The disruption caused by the Covid-19 pandemic saw enterprises across the globe rapidly adopt remote working to support social distancing and comply with quarantine restrictions implemented by national governments. Amid this chaos, many cyber criminals created new phishing scams and other online threats, leading to many high-profile data breaches.
One of the most alarming trends that emerged this year was the dramatic increase in phishing sites and scams. According to AtlasVPN, the number of phishing sites reached an all-time high of 2.02 million sites in 2020, 19.91% higher than in 2019. Similarly, F5 found that phishing incidents were 220% higher than the yearly average pre-pandemic.
This article will highlight some of 2020’s most significant data breaches, take a look at some of the most notorious phishing scams throughout the year, and provide tips for how cyber security leaders can protect their organizations.
2020's Biggest Data Breaches
Throughout this year, dozens of high-profile data breaches made headlines. These attacks ranged from state-sponsored data theft to COVID-related scam campaigns aimed at consumers, ransomware attempts to extort enterprises, and brute force credential stuffing attacks aimed at government organizations.
Some of the most significant data breaches are listed below:
- U.S. Treasury and Commerce Departments hack - Russian state-sponsored actors hacked network management solution provider SolarWinds. They injected malicious code into its Orion solution, enabling the attackers to steal private information from the U.S. Treasury and Commerce Departments.
- Canada Revenue Agency data breach - As part of a credential stuffing attack, hackers used credentials obtained from past hacks to gain access to CRA's online portal (used to access immigration services and employment insurance) and interacted with 48,000 user accounts.
- Dental Care Alliance - Hackers accessed the data of the dental support organization Dental Care Alliance, obtaining the information of 1,004,304 patients, including their name, address, dental diagnosis, account numbers, payment information, and health insurance details.
- MongoDB - A hacker uploaded ransom notes to 22,900 MongoDB databases accessible online without password protection, threatening to wipe data if the targeted enterprises didn't pay a ransom.
Other notable incidents: cyber criminals exploited a Spotify software vulnerability, and hackers sold 30 million Wawa customers' credit card details.
2020 Phishing Scams You Need to Know About
Many of the data breaches that took place this year did so because of phishing attacks, in which impostors manipulated victims into giving up private information. Cyber criminals often use email phishing to trick targets into clicking links that deliver malware or lead to fake websites that collect user information.
Research shows that email is the most common medium for spreading malware, so knowing about phishing scams is vital for protecting your organization against hackers. One of the best ways to see how common phishing attacks are is to look at past incidents.
Over the past several months, there were some devastatingly effective phishing attacks targeting unsuspecting enterprises:
- Office365 (Phishing renewal scam) - Cyber criminals sent fake emails to Office 365 subscription holders prompting the recipient to update their personal information. The email included a link to a phishing site that imitated Microsoft's official branding, with a form where recipients could enter their name, address, and credit card information.
- Google Drive (Push notifications Phishing scam) - Hackers sent Google Drive users fake push notifications prompting them to collaborate on documents that included links to scam websites. The links encouraged victims to review bank account activity or to sign up for a prize.
- Zoom (Account suspension/Missed meeting phishing scam) - Fraudsters issued fake Zoom invites by text, email, and social media messages, telling the victims their Zoom account had been suspended. The messages included a malicious link to a fake site where they were prompted to update their details.
Other notable mentions: Netflix verification email scam, HMRC tax refund scam, IRS direct deposit SMS scam.
How to Keep Your Data Secure from Cyber Criminals
To protect your organization's information from a data breach in the current threat landscape, you need to have a strategy to address phishing attacks. Cyber security leaders can prevent phishing attacks and stop data breaches by taking the following steps:
1. Educate your employees about phishing
Educate your employees about phishing to enable them to spot the signs of phishing attempts so they can avoid being caught off guard and misled. Phishing simulation tools are an excellent learning exercise employees can use to practice identifying spoofed emails.
2. Use security awareness training
Regular security awareness training will update your employees on the latest threats and provide them with practical exercises and phishing simulations that teach them how to detect threats like phishing, spear phishing, ransomware, malware, and social engineering in real time.
3. Create internal cyber security heroes
Create internal cyber security heroes and security leaders to monitor employee phishing awareness and identify gaps in their knowledge. Cyber security heroes can provide employees with ongoing guidance and recommend phishing microlearning modules to educate them further.
4. Provide ongoing communication and campaigns
Incorporate regular communications, campaigns, and reminders about the latest online (and offline) threats into your corporate culture to update employees on emerging security challenges.
5. Keep all infrastructure and applications patched/updated
Regularly patch and update all infrastructure and applications to eliminate vulnerabilities in your network that attackers can exploit. Companies could have avoided falling victim to famous incidents like the WannaCry ransomware attack by keeping software updated.
Recap
With the Covid-19 pandemic ongoing, employees need to be vigilant to detect new scams and threats created by fraudsters. In an environment where cyber criminals continually rely on manipulation to obtain access to sensitive information, traditional cyber security solutions like antivirus and firewalls are not enough on their own to stay safe.
Cyber security awareness training is vital for cultivating the skills employees need to detect current and next-generation threats, like phishing attacks, and key indicators of compromise that suggest a data breach.
Cyber Security Hub: Access Exclusive Cyber Security Content
Take advantage of the free Cyber Security Hub – it is your one-stop cyber security awareness and knowledge center with one-click access to the COVID-19 Kit, Work From Home Kit, Password Kit, Phishing Kit and more.