Welcome to 2021! What a glorious time to (still) be alive … The horrid universal dumpster fire that was 2020 has finally passed into history, leaving us free to defeat the global pandemic, get everyone back to work, rebuild our economies, reconnect with distant friends and family, and consume a backlog of blockbuster movies. Everything will get better now, just you wait! That’s all I’ve been hearing throughout the run up to New Years. It’s all downhill from here.
Except … that’s not how anything works. It’s what most people want to happen, sure, me included. I’ll be the first to stand up and admit that I’d really like to go out in public again without the fear of being murdered by a passing deranged stranger who doesn’t comprehend germ theory or how masks work. If we can reach that point before this time next year, it’ll be awesome, and I’ll join everyone in celebrating. The keyword there is “if.” If we can reach that point. We still have some daunting challenges to work out.
I don’t mean to dwell on things like the immense logistical challenges of the vaccine rollout, the appearance of new and more transmissible strains of the coronavirus, to the search for a targeted inoculation program that yields the greatest benefit in the shortest possible time. Those are subjects that public health official will need to sort out. I’m also not about to stray into Ian Dunt’s turf and opine about BREXIT. Speaking solely as a cybersecurity person, I’m more interested in how these awful subjects are surging in popular culture, news, and media … which is to say, how these subjects are being exploited as phishing lures by cybercriminals.
As soon as the World Health Organisation declared COVID-19 to be a “global health emergency in February 2020, opportunistic scammers started constructing phish that leveraged the growing public awareness of the coronavirus threat to trick their victims into surrendered their system credentials, installing malware, etc. This is what cybercriminals do: they hijack the topics that dominate our fears and anxieties to provoke us into reacting emotionally before we can realize we’re being scammed.
Don’t just take my word for this: consider this warning from Microsoft’s 365 Defender Threat Intelligence Team from June of last year:
“Lures, like news, are always local.
“Cybercriminals are looking for the easiest point of compromise or entry. One way they do this is by ripping lures from the headlines and tailoring these lures to geographies and locations of their intended victims. This is consistent with the plethora of phishing studies that show highly localized social engineering lures. …
“During the COVID-19 outbreak, cybercriminals closely mimicked the local developments of the crisis and the reactions to them. Here we can see the global trend of concern about the outbreak playing out with regional differences. …
“Attacks targeting the United Kingdom initially followed a trajectory similar to the global data, but spiked early, appearing to be influenced by the news and concerns in the nation. Data shows a first peak approximately at the first confirmed COVID-19 death in the UK, with growth beginning again with the FTSE 100 stock crash on March 9, and then ultimately peaking around the time the United States announced a travel ban to Europe.”
This is what we’re facing in 2021. As the new year unfolds, we’re going to see cybercriminals pay close attention to the “breaking news” reports, scandals, and areas of concern in each country and region since every headline-worthy story provides the scammers with a list of emotionally charged topics, keywords, and dangers that will prove to be perfect bait for a phish. They’re going to use the news because they know we’re all obsessed with it.
Here in the USA, we’re guaranteed to see a surge of phish in two weeks as scammers share “new information” about our new president’s plan to change the direction of the national COVID-19 response. Will there be new lockdown measures? New supplies of vaccines? Read this news alert (after you authenticate with your O365 credentials).
Wherever the next major mutation of SARS-CoV-2 is discovered is guaranteed to see a flood of phish pretending to warn about new “outbreak sites.” Just click here to see a map of the most recent “hot zones.”
As soon as one of the vaccines proves to be anything less than completely effective, every country that deployed that specific vaccine will be hit with phish “alerting” victims about booster shots, alternate treatments, etc. Are you vulnerable? Enter your NHS Identity data or US Social Security Number here and we’ll tell you if you’re about to die.
This isn’t a complete list of all the phishing threats we’re destined to defend against; it’s merely an illustrative sample of the disease of deception-based attacks spreads through vulnerable populations based on news-related prompts. The bad guys will use whatever upsets us most to manipulate us. They weaponize our dread … and 2021 promises to deliver all the Greatest Hits of 2020 with a roster of Collective Anxiety Guest Stars appearing just to increase the difficulty factor. Why should we expect things to get easier?
I’ve been saying for months now that 2020 was a scammer’s ideal hunting ground because of how we were all perpetually fatigued and tense from the unrelenting stress. I’m sorry to be the bearer of bad news, but 2021 is going to be worse than 2020 was. Expect it. Prepare for it.
Better to stay vigilant now and remain uninfected then to let down your guard and get infected with malware. Or something else … I can’t remember what. Haven’t slept well in a year and there’s all this disturbing news I have to sort through … I’m sure you can empathize …