This blog was written by an independent guest blogger.
In recent years the outbreak and spread of COVID-19 have left many people with fears and questions. With conflicting medical opinions, news outlets reporting varied statistics on case numbers and deaths, and safety recommendations that differed between countries, states, cities, and individual businesses, people often felt desperate for information.
The combination of these factors created an environment in which phishing attempts succeeded easily, targeting the population by using the World Health Organization's (WHO) name as a cover. Phishing attempts, particularly those delivered by email, are common, and they are unfortunately frequently successful.
With a growing dependency on technology, most organizations rely heavily on email communications both internally and externally. While the growing use of technology has seemingly increased convenience and efficiency, it also results in increased security risks. In fact, in 2020, 75% of organizations around the world reported having experienced a phishing attack within the year, and 74% of those attacks within the United States were reported to have been successful.
While targeted businesses vary in size and security, large government organizations with adequate phishing education and training are no exception. In the wake of the COVID-19 outbreak, WHO experienced many phishing attempts that used email to target people and prey on their need for information and fear of the virus. The phishing attempts were numerous enough to warrant a warning to the public.
WHO announced the various email phishing attempts and provided guidance on how to avoid a breach. By providing guidance, such as how to verify an email address as legitimate, and warning against sharing personal information, WHO took accountability for knowing about the existence and occurrence of these many attempts [2].
However, these warnings may not have been adequate in preventing phishing and data breaches, particularly regarding the population that most frequently falls victim: the elderly and the undertrained. While phishing attempts cannot be completely eliminated, there are several actions that could have been taken by WHO to better ensure the prevention of mass data breaches.
One tool that may have been useful in the prevention of these phishing attempts and subsequent data breaches is Domain-based Message Authentication, Reporting and Conformance, or DMARC. While DMARC does not completely prevent phishing attempts, it does provide increased protection by adding authentication checks, linking each message to the domain of its author, increasing transparency between sender and recipient, and monitoring a domain and protecting it from fraudulent use in email [1]. DMARC can be a powerful tool in preventing phishing sources from using spoofed emails that mirror those of the targeted organization, making it easier to recognize phishing attempts or blocking them completely before they reach the recipient.
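To make the mechanism concrete, the following is an added example (not code from the original post) of a minimal DMARC policy evaluator: it parses a DMARC TXT record of the kind a domain owner publishes in DNS and applies the published policy to a message's SPF and DKIM results. The domain names and record values are constructed for illustration, and the organizational-domain lookup is a simplification of what real receivers do with the Public Suffix List.

```python
"""Minimal DMARC evaluator (added example, not from the original post).
Domains and record values below are constructed for illustration."""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into tags, with RFC 7489 defaults
    for the policy (p) and the alignment modes (adkim, aspf)."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels.
    Production receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact domain match; relaxed
    ('r') accepts any domain in the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (dmarc_result, disposition) for one message.
    from_domain:        domain of the visible RFC5322.From header
    spf_pass_domain:    MAIL FROM domain that passed SPF, or None
    dkim_pass_domains:  d= domains of DKIM signatures that verified
    DMARC passes if either authenticated identifier aligns with From."""
    policy = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, policy["aspf"])
    dkim_ok = any(aligned(d, from_domain, policy["adkim"])
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]  # p=none only monitors; reject blocks


if __name__ == "__main__":
    # Constructed record: strict DKIM alignment, relaxed SPF, reject policy.
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org"
    print(evaluate(rec, "example.org"))                          # unauthenticated spoof
    print(evaluate(rec, "example.org", spf_pass_domain="mail.example.org"))
```

With `p=none` the same failing message is only reported, which is why monitoring-only deployments stop nothing on their own.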
While WHO provided a published warning about the phishing attempts, this may have been too little too late. Information in these publications may have failed to be properly accessed and understood by those that often fall prey to phishing attempts, or otherwise may not have reached the intended audience before data breaches occurred. This method of notification is reactionary rather than preventative. Considering the size, scope, and importance of the WHO, particularly in regard to a public health crisis such as COVID-19, it would have been powerful to enact preventative methods regarding phishing attempts, such as the utilization of tools including DMARC.
Unfortunately, phishing has progressed to a level at which the attempts often cannot be distinguished from a legitimate message from the targeted organization. The frequency of these attacks, as well as their success, has created an environment in which cybercriminals have honed their ability to mirror official messages and notifications with little to no indication of foul play.
For example, email phishing attempts may use the organization's exact email layout and originate from a sender address that mirrors an official one, or from an unauthorized sender using an official email address within the organization [1]. Without knowledge of an organization's policies, such as WHO's policy to never require the sharing of credentials, targets may fall prey to messages that closely mirror authentic communications. This is particularly the case when these spoofed emails rely on scare tactics that demand quick action or a click to download, pressures that are easily incorporated into COVID-19 communications.
Further, even with this knowledge, individuals may fall prey to phishing attempts when the email arrives through official channels that have been used without authorization. Therefore, while WHO followed protocol by announcing its awareness of the phishing attempts and attempting to educate users on phishing prevention methods, it failed to provide initial protections for its recipients and its own organizational safety.
To provide adequate protection, WHO should have implemented DMARC in addition to the published prevention methods and warnings. While education of employees, stakeholders, and the public is vital, prevention methods such as DMARC would increase the overall security by decreasing the receipt of phishing attempts and therefore decreasing the likelihood of data breaches.
Within a health organization that provides vital information in an environment that is both changing and serious, it is important to provide both reactive and preventative measures to decrease the overall likelihood of data breaches affecting the organization, its employees, and the individuals relying on it for guidance and information. Though WHO succeeded in issuing reactive information and warnings, it failed to provide adequate prevention methods and could have done so using DMARC.
Article Link: DMARC and the prevention of World Health Organization phishing scams | AT&T Cybersecurity