COVID-19 Phishing Attacks are Exposing Email Security’s Biggest Flaws

To those of us who work in cybersecurity, hackers and nation state adversaries exploiting the pandemic to drive fear and misunderstanding is certainly horrific, but not at all unexpected. To put the situation into perspective, Tech Republic reported on a 667% increase in malicious email attacks in just a 22-day span (March 1-23). According to the article, more than 2% of those 467,000 spear-phishing emails detected were COVID-19 related.

Adding further context to this percent increase, the nonprofit Anti Phishing Working Group recorded only 132,553 unique email phishing campaigns in all of Q4 2019 - and that was an increase from the previous two quarters!

It is widely accepted that email phishing serves as the primary attack vector for nearly 90% of all cyberattacks. There are a couple of reasons why, led by the ubiquity of email usage. In fact, in 2018, it was estimated that 24.5 billion business emails and 111.1 consumer emails are sent and received each day. The other primary reason that hackers prioritize email is because it was not built with security in mind - it was simply designed as a communications medium that turned out to be riddled with vulnerabilities.

Ever since email evolved into the predominant communications medium in the mid 2000’s, cybersecurity experts and hacking groups have played an endless game of cat and mouse in which every time an adversary improves or alters their phishing techniques, cyber pros counter with a new type of defense. It’s an endless cycle that has benefited both groups.

Amidst COVID-19, trust in email security slows

The increase in phishing attacks in the era of COVID-19 is unimaginable. As if the news cycle wasn’t already bad enough, seemingly every day stories about attacks targeting remote workers and spoofing attempts impersonating government and nonprofit organizations such as the CDC and WHO, are penetrating mainstream newsfeeds. There are even coronavirus themed phishing emails pretending to be from President Trump.

Such an onslaught of phishing emails over a short period of time has led many to start asking a simple question - Does email security actually work? A recent article headline in Threatpost, Top Email Protections Fail in Latest COVID-19 Phishing Campaign, suggests that the public may be starting to lose faith in our ability to control phishing.

The truth, however, is that current email phishing attacks remain successful for the same reasons they were effective before COVID-19 made it into our lexicon. Thus, the idea that COVID-19 has triggered email security to fail is a perception created by the unexpected onslaught of attacks and not because of some new and novel phishing techniques that anti-phishing technology doesn’t know how to solve.

The vulnerabilities and challenges of email security tools

Currently, it is the same limitations and vulnerabilities of the two most commonly deployed email security methods – secure email gateways (SEGs) and the Domain-based Authentication Reporting and Conformance (DMARC) protocol – that are enabling so many COVID-19 era malicious emails to make it into both business and consumer inboxes.

Over the past few years, SEGs have been increasingly under the microscope, as attackers continue to get smarter and more proficient at defeating gateway-level controls not built to identify file-less and link-less social engineering attacks. In fact, the continued prevalence of SEGs in both consumer email applications and as B2B email security technology is the main catalyst for the rise in business email compromise attacks, which according to the FBI is now the most costly attack vector for business.

But there are two other limitations of SEGs that prevent this technology from acting as the silver bullet it once was positioned to be. Those include its inability to:

  • Stop 99.5% of email spoofing attacks, including those that link to malicious phishing websites with visually similar login pages.
  • Identify polymorphism, which occurs when an attacker implements a slight but significant and often random changes to an email, such as its content, copy, subject line, sender name or template, in conjunction with or after an initial attack has deployed.

DMARC has also emerged as a popular email security solution to combat the rise of email spoofing attacks. The quagmire with DMARC is that while it is effective at what it was built for - stopping exact domain spoofing attacks - it is time consuming to implement and maintain, while also requires reciprocity to work (meaning the sender and receiver must both be compliant).

It is also important to note that exact domain spoofs, which occurs when an email is sent from a fraudulent domain that matches exactly to the spoofed brand’s domain, represents less than 1% of all email spoofing attempts due to the time and complexity needed to pull it off. With COVID-19, the vast majority of the spoofing emails are either exact sender name impersonations, similar sender name impersonations and look alike/cousin domain name spoofs, which DMARC cannot stop.

Reducing phishing risk in uncertain times

It’s safe to say that there will be many lessons learned post COVID-19. For one, hackers are going to hack and exploit world crises at any time to fulfill their motivation. As a result, the cybersecurity community must unite in the future and make its own pandemic response plan. Until then, consumers must scrutinize every email that looks suspicious and resist the urge to click on links and download attachments unless they are 100% sure of its validity.

Simultaneously, businesses must continue to train their employees in anti-phishing hyper vigilance. As remote work continues, now is the perfect time for security and HR teams to mandate phishing awareness training, or re-training, and to execute test phishing attacks using timely scenarios against employees. For those companies with more advanced email security, such as platforms built on AI and machine learning, risk will still continue to prevail, although it will likely be less than the risk faced by company’s reliant on SEGs and/or DMARC.

I hope people will find some confidence in knowing that email security is not failing. Both SEGs and DMARC are working as they should, although the reality is that both are plagued by the same challenges and limitations that have allowed email phishing attacks to land in mailboxes over time.

Hopefully, the influx of phishing emails will soon fade away along with the coronavirus. Until then, stay safe everyone - both offline and on.


  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • 91 Percent of Security Leaders Believe AI Set to Outpace Security Teams

    Bugcrowd recently released its “Inside the Mind of a CISO” report, which surveyed hundreds of security leaders around the globe to uncover their perception on AI threats, their top priorities and evolving roles, and common myths directed towards the CISO. Among the findings, 1 in 3 respondents (33%) believed that at least half of companies are willing to sacrifice their customers’ long-term privacy or security to save money. Read Now

  • Milestone Announces Merger With Arcules

    Global video technology company Milestone Systems is pleased to announce that effective July 1, 2024, it will merge with the cloud-based video surveillance solutions provider, Arcules. Read Now

  • Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

    Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams. Read Now

Featured Cybersecurity


New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3