COVID-19’s Impact on Phishing Attacks

The threat of phishing is growing in the number of cases, in sophistication, and in the variety of attack vectors it uses; this is especially true in the troubling times of COVID-19, when more of the world’s population is working from home and relying on the Internet for every aspect of their jobs. COVID-19 has also affected the cybersecurity industry itself, with furloughs and downsizing reducing the capacity of security teams to protect the systems and networks we depend on to stay securely connected. While the pandemic has driven increases in several methods used by cybercriminals, phishing in particular is evolving to exploit the circumstances. This paper explores phishing attacks in the COVID-19 era using various theories on the subject, defensive methods for combatting the rise of these attacks, research methods used to collect relevant data, current and proposed policies, the findings of my studies, and how researching this topic has enhanced my understanding of the subject.

Phishing comes in various forms, such as spear phishing, whaling, smishing (SMS), vishing (voice), and angler phishing (via social media)[1]. For example, some users report deactivation scares; this style of attack is very effective because it frightens users into reacting by threatening to deactivate a critical account. The email threatens to deactivate a banking account and tells the user to follow a convenient link to reactivate it; the linked page then asks for the user’s login credentials, such as their username and password. If an unsuspecting user follows the instructions without questioning the email’s authenticity, the page will eventually ask for their debit or credit card details as well. While many of these attacks can be spotted by looking for misspellings or poor-quality images, they have lately become very realistic. Some phishing emails even carry banners claiming that they were already scanned for malicious content by an antivirus program or by an email service such as Google’s Gmail; such a banner is part of the message body, which the sender controls, so it proves nothing.

I feel that phishing attempts are continuing to evolve in complexity and that this threat is not going away anytime soon. Because they exploit most of the population’s unwarranted trust in their favorite technology company’s cybersecurity and data-protection rules, regulations, and defenses, phishing attacks are one of the most significant threats now and into the future. Many individuals would not notice the potential signs of malicious intent in phishing emails; even if they had reason to distrust the email, any attempt at scaring the individual with threats such as having their banking account deactivated would take precedence.

Theory/Theories

In phishing attacks, a rough model can be formed for estimating the likelihood that a given user will open an email and act on it. In any phishing email, several factors are in play: the sender’s address that is shown (often spoofed), the actual sending address and delivery path (which most users do not know to look for), the words used in the email (anything that should cause it to be marked as spam by email filters), its appearance (low- or high-resolution images, poor or proper scaling), its subject matter (threats or enticements), the status, size, authority, and trust of the company the email claims to be from, as well as several factors involving the target of the attack: their education level, their current financial situation (how prone they are to opening emails promising free funds, services, or goods), whether the email was sent to their personal, school, or work account, the time of day it arrives, the country in which they live, and details gathered through reconnaissance on social media. For example, the target’s Facebook account can be searched for products or companies they admire, opening an opportunity to craft a targeted phishing email in that company’s name.

Lookalike-domain scams such as typosquatting occur when an unaffiliated individual registers a domain that resembles a business’s and then uses that domain to send the business’s customers emails and notices. Registering a domain is a quick, cheap process with little vetting of who is registering it or why. By obtaining a domain similar to one owned by a business, an attacker can message its customers while appearing to be affiliated with the company and request payments or personal information. For example, say a company owns ‘www.randomcompany.com’ and someone registers ‘www.randomcompany.net’; most readers can tell that ‘.com’ has been replaced with ‘.net’, but the average user might not notice, particularly when the visible link text in an email shows the real address and only the underlying link target differs. Several other variants (a missing or transposed letter, a doubled letter, or a digit substituted for a look-alike letter such as ‘0’ for ‘o’) are used alongside the top-level-domain swap above.

Domain hijacking occurs when someone gains access to the domain’s registrar account, obtaining complete control of all domain functions: editing technical, personal, and administrative contact details, changing or transferring the domain, and pointing its DNS name servers elsewhere, which redirects the company’s web and mail traffic to servers the attacker controls. When a domain is hijacked, reclaiming ownership can be a prolonged procedure, especially once the domain has been transferred to a new registrar. Domain phishing happens via scam emails that route registrants to counterfeit websites masquerading as the registrar’s site; the registrar credentials, banking information, and personal details collected there can then be used for the hijack itself or for identity theft.
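The lookalike domains described above can be enumerated ahead of time so that a mail filter or a brand-protection team knows what to watch for. The following is an added example written for this page, not code from the original paper: it reproduces the ‘.com’ to ‘.net’ swap and generalises it to the other single-edit typosquatting families (omitted character, transposed characters, doubled character, and digit or letter pairs that resemble the original). The ALT_TLDS and HOMOGLYPHS lists are assumed and deliberately short; a production tool would use a full TLD list and a Unicode confusables table.

```python
"""Generate the lookalike domains a phisher is likely to register.

Added example, not code from the original article. ALT_TLDS and HOMOGLYPHS
are assumed, deliberately short lists.
"""
from typing import Set, Tuple

ALT_TLDS = ("com", "net", "org", "co", "info", "biz")               # assumed
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "w": "vv"}  # assumed


def split_domain(domain: str) -> Tuple[str, str]:
    """'www.randomcompany.com' -> ('randomcompany', 'com'); drops a 'www.' label."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[0], ".".join(labels[1:])


def lookalikes(domain: str) -> Set[str]:
    """Return every single-edit variant of `domain` that this generator knows."""
    name, tld = split_domain(domain)
    out: Set[str] = set()
    for alt in ALT_TLDS:                        # TLD swap: .com -> .net
        out.add(f"{name}.{alt}")
    for i in range(len(name)):                  # omission: randomcompny
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    for i in range(len(name) - 1):              # transposition: randmocompany
        out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    for i in range(len(name)):                  # doubled char: randommcompany
        out.add(f"{name[:i + 1]}{name[i]}{name[i + 1:]}.{tld}")
    for ch, sub in HOMOGLYPHS.items():          # homoglyph: rand0mcompany
        if ch in name:
            out.add(f"{name.replace(ch, sub, 1)}.{tld}")
    out.discard(f"{name}.{tld}")                # never list the brand itself
    return out


def is_lookalike(candidate: str, brand: str) -> bool:
    """True if `candidate` is one of the generated variants of `brand`."""
    name, tld = split_domain(candidate)
    return f"{name}.{tld}" in lookalikes(brand)


if __name__ == "__main__":
    for variant in sorted(lookalikes("www.randomcompany.com")):
        print(variant)
```

The generated set is what a company would check against newly registered domains (or pre-register, as the paper later recommends); `is_lookalike` is the per-domain test a mail filter would apply to the host part of every link in an inbound message.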

Findings 

Phishing attacks in the 1990s were devastating because employees were new to the Internet and not trained in proper cyber-etiquette, such as spotting malicious or spoofed emails; with modern technology, much of that detection has been automated through filtering and machine learning, reducing (though not removing) reliance on the human element. Even with the surplus of new technology and operating methods, however, phishing has grown into new sectors and vectors. In 2016, cybercriminals continued to exploit human nature by relying on phishing and ransomware attacks. Phishing (sending users an email from a fraudulent source) was on the rise, as the percentage of users who opened these emails rose from 23% to 30%. Ransomware attacks increased as well, up 16% from the previous year. Per the report, 89% of all breaches involved espionage or financial motives. It is striking that most of these attacks used known vulnerabilities for which patches already existed: the top ten known vulnerabilities accounted for 85% of successful exploits. Even more striking is the share of data breaches that involved stolen or weak passwords; 63% of confirmed breaches were recorded using this easily prevented method[2].

In the 2017 Verizon Data Breach Investigations Report, the trends identified in the 2016 edition held. 43% of breaches involved social attacks. By merely influencing or holding leverage over an individual through various forms of social engineering, intruders could bypass many of the security controls in place. Phishing was again the top social variety, involved in over 90% of social incidents and breaches. Among miscellaneous errors in 2017, there were 2,478 incidents of misdelivery, disposal, publishing, and misconfiguration errors. Cyber-espionage continued to be a problem, with targeted phishing campaigns at the top; educational organizations were impacted much more than in 2016[3].

In 2018, the trends of 2016 and 2017 continued. Phishing and pretexting represented 98% of social incidents, and the public sector was the top industry for these breaches. 73% of breaches were perpetrated by outsiders, and 48% featured hacking. Ransomware continued its climb, rising from around 0% of malware incidents in 2013 to over 40% in 2017 (Verizon, 2018). In 2019, cyber-espionage-related breaches were reported to have increased from 13% in 2017 to 23% in 2018, which should worry many businesses. 90% of malware arrived via email, showcasing the dangers of inadequate policies and employee training[4].

COVID-19 has impacted the world as we know it in several ways. As INTERPOL states, “Cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments, and critical infrastructure[5].” Because so many employees were suddenly sent to work from home, organizations scrambled to secure hastily built remote-access systems and networks, and cybercriminals took advantage of the often-weak protections and of work-from-home employees’ willingness to click links in emails that appear necessary to perform their jobs. The phrase ‘when it rains, it pours’ is, unfortunately, apt for this pandemic: social, financial, and political unrest has led to a sudden rise in criminal campaigns seeking to collect information, damage businesses, and steal resources through phishing attacks against people who have far more on their minds than standard security policies and procedures. Per one of INTERPOL’s private sector partners, from January to April 2020, a total of 909,000 spam messages, 48,000 malicious URLs, and 737 malware incidents were reported, all related to COVID-19[6].

Like technology itself, phishing attacks are expanding and becoming far more sophisticated than earlier versions in order to defeat new defensive measures. With many of the top email providers using cloud-based services and issuing trusted links to their customers’ files, the battlefield has shifted to attacks that abuse file-sharing services, where the phishing page or payload is hosted on a legitimate, reputable domain that filters are reluctant to block. The zombie phish is another relatively new technique: an attacker takes over an email account and replies to an older thread with a phishing link; because the sender and subject are familiar, the targets are far more likely to open it. Shortened URLs, from services such as Bitly, are also immensely popular in phishing. A shortened URL is often not blocked by URL content filters because it does not reveal the link’s destination, and since much of the population pictures a malicious URL as a long chain of odd numbers and characters, a short, clean-looking link is an excellent cover for an otherwise suspect URL.
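A filter does not have to take a shortened URL at face value. The following is an added example written for this page (not the paper’s own code or any shortener’s API): it follows the redirect chain hop by hop with auto-redirects disabled, caps the chain length, breaks loops, and only then judges the final destination. The network is injected as a `fetch` callable so the logic runs offline here; `FAKE_NET` is a constructed chain and the short links and hosts in it are made up. In production, `fetch` would issue a HEAD request with redirects disabled and return the status code and headers.

```python
"""Expand a shortened URL hop by hop and judge where it really lands.

Added example, not code from the original article. FAKE_NET is a constructed
stand-in for the network; the URLs in it are made up.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Fetch = Callable[[str], Tuple[int, Dict[str, str]]]   # url -> (status, headers)
REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Expansion:
    hops: List[str] = field(default_factory=list)   # every URL visited, in order
    final_url: Optional[str] = None                  # None if the chain was cut off
    truncated: bool = False                          # loop or more than max_hops


def expand(url: str, fetch: Fetch, max_hops: int = 5) -> Expansion:
    """Follow redirects manually until a non-redirect response, a loop or the cap."""
    result, current, seen = Expansion(), url, set()
    for _ in range(max_hops):
        if current in seen:
            result.truncated = True
            return result
        seen.add(current)
        result.hops.append(current)
        status, headers = fetch(current)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECTS and location:
            current = urljoin(current, location)   # Location may be relative
            continue
        result.final_url = current
        return result
    result.truncated = True
    return result


def suspicious(exp: Expansion, brand_domain: str) -> List[str]:
    """Reasons to block: cut-off chain, plain http, bare IP, or a host outside the brand."""
    reasons: List[str] = []
    if exp.truncated:
        reasons.append("redirect chain loops or exceeds the hop limit")
    if exp.final_url is None:
        return reasons
    parts = urlsplit(exp.final_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("final hop is not https")
    try:
        ipaddress.ip_address(host)
        reasons.append("final host is a bare IP address")
    except ValueError:
        pass                                         # a hostname, as expected
    if host != brand_domain and not host.endswith("." + brand_domain):
        reasons.append(f"final host {host!r} is not under {brand_domain!r}")
    return reasons


# Constructed stand-in for the network (assumed chain, not real shortener data).
FAKE_NET: Dict[str, Tuple[int, Dict[str, str]]] = {
    "https://bit.ly/3abc": (301, {"Location": "https://t.co/xyz"}),
    "https://t.co/xyz": (302, {"Location": "http://randomcompany-secure.net/login"}),
    "http://randomcompany-secure.net/login": (200, {}),
    "https://bit.ly/loop": (302, {"Location": "/loop"}),     # redirects to itself
    "https://bit.ly/ok": (301, {"Location": "https://www.randomcompany.com/help"}),
    "https://www.randomcompany.com/help": (200, {}),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return FAKE_NET.get(url, (404, {}))


if __name__ == "__main__":
    for short in ("https://bit.ly/3abc", "https://bit.ly/loop", "https://bit.ly/ok"):
        exp = expand(short, fake_fetch)
        print(short, "->", exp.final_url, suspicious(exp, "randomcompany.com"))
```

Recording every hop matters for incident response as much as for blocking: the intermediate shortener links are what appear in the victim’s mail and browser history, while the final host is what the security team needs to search for across the rest of the organisation.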

Due to the pandemic, online scams and phishing attempts have reached unprecedented levels of both volume and success. COVID-19-themed phishing emails, which often impersonate health and government employees, have been widely successful, especially those related to governments’ medical response and payments to their citizens in much of the world. Search engines such as Google show a surge in COVID-19-related searches, ranging from case counts to vaccines and stimulus payments. Google’s Coronavirus Search Trends website shows that from February 28, 2020, to April 28, 2020, Coronavirus was the leading search term by a staggering margin[7]. The dominance of COVID-19 in public attention allows cybercriminals to craft lures that play on their targets’ fears. While the everyday citizen may think twice about opening an email with the subject ‘You Won a Million Dollars,’ many would not show the same resolve if the email stated that one of their employees or friends had contracted COVID-19 or that (in the U.S.) their stimulus check needed to be authorized within twenty-four hours to be received.

Using fear in phishing attempts is an unfortunate but effective tool for convincing an individual to give up sensitive information; these attacks are especially hazardous for those who are not tech-savvy, such as the elderly. Many do not understand how even a simple email works, especially when trying to establish whether such an email is authentic. In the scenario involving the fraudulent bank account email, one could confirm that the email was a phishing attack by examining its headers to see whether the sender’s address was spoofed or altered, or whether the message actually came from a completely different domain than the one displayed.

One could also examine the ESMTP ID that each receiving mail server records in the Received header it adds to the message[8]; that ID identifies the exact delivery in the server’s logs, which lets an administrator confirm where the message really came from. A website’s address should always be verified against the real company’s official website address before anything is entered. Close attention should be paid to items in emails and websites such as font, coloring, and low-quality images; these are all reasonable indications of fraud. Recognizing when emails come from unknown senders is also essential. Finally, remember that companies typically do not ask for login information anywhere other than on their own trusted website, and never by reply to an email.
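The header checks described in the two paragraphs above can be done with the standard library alone. The following is an added example written for this page, not code from the paper: it compares the domain of the displayed From address with the envelope sender (Return-Path), reads the SPF, DKIM, and DMARC verdicts from the Authentication-Results header that the receiving server added, and walks the Received chain, extracting the ‘with ESMTP id’ value each hop recorded. `SAMPLE` is a constructed message modelled on the bank-deactivation lure; its domains, addresses, IPs, and IDs are made up.

```python
"""Inspect the headers of a suspected phishing message.

Added example, not code from the original article; standard library only.
SAMPLE is a constructed message: domains, addresses, IPs and IDs are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

SAMPLE = """\
Return-Path: <bounce@mail-randomcompany-alerts.net>
Received: from mx2.example-isp.invalid (mx2.example-isp.invalid [192.0.2.10])
\tby inbound.example.invalid with ESMTP id 4Fq7T1x3Bz9Kp;
\tMon, 06 Apr 2020 09:12:44 +0000
Received: from unknown (HELO randomcompany.com) (198.51.100.77)
\tby mx2.example-isp.invalid with ESMTP id r19si2203qkn;
\tMon, 06 Apr 2020 09:12:41 +0000
Authentication-Results: inbound.example.invalid;
\tspf=fail smtp.mailfrom=mail-randomcompany-alerts.net;
\tdkim=none; dmarc=fail header.from=randomcompany.com
From: "Random Company Security" <alerts@randomcompany.com>
To: customer@example.invalid
Subject: Your account will be deactivated in 24 hours
Message-ID: <20200406091240.1234@mail-randomcompany-alerts.net>

Click https://randomcompany.net/reactivate to keep your account.
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def received_hops(msg) -> List[Dict[str, str]]:
    """Received headers are prepended, so index 0 is the last hop and -1 the origin."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())               # unfold the header
        frm = re.search(r"\bfrom (\S+)", flat)
        by = re.search(r"\bby (\S+)", flat)
        esmtp = re.search(r"\bwith E?SMTPS?A? id ([^;\s]+)", flat)
        hops.append({
            "from": frm.group(1) if frm else "",
            "by": by.group(1) if by else "",
            "esmtp_id": esmtp.group(1) if esmtp else "",   # search for this in that server's logs
        })
    return hops


def analyse(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    hops = received_hops(msg)

    findings: List[str] = []
    if domain_of(from_addr) != domain_of(return_path):
        findings.append(f"From domain {domain_of(from_addr)!r} differs from "
                        f"Return-Path domain {domain_of(return_path)!r}")
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({verdicts.get(mech, 'missing')})")
    if hops and hops[-1]["from"] in ("", "unknown"):
        findings.append("originating hop has no resolvable hostname")
    return {"from": from_addr, "return_path": return_path,
            "verdicts": verdicts, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    for hop in report["hops"]:
        print(f"{hop['from']:>30} -> {hop['by']:<25} id={hop['esmtp_id']}")
    for finding in report["findings"]:
        print("!", finding)
```

Two caveats a practitioner would keep in mind: only the Authentication-Results header written by your own receiving server can be trusted (anything below it in the chain was written by servers the sender may control), and a Return-Path that differs from the From domain is normal for mailing-list and marketing traffic, so that check is a signal to combine with the DMARC verdict rather than a verdict by itself.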

To thwart domain scams, there are numerous ways to bolster a domain’s defenses. Selecting a reputable domain registrar is an excellent first step. Features such as DNS management, two-factor authentication (2FA) or multi-factor authentication (MFA), and 24/7 technical support are ideal. If the registrar supports 2FA/MFA, always enable it. 2FA/MFA ensures that even if an unauthorized individual obtains the account’s username and password, they must pass a second layer (such as a code from an authenticator app or a hardware security key) before they can access the account; codes sent by email or SMS are weaker, since the email account or phone number can itself be taken over.

Domain locking (registrar lock), while generally enabled by default by popular registrars, prevents unauthorized domain transfers; it should always be on, and it is worth confirming in the domain’s WHOIS record rather than assuming. WHOIS privacy, which registrars offer and which ICANN’s post-2018 rules now require for most registrant contact data, reduces the personal data one exposes on the Internet, including physical and email addresses, phone numbers, and other potentially sensitive information. Like all login credentials, the registrar account password needs to be strong: well over eight characters, no dictionary words, unique to that account, and changed whenever there is any sign of compromise (current NIST guidance no longer recommends scheduled password changes). Furthermore, keep the domain’s contact details up to date and do not share them, since the registrant email is where transfer approvals and renewal notices go.
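The registrar-lock and contact-exposure advice above can be verified rather than assumed. The following is an added example written for this page, not code from the paper: it parses the key: value text that `whois` prints, checks for the EPP status codes that registrar lock sets (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited), warns when expiry is near, and flags a registrant email that is published unredacted. The two records are constructed samples in the common WHOIS layout, not real data, and the field names it looks for are assumptions about that layout.

```python
"""Audit a domain's WHOIS record for registrar lock, expiry and exposed contacts.

Added example, not code from the original article. LOCKED and UNLOCKED are
constructed sample records; the field names are assumptions about the
common 'Key: value' WHOIS layout.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Set

LOCKS = ("clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited")
EXPIRY_KEYS = ("registry expiry date", "registrar registration expiration date", "expiration date")

LOCKED = """\
Domain Name: RANDOMCOMPANY.COM
Registrar: Example Registrar, Inc.
Updated Date: 2020-11-02T08:15:12Z
Creation Date: 2006-05-30T04:00:00Z
Registry Expiry Date: 2023-05-30T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Email: Select Request Email Form at https://www.example-registrar.invalid/whois
>>> Last update of whois database: 2021-04-01T10:00:00Z <<<
"""

UNLOCKED = """\
Domain Name: RANDOMCOMPANY.NET
Registrar: Other Registrar, LLC
Creation Date: 2020-12-14T21:03:00Z
Registry Expiry Date: 2021-05-10T21:03:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Email: jane.doe@randomcompany.net
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines; repeated keys (Domain Status) keep every value."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def status_codes(fields: Dict[str, List[str]]) -> Set[str]:
    """EPP codes come first on each Domain Status line, followed by an ICANN URL."""
    return {v.split()[0] for v in fields.get("domain status", []) if v.split()}


def expiry_date(fields: Dict[str, List[str]]) -> Optional[date]:
    for key in EXPIRY_KEYS:
        for value in fields.get(key, []):
            m = re.match(r"\d{4}-\d{2}-\d{2}", value)
            if m:
                return datetime.strptime(m.group(0), "%Y-%m-%d").date()
    return None


def audit(text: str, today: date, warn_days: int = 60) -> List[str]:
    """Return the problems a registrant should fix; an empty list means the record looks sound."""
    fields = parse_whois(text)
    codes = status_codes(fields)
    problems = [f"missing {lock}" for lock in LOCKS if lock not in codes]
    exp = expiry_date(fields)
    if exp is None:
        problems.append("no expiry date found")
    elif (exp - today).days <= warn_days:
        problems.append(f"expires in {(exp - today).days} days; renew or enable auto-renew")
    for email in fields.get("registrant email", []):
        if "@" in email and not any(w in email.lower() for w in ("privacy", "proxy", "redacted")):
            problems.append(f"registrant email exposed in public WHOIS: {email}")
    return problems


if __name__ == "__main__":
    for label, record in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(label, audit(record, date.today()) or "OK")
```

An exposed registrant email is worth flagging for exactly the reason the paper gives: it is the address the domain-phishing emails described earlier are sent to, and the address a registrar will use to confirm a transfer.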

A single hijacked or stolen domain can significantly impact a business in various ways, potentially leading to declining sales, reduced search-engine rankings, lower customer trust, or even the total loss of the company. A domain name and its security are just as crucial as apps, content, and code; devote extra funds to a reputable registrar and backup service, and register the common spelling variations of your domain before someone else does. Domain scams are a primary ingredient of phishing attacks, leaving unsuspecting users at a loss when attempting to defend against such convincing methods of persuading targets to believe something that is not true in order to gain information, access, or resources[9].

While COVID-19 has been and is still inflicting havoc on both businesses and individuals worldwide, only by understanding the relationship between fear and technology can we, as a population, reduce the number and success of phishing attacks. Fear, which many individuals and companies feel during these unprecedented times, whether about their health, job security, or their company’s dwindling profits, can leave the average user vulnerable to threats from cybercrime. Technology affects the effectiveness of cybercrime such as phishing in two opposite ways. First, the lack of technical skill and knowledge directly limits the everyday user’s ability to identify and protect against fraudulent emails and other forms of cybercrime. Second, the technical skill and expertise of cybercriminals allows them to create targeted phishing attacks and malware, giving them the tools they need to bypass even robust defenses. As the human element is the weakest link in cybersecurity, new policies, procedures, and security measures must be developed to counteract the evolution of cybercrime in the COVID-19 era.

Policy

While there are currently no all-encompassing phishing policies or statutes in the United States at the federal level, individual state laws have been enacted to combat this rising threat. For example, in California, Cal. Bus. & Prof. Code §§ 22948 to 22948.3 directly defines the term electronic mail message and the various types of identifying information, such as social security numbers, account passwords, driver’s license numbers, and unique biometric data[10]. California’s phishing regulation, section 22948.2, states that “It shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business[11].” Furthermore, section 22948.3 details how those who violate the above regulation may be penalized, including a civil penalty of up to twenty-five hundred dollars per violation.

Arizona shares many similarities with California in its attempt to penalize phishing attacks, especially in how it directly defines the terms electronic mail message and identifying information; the definitions are nearly identical between the two states. Arizona’s 18-543 also includes a civil penalty of up to twenty-five hundred dollars per violation and clearly outlines the time limit for bringing an action, stating, “An action under this section must be brought within three years after the violation is discovered or by the exercise of reasonable diligence should have been discovered, whichever is earlier.[12]” While both California and Arizona at least identify phishing attacks as a threat, their methods of penalizing those responsible are relatively ineffective.

California’s and Arizona’s phishing statutes were both created in the early 2000s, at a time when the general population was still coming to terms with what the Internet could become; the wording and terminology in both directly reflect how immature these regulations are, as well as their failure to evolve with the changing threat landscape. For example, California’s Cal. Bus. & Prof. Code §§ 22948 to 22948.3, originating in 2006, appears to have had no substantive revision in the fifteen years since; as technology has done nothing but expand and change the way we communicate and prosper, one would assume that changes are needed in how the two states define and protect against phishing. Further research shows that several other U.S. states have essentially the same phishing statutes, suggesting that instead of creating situation-specific rules and regulations for handling the steady rise in the number and sophistication of phishing emails, many states merely used a copy-and-paste approach.

The absence of a nation-wide policy on identifying and penalizing phishing attacks in the United States undermines any attempt to neutralize the growing threat of phishing, especially in the COVID-19 era. Many state statutes’ definitions of phishing are worded in a way that makes it unclear how a maliciously designed phishing email differs from, say, a somewhat-questionable legitimate email from a company’s marketing department. Today, marketing teams employ often-devious tactics to get their customers’ attention, such as email subject lines like ‘act now or lose your benefits’ or ‘critical account update,’ when the email’s actual content merely informs the recipient of a new product. Furthermore, given California’s definition of a phishing attack as conduct “…by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business[13]”, what exactly defines what information can be collected and how that data can be extracted within the rule of law?

One can argue that many organizations’ standard marketing emails are attempts to collect information or to entice current and potential customers into acting in a certain way through deception, using Dr. Robert Cialdini’s six principles of persuasion: reciprocity, scarcity, authority, consistency, liking, and consensus[14]. While the typical marketing email from an organization is not necessarily attempting to gather what many states define as ‘personal information,’ plenty of data is collected on unsuspecting email recipients, including cookies, search histories, engagement with their emails (opening and responding), and often their name, birthdate, and interests, which are then used in tailored marketing campaigns such as birthday offers. So the differences between an authentic and a fraudulent email are often difficult to decipher even for the trained eye, and phishing remains, in practice, largely unregulated.

Like many cybercrimes, phishing relies on the voluntary reporting of known cases. Many states’ phishing statutes do nothing on their own without organizations or individuals coming forward with their encounters with phishing attacks. While states like California and Arizona do try to deter phishing with civil penalties, the dollar amounts and the threat of possible legal action do little to thwart those with malicious intent from extracting personal information from unsuspecting targets. In fact, IBM puts the average cost of a data breach, of which phishing is a leading initial vector, at around $3.86 million[15]; when this figure is compared to section 22948.3’s twenty-five hundred dollars per violation, there is little to dissuade a potential cybercriminal from using phishing attacks.

Attribution of phishing attacks is also challenging. Tracing and proving who is responsible for such an attack can be difficult, as there are numerous ways of hiding one’s identity on the Internet. Even with proof of the cybercriminal responsible, the applicable law depends on variables such as the email’s content and intent, the state or country the email was sent to, and the state or country it was sent from. While many organizations have skilled IT and cybersecurity staff who can effectively monitor, prevent, and pursue legal action against phishing attacks, the average citizen does not have the skills to do so, leading to a world where phishing emails are steadily becoming the biggest threat to the everyday user.

Method

Given the lack of a uniform U.S. policy on phishing attacks, an all-encompassing policy needs to be formed to define phishing emails, taking great care in outlining what they are, whom they target, how they differ from authentic emails, and how states and organizations should form their own situation-specific phishing laws, regulations, and preventive measures. The only way to effectively create such a policy is through thorough research of the current technological climate, with emphasis on the current state of the world and how the pandemic is dramatically altering how we, as a species, interact with each other. As many U.S. states’ individual phishing statutes mirror each other’s basic guidelines from the early 2000s, a complete overhaul needs to occur, starting with the recognition that phishing attacks are among the top cybercrimes and that each state’s policies need to reflect its own situation. For example, California’s laws should draw on the many technological powerhouses in Silicon Valley, leading the charge to create finely tuned rules and regulations for identifying, preventing, and responding to phishing attacks; this would give other states a model to follow.

As laws, policies, and regulations are nothing without the threat of punishment, the U.S. must discuss and initiate new methods of reporting known phishing occurrences, identifying the cybercriminals responsible, and punishing them to the fullest extent of the law. While it is true that tracing a cybercriminal and proving their involvement beyond doubt can often be challenging, this does not mean it is impossible. Furthermore, we must not rely on individual reporting of possible cybercrimes like phishing attacks, as the everyday citizen simply does not know what to look for; hoping they will forward these phishing attacks to the proper authorities is not practical. With a new nationwide phishing policy, email providers such as Google (Gmail) and Microsoft could alter their methods of identifying suspicious emails and have an exact route for relaying the information to a U.S. cybersecurity department specializing in this area. One method of doing this, though merely speculative, would be to attach a form of tracer to the suspected email and flag the sender's account for fraudulent activity, thus alerting the U.S. phishing staff. The proposed new U.S. phishing policy should place stricter requirements on email providers while granting them the freedom to further enhance their fraudulent-email filters.

Regarding the proposed new U.S. phishing policy, there would be numerous allies and adversaries to the idea on both sides. As with any new technology-related privacy or security law, enhanced protective measures may come at the cost of infringing on our privacy rights. For example, if the U.S. develops stricter phishing laws, it may task email providers with taking a more rigorous approach to scanning emails for malicious content; while this may indeed help reduce the number of emails that make it through their filters, it may also mean that the everyday citizen's personal emails containing sensitive information could be read. As many understand from the continuous war over internet privacy, constructing a new phishing policy would be no simple task; however, as we continue to see a rise in phishing cases while the world works from home, loses loved ones to illness, and relies on often-downsized organizational IT and cybersecurity teams for defense, I fear that if nothing is done soon, we will face a future in which the Internet is much like the Wild West, a lawless domain in which outlaws reign supreme.

Application

By researching and writing this paper, I have expanded my knowledge of the unique and vulnerable situation individuals worldwide find themselves in as they attempt to secure their own, their organization's, or their users' data, systems, and networks in a world driven by fear of the pandemic. I find that COVID-19 has been instructive in several ways: many organizations have undergone a sudden digitization of their operations and have begun to understand the importance of secure networks and business processes because so many employees switched to working from home. While it is unfortunate that it took such a terrible event to bring about this change, I find that the future will benefit from the pains of today.

The topic of rising cyber threats such as phishing attacks is vital to understand and keep up to date as both attackers' and defenders' methods evolve. I find that COVID-19 has presented cybersecurity researchers with the ultimate experiment, consisting of various questions: what would happen if all of an organization's employees had to work from home, and how would this be accomplished? What would happen if a business had to shut down immediately due to a coronavirus outbreak? How would the world's population, the everyday user, react to phishing emails and related cybercrimes built around government payments such as the United States stimulus program? These questions have all been answered in a relatively short period, shining a positive light on organizations that have always prioritized cybersecurity and exposing to the public those that failed to plan for such emergencies.

If we, as cybersecurity professionals, do not capitalize on the damaging yet research-beneficial situation of COVID-19's dramatic increase in cyberattacks such as phishing, we will continue to be one step behind those who seek to cause chaos on the digital front. This paper is my method of learning as much as I possibly can about how to respond to organizations' and users' increased fear and vulnerability in the face of widespread perils and cyberattacks. With the knowledge I have gained, I now see how my previously created security policies succeeded or failed, which will allow me to craft unique and effective policies in the future, and to educate my peers and the users I manage on how to remain vigilant against the ever-present threats on the Internet and beyond.

Conclusion

Due to the troubled times we are all facing, COVID-19's destruction of various industries, the sudden and dramatic shift to reliance on remote workforces, the loss of loved ones in the pandemic, and the uncertainty of businesses' futures due to dwindling revenue, we are living in a time that will be remembered forever. These uncertain times have, however, shone a spotlight on the murky world of cybercrime through the sudden rise of phishing attacks. Because of this, we must, as cybersecurity professionals, conduct new risk assessments of the systems, networks, hardware, organizations, and users we manage, with attention to how far our protective measures have decayed relative to the growing demand for cybersecurity skills, policies, and procedures. Given the limited technological knowledge of our world leaders, their inability to work with each other in sharing ideas and forming cyber norms, and the lack of phishing policies and punishments in several countries, I fear this rise in cybercrime will only grow, as COVID-19 will not be the end of our troubles.

We must take a stand in addressing the issues we face due to the pandemic, such as the growing success of phishing campaigns targeting work-from-home individuals and the elderly, as well as the quickly expanding number of phishing attacks related to governmental aid, such as the U.S. stimulus bill. We must thoroughly research how fear and financial vulnerability affect everyday citizens' behavior online. We must apply reasoning to the psychological techniques that influence individuals to do, open, click, or download something they otherwise would not. We must create policies, organizations, and punishments that will effectively identify, track, prevent, and criminalize the cybercriminals who take advantage of those already living through troubled times. While the fight in front of us is daunting, I feel we already possess the tools to win the war against cybercriminals; we just need to realize that the tools are nothing without the collective involvement of the rest of the world's cybersecurity professionals, world leaders, and politicians.

Bibliography

Arizona State Legislature. (n.d.). Arizona Revised Statutes § 18-541. Retrieved February 05, 2021, from https://www.azleg.gov/viewdocument/?docName=http%3A%2F%2Fwww.azleg.gov%2Fars%2F18%2F00541.htm.

California Legislative Information. (2005). Cal. Bus. & Prof. Code §§ 22948 to 22948.3. Retrieved February 05, 2021, from http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=BPC&division=8.&title=&part=&chapter=33.&article=.

Google. (2020). Coronavirus search trends. Retrieved January 06, 2021, from https://trends.google.com/trends/story/US_cu_4Rjdh3ABAABMHM_en.

Grimes, R. A. (2020). 15 real-world phishing examples — and how to recognize them. CSO Online. Retrieved January 06, 2021, from https://www.csoonline.com/article/3235520/15-real-world-phishing-examples-and-how-to-recognize-them.html.

IBM. (n.d.). Cost of a data breach study. Retrieved February 05, 2021, from https://www.ibm.com/security/data-breach.

Influence at Work. (2019, June 25). The 6 principles of persuasion by Dr. Robert Cialdini [Official site]. Retrieved February 05, 2021, from https://www.influenceatwork.com/principles-of-persuasion/.

INTERPOL. (2020). INTERPOL report shows alarming rate of cyberattacks during COVID-19. Retrieved January 06, 2021, from https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19.

Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to computer forensics and investigations. Boston, MA: Cengage Learning.

Otero, A. R. (2019). Information technology environment and I.T. audit. In Tools and techniques used in auditing IT (5th ed., pp. 97–128). Boca Raton, FL: CRC Press.

Verizon. (2016). 2016 Data Breach Investigations Report. Retrieved January 06, 2021, from https://content.bellevue.edu/cst/cis/608/cd/docs/rp_DBIR_2016_Report_en_xg.pdf.

Verizon. (2017). 2017 Data Breach Investigations Report. Retrieved January 06, 2021, from https://content.bellevue.edu/cst/cis/608/cd/docs/rp_DBIR_2017_Report_en_xg.pdf.

Verizon. (2018). 2018 Data Breach Investigations Report. Retrieved January 06, 2021, from https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf.


[1] Grimes, 15 real-world phishing examples — and how to recognize them, 2020.

[2] Verizon, Data Breach Investigations Report, 2016.

[3] Verizon, Data Breach Investigations Report, 2017.

[4] Verizon, Data Breach Investigations Report, 2018.

[5] INTERPOL, INTERPOL report shows alarming rate of cyberattacks during COVID-19, 2020.

[6] INTERPOL, INTERPOL report shows alarming rate of cyberattacks during COVID-19, 2020.

[7] Google, Coronavirus Search Trends, 2020.

[8] Nelson, Phillips, Steuart, Guide to Computer Forensics and Investigations, 2019.

[9] Otero, Information Technology Environment and I.T. Audit, 2019.

[10] California Legislative Information, Code section group- Cal. Bus & Prof. Code §§ 22948 to 22948.3, 2005.

[11] California Legislative Information, Code section group- Cal. Bus & Prof. Code §§ 22948 to 22948.3, 2005.

[12] Arizona State Legislature, Arizona Revised Statutes § 18-541, n.d.

[13] California Legislative Information, Code section group- Cal. Bus & Prof. Code §§ 22948 to 22948.3, 2005.

[14] Influence at Work, The 6 principles of persuasion by Dr. Robert Cialdini, 2019.

[15] IBM, Cost of a data breach study, (n.d.).
