protect their brand from misuse by phishers? Why won't they fight back by making phishing unprofitable? They have the means to do so.
What's most egregious about brands blaming their customers for falling prey to phishing attacks is that the customer was lured by their trust of that brand.
Advances in technology make it easier than ever for malicious actors to build a spoof site.
Just as new technology has produced "deep fake" videos, the new generation of spoof websites are making it harder to spot the suspicious sites, even to the trained eye of security professionals. And attackers are counting on a strong trust relationship between the customer and, for example, their bank. It's what gets the victim to be tricked into clicking.
Phishing has become the preferred method of social engineering attack, commonly used to steal user data such as login credentials and credit card numbers. The attacker masquerades as a trusted entity, such as the victim's bank or place of employment.
First, the attacker builds a highly convincing fake website, modeled after a brand the victim knows and trusts. Often, the attacker will use real images and text from the original website - a technique known as content scraping. It's remarkably simple for an attacker to make a wholesale copy of the real site, and doctor it slightly. Once the fake domain is launched, the attacker next dupes the victim into opening an email, instant message, or text message containing a link to that spoof site.
Under normal circumstances, the victim is lured by the trust of the brand being impersonated. But the motivation has taken a disturbing turn since the beginning of the pandemic. Attackers are now masquerading as government agencies, luring consumers using messages about the spread of COVID-19.
In this example, the cybercriminal sends an email that appears to originate from the Centers for Disease Control (CDC), urging the victim to click on a link for an "updated list of new cases" in their area.
Another attack specifically targeted the users of Microsoft email products using an email appearing to come from John Hopkins Center, claiming to share news on the number of Coronavirus-related deaths.
It's easy to see why these attacks are successful. As citizens grow more concerned and seek reliable information about the spread of the coronavirus, messages like these are hard to resist. And the phisher is relying on that.
Cybercriminals are leveraging fear to make a profit, and it's time for brands to stop letting them get away with it.
In an age in which data breaches are rampant, customers are increasingly fed up and demanding justice from brands who didn't take the right precautions to protect customer data. Why should consumers continue to spend money with businesses that don't do everything in their power to protect their data and privacy?
With disclosures of phishing attacks increasing each year, we can conclude that most of the anti-phishing tools in the enterprise aren't getting the job done. When some "solution" fails to work, doesn't it make sense to try something else that does work?
A better way to approach detection is to beat the attackers at their own game. Catch them in the act before they have the opportunity to get away with their scam.
Using undetectable lines of code that are embedded into the design of a corporate website, for example, could help defenders know when that website has been scraped for content. The code serves as an alarm of sorts when this activity is in motion as a site's content being scraped is an early red flag that they are being targeted.
The technology to make this happen already exists, and web security personnel in any company can protect their site and brand with this early warning technology.
Once defenders are aware of the potentially fake website, they could take a couple of different paths on mitigation.
Defenders can approach the service provider hosting the phony site and request that it be taken down. It's also possible to leverage the fake site against the attacker.
This would involve flooding the fake website with phony credentials or decoys. To the attacker, it will appear that scores of unwitting consumers are visiting the site and entering their login information. Using a touch of deception has the potential to create doubt on the fraudster's part about what may have been stolen, whether it is real or fake.
This is the time for companies to put their customers first and finally make phishing a more risky and unprofitable exercise for hackers. It's especially evil of cybercriminals to exploit the fear and uncertainty of a global pandemic to steal information and invade citizens' privacy.
By investing in modern security that will finally address phishing at its core, companies are going above and beyond for their customers and protecting their reputation and bottom line.
It's time to turn the tables on adversaries and make them pay the price for using the trust between a brand and its customers as a weapon.